From ac419f7ae01d4eabee03de82e7e0d0a7f89ed99f Mon Sep 17 00:00:00 2001
From: Brian Wolff <bawolff+wn@gmail.com>
Date: Mon, 13 Mar 2017 21:20:02 +0000
Subject: [PATCH 05/10] SECURITY: Escape wikitext content model/format in
 message

Escape wikitext in the model= and format= URL parameters to the
edit page. This goes along with 1c788944 to help prevent
XSS on wikis with $wgRawHtml = true; set.

Bug: T156184
Change-Id: Ifcaa2ccf05a2a691d0b150e2f7e0e765db25fc7f
---
 RELEASE-NOTES-1.28    | 1 +
 includes/EditPage.php | 7 +++++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/RELEASE-NOTES-1.28 b/RELEASE-NOTES-1.28
index a8064da..f143ca2 100644
--- a/RELEASE-NOTES-1.28
+++ b/RELEASE-NOTES-1.28
@@ -23,6 +23,7 @@ This is not a release yet!
   their values out of the logs.
 * (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF
   token.
+* (T156184) SECURITY: Escape content model/format url parameter in message.
 
 == MediaWiki 1.28 ==
 
diff --git a/includes/EditPage.php b/includes/EditPage.php
index a9d1c48..a563b27 100644
--- a/includes/EditPage.php
+++ b/includes/EditPage.php
@@ -1015,7 +1015,7 @@ class EditPage {
 			throw new ErrorPageError(
 				'editpage-invalidcontentmodel-title',
 				'editpage-invalidcontentmodel-text',
-				[ $this->contentModel ]
+				[ wfEscapeWikiText( $this->contentModel ) ]
 			);
 		}
 
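Review bot: The new `wfEscapeWikiText( $this->contentModel )` on the throw line carries no hint of why the parameter needs escaping here, and the same applies to the two escaped parameters in the following hunk at 1023. Per the commit description the model and format values arrive straight from the request, so a reader of this code later has no way to tell that the message parameter is attacker-controlled wikitext without reading the bug. A one-line comment above the `throw`, `// contentModel comes from the model= request parameter; escape it so the error message cannot carry wikitext (T156184)`, would keep that reasoning with the code, with a matching note at the second site. The enclosing `if` that guards this `throw` starts before the hunk, so the condition that classifies the model as invalid is not visible here.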
@@ -1023,7 +1023,10 @@ class EditPage {
 			throw new ErrorPageError(
 				'editpage-notsupportedcontentformat-title',
 				'editpage-notsupportedcontentformat-text',
-				[ $this->contentFormat, ContentHandler::getLocalizedName( $this->contentModel ) ]
+				[
+					wfEscapeWikiText( $this->contentFormat ),
+					wfEscapeWikiText( ContentHandler::getLocalizedName( $this->contentModel ) )
+				]
 			);
 		}
 
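Review bot: Escaping `ContentHandler::getLocalizedName( $this->contentModel )` treats a localized name the same as the raw `contentFormat` request value, so any wikitext markup in those localized messages will now be shown literally. If that is deliberate because the lookup may fall back to the raw model identifier when no localized message exists, which the hunk does not show, a short comment saying so would stop a later maintainer from "fixing" the second call by removing the escape; something like `// localized name may fall back to the raw model id, so it is escaped too`. If the fallback does not happen, the second `wfEscapeWikiText` is arguably unnecessary and the reason for keeping it should be stated. The enclosing `if` for this `throw` starts before the hunk.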
-- 
2.9.3

