From 11bbcdfe1e287ab2ed7cf2b49f36f249f09def37 Mon Sep 17 00:00:00 2001
From: SomeRandomDeveloper <thisisnotmyname275@gmail.com>
Date: Mon, 10 Nov 2025 15:57:31 +0100
Subject: [PATCH] SECURITY: Escape system messages in autocomments

Bug: T409737
Change-Id: I8505700afda8096ef4e183280494232152767004
---
 lib/includes/Formatters/AutoCommentFormatter.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/includes/Formatters/AutoCommentFormatter.php b/lib/includes/Formatters/AutoCommentFormatter.php
index 143ef881cf..da19d00ffa 100644
--- a/lib/includes/Formatters/AutoCommentFormatter.php
+++ b/lib/includes/Formatters/AutoCommentFormatter.php
@@ -106,7 +106,7 @@ class AutoCommentFormatter {
 			return wfEscapeWikiText( $arg );
 		}, $args );
 		// render the autocomment
-		$auto = $msg->params( $args )->parse();
+		$auto = $msg->params( $args )->escaped();
 		return $auto;
 	}
 
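Review bot: The changed line `$auto = $msg->params( $args )->escaped();` is now the only thing keeping message content from reaching the output as markup, but the comment above it still reads just `// render the autocomment`, and the diffstat shows no test alongside the fix. I would replace that comment with `// SECURITY (T409737): message text is untrusted here; keep escaped(), do not switch back to parse()` so a later cleanup does not quietly revert it. A regression test should feed an autocomment message containing HTML and wikitext markup and assert that both come back escaped. Presumably any existing autocomment messages that relied on wikitext (links, bold) will now show that markup literally, so it is worth checking the shipped messages and noting in their documentation that they are plain text. The enclosing method starts outside this hunk, so how `$msg` is built and where the return value is emitted could not be checked here.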
-- 
2.52.0

