From 9d01a88dfc3a5e9ca2ed87e9898b5af8e7e3ec9b Mon Sep 17 00:00:00 2001
From: SomeRandomDeveloper <thisisnotmyname275@gmail.com>
Date: Sun, 17 Aug 2025 23:15:32 +0200
Subject: [PATCH] SECURITY: Escape system messages before inserting them into
 HTML

This fixes a stored i18n XSS vulnerability.

Bug: T402146
Change-Id: I91bba2b570643ef74e6c210e7250e05cd2aa388e
---
 modules/ext.advancedSearch.defaultFields.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/ext.advancedSearch.defaultFields.js b/modules/ext.advancedSearch.defaultFields.js
index 7eb323c..7ff8ae6 100644
--- a/modules/ext.advancedSearch.defaultFields.js
+++ b/modules/ext.advancedSearch.defaultFields.js
@@ -92,7 +92,7 @@ const getOptionHelpMessage = function ( id ) {
 	// * advancedsearch-field-plain
 	// * advancedsearch-field-sort
 	// * advancedsearch-field-subpageof
-	const head = mw.msg( 'advancedsearch-field-' + id );
+	const head = mw.message( 'advancedsearch-field-' + id ).escaped();
 	return new OO.ui.HtmlSnippet( '<h6 class="mw-advancedSearch-tooltip-head">' + head + '</h6>' +
 		'<div class="mw-advancedSearch-tooltip-body">' + message + '</div>' );
 };
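Review bot: The `message` variable concatenated into the tooltip body on the next-to-last line of the hunk is still inserted into the HtmlSnippet unescaped, so this change only closes the injection path through `head`; `message` is defined earlier in getOptionHelpMessage, outside the hunk, and whether it was already produced with `.parse()` or `.escaped()` cannot be seen from here. If it is the raw `.text()` / `mw.msg()` output it needs the same treatment, and a one-line comment on the `head` assignment would make the contract explicit for the next maintainer, e.g. `// Both head and message are interpolated into raw HTML; each must already be escaped or parsed.` Passing an unescaped string into `new OO.ui.HtmlSnippet( ... )` is the sink to keep in mind when this function is touched again.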
-- 
2.50.1

