From 85eefd9359a69267a0a78919d4b8021646da8885 Mon Sep 17 00:00:00 2001
From: SomeRandomDeveloper <thisisnotmyname275@gmail.com>
Date: Wed, 26 Nov 2025 22:49:32 +0100
Subject: [PATCH] SECURITY: Escape system messages used in edit summaries

Bug: T411144
Change-Id: Iff01940a163ed87ec52f3a64ba6b2dbfa2759df3
---
 includes/HomepageHooks.php                | 2 +-
 includes/Mentorship/Hooks/MentorHooks.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/includes/HomepageHooks.php b/includes/HomepageHooks.php
index 56177da..d724829 100644
--- a/includes/HomepageHooks.php
+++ b/includes/HomepageHooks.php
@@ -1257,7 +1257,7 @@ class HomepageHooks implements
 			$messageParamsStr = $messageParts[ 1 ] ?? '';
 			$comment = wfMessage( $messageKey )
 				->numParams( ...explode( '|', $messageParamsStr ) )
-				->parse();
+				->escaped();
 		}
 	}
 
diff --git a/includes/Mentorship/Hooks/MentorHooks.php b/includes/Mentorship/Hooks/MentorHooks.php
index 988c723..6c7318c 100644
--- a/includes/Mentorship/Hooks/MentorHooks.php
+++ b/includes/Mentorship/Hooks/MentorHooks.php
@@ -277,7 +277,7 @@ class MentorHooks implements
 			$comment = wfMessage( $messageKey )
 				->params( ...explode( '|', $messageParts[1] ) )
 				->inContentLanguage()
-				->parse();
+				->escaped();
 		}
 	}
 
-- 
2.51.1