From d6e5827bc4473848d4ee9a016548d27e7e9a8997 Mon Sep 17 00:00:00 2001
From: BlankEclair <blankeclair@disroot.org>
Date: Mon, 2 Dec 2024 00:49:42 +1100
Subject: [PATCH] SECURITY: Escape interface messages used in Special:BadgeView

Bug: T381220
---
 includes/specials/BadgesPager.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/includes/specials/BadgesPager.php b/includes/specials/BadgesPager.php
index 5d549d9..6b5fbf2 100644
--- a/includes/specials/BadgesPager.php
+++ b/includes/specials/BadgesPager.php
@@ -106,7 +106,7 @@ class BadgesPager extends TablePager {
 					'obl_badge_id' => $value,
 					'obl_receiver' => $userId
 				];
-				$assertLink = Html::rawElement(
+				$assertLink = Html::element(
 					'a',
 					[ 'href' => $apiUrl . http_build_query( $assertCall ) ],
 					wfMessage( 'ob-view-proof' )->text()
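Review bot: The link text `wfMessage( 'ob-view-proof' )->text()` is safe only because `Html::element` escapes its contents, and nothing on the new side records that. A one-line comment above the call would help, such as `// Html::element() escapes its contents, so ->text() is correct here; ->escaped() would double-escape`. It would keep a later edit from switching back to `Html::rawElement`, or from changing the call to `->escaped()` to match the no-evidence branch. The same comment fits the evidence link in the second hunk. The enclosing switch and method start and end outside the hunk.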
@@ -114,9 +114,9 @@ class BadgesPager extends TablePager {
 				return $assertLink;
 			case 'obl_badge_evidence':
 				if ( empty( $value ) ) {
-					return wfMessage( 'ob-view-no-evidence' )->text();
+					return wfMessage( 'ob-view-no-evidence' )->escaped();
 				} else {
-					$evidenceLink = Html::rawElement(
+					$evidenceLink = Html::element(
 						'a',
 						[ 'href' => $value ],
 						wfMessage( 'ob-view-evidence' )->text()
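Review bot: The evidence link's `'href' => $value` still uses the stored evidence value as a URL with no scheme check. `Html::element` escapes the attribute value but does not reject a `javascript:` or `data:` URI, so escaping alone does not make the link target safe. Whether the value is validated when the badge is issued is not visible in this hunk, so this may already be handled upstream. If it is not, render the link only for an allowed scheme, for example `if ( !preg_match( '#^https?://#i', $value ) ) { return htmlspecialchars( $value ); }` ahead of the `Html::element` call. The enclosing switch and method start and end outside the hunk.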
-- 
2.47.1

