From 032ce85074c4f48f7a2238b187774b551e765d62 Mon Sep 17 00:00:00 2001
From: Martin Urbanec <martin.urbanec@wikimedia.cz>
Date: Sat, 21 Aug 2021 21:34:16 +0200
Subject: [PATCH] SECURITY: Fix a bunch of XSS holes in Mentor dashboard

Pattern: $('<el>').append(<unescaped string>)

Solution: use .text() instead of .append(), which
makes jQuery escape the string. Alternative solution
would be to use mw.message(...).escaped() or
mw.message(...).parse() instead.

Bug: T289408
Change-Id: I858d55fb2eca9b50ac6ef5a6f2a7b2784f0fa0d6
---
 ...riments.MentorDashboard.MenteeOverview.FilterDropdown.js | 4 ++--
 .../ext.growthExperiments.MentorDashboard.MenteeOverview.js | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/modules/mentordashboard/ext.growthExperiments.MentorDashboard.MenteeOverview.FilterDropdown.js b/modules/mentordashboard/ext.growthExperiments.MentorDashboard.MenteeOverview.FilterDropdown.js
index ace41f15..6265c30c 100644
--- a/modules/mentordashboard/ext.growthExperiments.MentorDashboard.MenteeOverview.FilterDropdown.js
+++ b/modules/mentordashboard/ext.growthExperiments.MentorDashboard.MenteeOverview.FilterDropdown.js
@@ -32,7 +32,7 @@
 		this.$filterDropdown = $( '<div>' )
 			.addClass( 'growthexperiments-mentor-dashboard-module-mentee-overview-filter-dropdown' )
 			.append(
-				$( '<h3>' ).append(
+				$( '<h3>' ).text(
 					mw.msg( 'growthexperiments-mentor-dashboard-mentee-overview-add-filter-total-edits-headline' )
 				),
 				$( '<div>' )
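Review bot: Nothing in the new code records why the headline is set with `.text()` rather than `.append()`, so a later change that wants markup in this heading could reintroduce the unescaped-message injection this commit closes; a short comment above line 29 would pin the contract, e.g. `// .text() so the message is HTML-escaped; use mw.message( ... ).parse() if markup is ever needed`. The same applies to the starred headline in the second hunk of this file. The builder statement for this.$filterDropdown continues outside the hunk.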
@@ -48,7 +48,7 @@
 						} ).$element
 					),
 				$( '<hr>' ),
-				$( '<h3>' ).append(
+				$( '<h3>' ).text(
 					mw.msg( 'growthexperiments-mentor-dashboard-mentee-overview-add-filter-starred-headline' )
 				),
 				new OO.ui.FieldLayout( this.filterDropdownOnlyStarred, {
diff --git a/modules/mentordashboard/ext.growthExperiments.MentorDashboard.MenteeOverview.js b/modules/mentordashboard/ext.growthExperiments.MentorDashboard.MenteeOverview.js
index 130b29ab..fe07c7eb 100644
--- a/modules/mentordashboard/ext.growthExperiments.MentorDashboard.MenteeOverview.js
+++ b/modules/mentordashboard/ext.growthExperiments.MentorDashboard.MenteeOverview.js
@@ -116,7 +116,7 @@
 		return $( '<td>' )
 			.attr( 'data-field', fieldName )
 			.addClass( 'growthexperiments-mentor-dashboard-module-mentee-overview-table-value' )
-			.append( value );
+			.text( value );
 	};
 
 	MenteeOverview.prototype.sortTable = function ( field, dir ) {
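Review bot: `.text( value )` on line 51 narrows the accepted type of `value`: jQuery's text setter stringifies its argument, so any caller that still passes a jQuery object or DOM node (the call sites are outside the hunk) would now render as `[object Object]` instead of the element. Since the point of the change is that `value` is plain text, state that in the function's JSDoc, `@param {string|number} value Plain-text cell content; HTML-escaped by jQuery`, and confirm at each call site that no element is passed. The function's header is outside the hunk.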
@@ -218,11 +218,11 @@
 															'href',
 															( new mw.Title( userData.username, 2 ) ).getUrl()
 														)
-														.append( userData.username )
+														.text( userData.username )
 												),
 											$( '<span>' )
 												.addClass( 'growthexperiments-mentor-dashboard-module-mentee-overview-table-activity' )
-												.append( mw.msg(
+												.text( mw.msg(
 													'growthexperiments-mentor-dashboard-mentee-overview-active-ago',
 													userData.last_active.human
 												) )
-- 
2.20.1

