diff --git a/resources/ext.popups.renderer.article.js b/resources/ext.popups.renderer.article.js
index 972fa6a..698c588 100644
--- a/resources/ext.popups.renderer.article.js
+++ b/resources/ext.popups.renderer.article.js
@@ -147,6 +147,8 @@
* @return {String}
*/
article.getProcessedHtml = function ( extract, title ) {
+ extract = mw.html.escape( extract );
+ title = mw.html.escape( title );
title = title.replace( /([.?*+^$[\]\\(){}|-])/g, '\\$1' ); // Escape RegExp elements
var regExp = new RegExp( '(^|\\s)(' + title + ')(\\s|$)', 'ig' );
// Make title bold in the extract text
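Review bot: The contract change on lines 9–10 is undocumented: getProcessedHtml now HTML-escapes both arguments itself, so a caller that already escapes would end up with `&amp;amp;`, and the `@param` block above the hunk should state that both inputs are raw text and the return value is markup. I would put a comment above the two new lines: `// Both inputs are untrusted text from the API; HTML-escape them before building markup, and RegExp-escape the already-escaped title so the pattern matches the escaped extract and cannot inject HTML or regexp syntax.` The regexp on line 12 is built from the escaped title, so it is consistent with the escaped extract, which is the property worth pinning in the tests. If the API can hand back an undefined or missing extract, mw.html.escape will presumably throw on it (it works via String.prototype.replace, as far as I recall) — worth confirming, and `extract = mw.html.escape( extract || '' );` would cover it. The body of getProcessedHtml continues past the end of the hunk.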
diff --git a/tests/qunit/ext.popups.renderer.article.test.js b/tests/qunit/ext.popups.renderer.article.test.js
index 1ebd7e1..f6fdf31 100644
--- a/tests/qunit/ext.popups.renderer.article.test.js
+++ b/tests/qunit/ext.popups.renderer.article.test.js
@@ -2,7 +2,7 @@
QUnit.module( 'ext.popups' );
QUnit.test( 'render.article.getProcessedHtml', function ( assert ) {
- QUnit.expect( 6 );
+ QUnit.expect( 7 );
function test ( extract, title, expected ) {
assert.equal(
@@ -41,6 +41,10 @@
'Brackets ) are funny ( when not used properly'
);
+ test(
+ 'Epic XSS is epic', 'Epic XSS',
+ 'Epic XSS <script>alert</script> is epic'
+ );
} );
} ) ( jQuery, mediaWiki );
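Review bot: The expected value on line 30 cannot follow from the inputs on line 29 as shown — the extract contains no `<script>` yet the expectation contains raw, unescaped tags — so either this view of the hunk is garbled (tags stripped on render, which would also explain the missing `<b>` in the case on line 26) or the assertion does not exercise the escaping at all. The case should feed the payload through `extract` and expect the entity-escaped form, e.g. `'<script>alert(1)</script> Epic XSS is epic', 'Epic XSS', '&lt;script&gt;alert(1)&lt;/script&gt; <b>Epic XSS</b> is epic'` (the `<b>` wrapping is presumed from the replacement outside the first hunk — confirm). A second case with a title containing `"` or `&` would pin that the escaped title still matches inside the escaped extract.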