From 6c29e8c47ec16f917804690f37510fa05ab5b54d Mon Sep 17 00:00:00 2001
From: Brian Wolff <bawolff+wn@gmail.com>
Date: Mon, 13 Mar 2017 21:20:02 +0000
Subject: [PATCH] SECURITY: Escape wikitext content model/format in message

Escape wikitext in the model= and format= URL parameters to the
edit page. This goes along with 1c788944 to help prevent
XSS on wikis that have `$wgRawHtml = true;` set.

Bug: T156184
Change-Id: Ifcaa2ccf05a2a691d0b150e2f7e0e765db25fc7f
---
 RELEASE-NOTES-1.23    | 1 +
 includes/EditPage.php | 5 ++++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/RELEASE-NOTES-1.23 b/RELEASE-NOTES-1.23
index 1e5ba7e..775d6da 100644
--- a/RELEASE-NOTES-1.23
+++ b/RELEASE-NOTES-1.23
@@ -8,6 +8,7 @@ This is not a release yet!
 * (T68404) CSS3 attr() function with url type is no longer allowed
   in inline styles.
 * (T156184) $wgRawHtml will no longer apply to internationalization messages.
+* (T156184) Escape content model/format url parameter in message.
 
 == MediaWiki 1.23.15 ==
 
diff --git a/includes/EditPage.php b/includes/EditPage.php
index 1fd23e2..ee19afa 100644
--- a/includes/EditPage.php
+++ b/includes/EditPage.php
@@ -801,7 +801,10 @@ class EditPage {
 			throw new ErrorPageError(
 				'editpage-notsupportedcontentformat-title',
 				'editpage-notsupportedcontentformat-text',
-				array( $this->contentFormat, ContentHandler::getLocalizedName( $this->contentModel ) )
+				array(
+					wfEscapeWikiText( $this->contentFormat ),
+					wfEscapeWikiText( ContentHandler::getLocalizedName( $this->contentModel ) )
+				)
 			);
 		}
 		#TODO: check if the desired model is allowed in this namespace, and if a transition from the page's current model to the new model is allowed
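Review bot: The new wfEscapeWikiText() calls on the two message parameters carry no comment saying why they are there, and nothing in the surrounding code marks these values as request-derived, so a later cleanup could drop them; add above the `throw` a comment such as `// $this->contentFormat / contentModel come from the format= and model= request parameters and this message is parsed as wikitext, so escape them to keep raw HTML out of the parser when $wgRawHtml is on (T156184)`. Escaping the result of ContentHandler::getLocalizedName() also neutralises any markup a `content-model-*` message legitimately uses, which is presumably accepted here because that helper appears to fall back to the raw model id for unknown models; the trade-off is worth stating in the comment. It would also be worth checking that no other message in EditPage receives $this->contentFormat or $this->contentModel unescaped, since the same reflection applies there. The enclosing `if` that leads to this `throw` begins outside the hunk.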
-- 
1.9.5 (Apple Git-50.3)

