From b30858d19a438d4855169b995de6414b45d3ff83 Mon Sep 17 00:00:00 2001 From: sbassett Date: Thu, 5 Mar 2020 16:50:30 -0600 Subject: [PATCH] SECURITY: Mitigate potential XSS within UserGroupMembership UserGroupMembership::getLink() can render an XSS if the group-membership-link-with-expiry message is altered to include executable JavaScript. This function is called within a few portions of Mediawiki core and extension code, including within the Special:UserRights page. Bug: T236509 --- includes/user/UserGroupMembership.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/includes/user/UserGroupMembership.php b/includes/user/UserGroupMembership.php index 4da7125931..bdb5018ee4 100644 --- a/includes/user/UserGroupMembership.php +++ b/includes/user/UserGroupMembership.php @@ -420,7 +420,7 @@ class UserGroupMembership { $groupLink = Message::rawParam( $groupLink ); } return $context->msg( 'group-membership-link-with-expiry' ) - ->params( $groupLink, $expiryDT, $expiryD, $expiryT )->text(); + ->params( $groupLink, $expiryDT, $expiryD, $expiryT )->parse(); } return $groupLink; } -- 2.22.0