From 65b8d7e3ae0df5ea328c78ebd862395254993605 Mon Sep 17 00:00:00 2001
From: Martin Urbanec <martin.urbanec@wikimedia.cz>
Date: Sat, 30 Oct 2021 22:19:38 +0200
Subject: [PATCH] SECURITY: Escape description before outputing it in
 action=info

Bug: T294693
Change-Id: I3cd080a1a7dacd7396d37ee0c98cff0b4e241f8d
---
 client/includes/Hooks/InfoActionHookHandler.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/client/includes/Hooks/InfoActionHookHandler.php b/client/includes/Hooks/InfoActionHookHandler.php
index b7b23f2413..87e0307439 100644
--- a/client/includes/Hooks/InfoActionHookHandler.php
+++ b/client/includes/Hooks/InfoActionHookHandler.php
@@ -177,7 +177,7 @@ class InfoActionHookHandler implements InfoActionHook {
 		return [
 			// messages: wikibase-pageinfo-description-local, wikibase-pageinfo-description-central
 			$context->msg( 'wikibase-pageinfo-description-' . $source )->parse(),
-			$description
+			htmlspecialchars( $description )
 		];
 	}
 
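Review bot: The new `htmlspecialchars( $description )` on the second array element relies on the default flags, which before PHP 8.1 leave single quotes unescaped; that is enough for element content, but the hunk does not show where the consumer places the value. Passing the flag explicitly, `htmlspecialchars( $description, ENT_QUOTES )`, makes the output independent of the PHP version. Since the sibling element is the result of `->parse()`, the pair is presumably emitted as raw HTML, so a comment above the line such as `// Both elements are output as HTML; the description is plain text and must be escaped` would keep a later refactor from dropping the call. The patch carries no regression test; a case that feeds a description containing markup and asserts the escaped form would pin the fix. The enclosing method starts outside the hunk.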
-- 
2.20.1

