From ce8db08ead6bab482cb89bc4f369f4f0d086aad1 Mon Sep 17 00:00:00 2001
From: Kunal Mehta <legoktm@debian.org>
Date: Thu, 17 Apr 2025 22:31:34 -0400
Subject: [PATCH] SECURITY: API: Escape i18n messages in
 action=feedcontributions

This is the same issue as CVE-2025-32072 (T386175), except in the
API's feedcontributions module. Escape the "Contributions" and
"colon-separator" messages so administrators cannot inject HTML
into them, triggering a potential XSS in feed readers.

Bug: T392276
Change-Id: Ic590a0d0cfc0a4a1e61859ecc57a175a8f5ec098
---
 includes/api/ApiFeedContributions.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/includes/api/ApiFeedContributions.php b/includes/api/ApiFeedContributions.php
index b2b36bbfd6d..c0c429d3c23 100644
--- a/includes/api/ApiFeedContributions.php
+++ b/includes/api/ApiFeedContributions.php
@@ -111,7 +111,7 @@ class ApiFeedContributions extends ApiBase {
 			$this->dieWithError( 'apierror-sizediffdisabled' );
 		}
 
-		$msg = $this->msg( 'Contributions' )->inContentLanguage()->text();
+		$msg = $this->msg( 'Contributions' )->inContentLanguage()->escaped();
 		$feedTitle = $config->get( MainConfigNames::Sitename ) . ' - ' . $msg .
 			' [' . $config->get( MainConfigNames::LanguageCode ) . ']';
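Review bot: `$msg` is now HTML-escaped, but the two other segments joined into `$feedTitle` on the following lines, `Sitename` and `LanguageCode`, are still concatenated raw, so the title becomes a mix of escaped and unescaped text. If the feed layer treats the title as pre-escaped HTML, as the switch to `escaped()` implies, `Sitename` is an admin-controlled string that should get the same treatment, e.g. `htmlspecialchars( $config->get( MainConfigNames::Sitename ) )`; if the feed layer escapes again instead, `$msg` will now be double-encoded. A short comment above the assignment, such as `// Escaped: the feed title is emitted in an HTML context (T392276)`, would record which of the two contracts holds for the next editor.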
 
@@ -235,7 +235,7 @@ class ApiFeedContributions extends ApiBase {
 	 * @return string
 	 */
 	protected function feedItemDesc( RevisionRecord $revision ) {
-		$msg = $this->msg( 'colon-separator' )->inContentLanguage()->text();
+		$msg = $this->msg( 'colon-separator' )->inContentLanguage()->escaped();
 		try {
 			$content = $revision->getContent( SlotRecord::MAIN );
 		} catch ( RevisionAccessException $e ) {
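Review bot: The docblock above feedItemDesc still reads only `@return string`, while the method now builds its output from an HTML-escaped separator, so the caller cannot tell from the signature whether the description is raw text or HTML; suggest `@return string Description of the feed item, HTML-escaped`. The body of feedItemDesc continues past the hunk, so whether the other pieces appended to `$msg` (the content text and any comment) are escaped consistently cannot be confirmed from here and is worth checking in the same change.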
-- 
2.49.0

