From c76d5bed82bb7e567f14eba71e5bd7a48609058f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gerg=C5=91=20Tisza?= <tgr.huwiki@gmail.com>
Date: Tue, 12 Nov 2024 21:49:00 +0100
Subject: [PATCH] [SECURITY] Fix unescaped i18n message use in captcha label

Bug: T379677
Change-Id: Ib9079feead4bfe0f1fd2c832c6cabb6eb7149534
---
 includes/FancyCaptcha/HTMLFancyCaptchaField.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git includes/FancyCaptcha/HTMLFancyCaptchaField.php includes/FancyCaptcha/HTMLFancyCaptchaField.php
index 72e461f8..12b0227e 100644
--- includes/FancyCaptcha/HTMLFancyCaptchaField.php
+++ includes/FancyCaptcha/HTMLFancyCaptchaField.php
@@ -89,8 +89,8 @@ class HTMLFancyCaptchaField extends HTMLFormField {
 	public function getLabel() {
 		// slight abuse of what getLabel() should mean; $mLabel is used for the pre-label text
 		// as the actual label is always the same
-		return $this->mParent->msg( 'captcha-label' )->text() . ' '
-			. $this->mParent->msg( 'fancycaptcha-captcha' )->text();
+		return $this->mParent->msg( 'captcha-label' )->escaped() . ' '
+			. $this->mParent->msg( 'fancycaptcha-captcha' )->escaped();
 	}
 
 	/** @inheritDoc */
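Review bot: getLabel() still carries no statement that its return value is HTML, so a later edit could change `->escaped()` back to `->text()` on the two return lines without anyone noticing. The commit subject implies the form emits this label without further escaping. I would extend the existing comment above the return with `// Returns HTML, not plain text: every message used here must go through ->escaped().` Interface messages are presumably overridable on-wiki or via translations, so they should be treated as untrusted at this boundary. A regression test that sets 'captcha-label' to a string containing markup and asserts the escaped form in the returned label would pin the fix. The class continues outside the hunk, so other msg() calls in this file are not visible here and are worth checking for the same `->text()` pattern.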
-- 
2.34.1

