From df16704716d6ade250ae6bbba8f29335bf72d750 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bartosz=20Dziewo=C5=84ski?= <matma.rex@gmail.com>
Date: Tue, 16 Feb 2021 22:33:09 +0100
Subject: [PATCH] SECURITY: Escape the wikitext of parse warning messages in
 live preview

Bug: T274883
Change-Id: I3a57a823fac94a56ce0211e22227499c0c7b2a51
---
 resources/src/mediawiki.action/mediawiki.action.edit.preview.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/resources/src/mediawiki.action/mediawiki.action.edit.preview.js b/resources/src/mediawiki.action/mediawiki.action.edit.preview.js
index d5358d42d03..81c8dc6b439 100644
--- a/resources/src/mediawiki.action/mediawiki.action.edit.preview.js
+++ b/resources/src/mediawiki.action/mediawiki.action.edit.preview.js
@@ -270,7 +270,7 @@
 						)
 					);
 				response.parse.parsewarnings.forEach( function ( warning ) {
-					$previewHeader.find( '.warningbox' ).append( $( '<p>' ).append( warning ) );
+					$previewHeader.find( '.warningbox' ).append( $( '<p>' ).text( warning ) );
 				} );
 
 				if ( response.parse.text ) {
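Review bot: The added `.text( warning )` line carries no comment saying why the warning must not be inserted as markup, so a later cleanup could switch it back to `.append( warning )` to get formatted warnings and reopen the injection. I would put a comment directly above it, for example `// parsewarnings are raw wikitext from the API: insert as text, never as HTML`. Because the strings are wikitext, any markup in them is now shown literally; if rendered warnings are wanted, they should come from server-side parsed and sanitised output, not from client-side HTML insertion. The enclosing callback starts and ends outside this hunk, so the other `.append(` / `.html(` calls that consume `response.parse` fields are not visible here and are worth checking against the same rule.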
-- 
2.28.0.windows.1

