From c841379bf8d062fa13118a3df4ff6acda9d9761f Mon Sep 17 00:00:00 2001
From: Lucas Werkmeister <lucas.werkmeister@wikimedia.de>
Date: Tue, 10 Jun 2025 16:11:24 +0200
Subject: [PATCH] SECURITY: Escape card title and description

mw.html is part of the mediawiki.base module, so no new ResourceLoader
dependency should be necessary.

Bug: T396413
Change-Id: SECURITY-I18f98a31ba40ff244c6944e2f9e1c4bee1319abf
---
 resources/ext.relatedArticles.readMore/RelatedArticles.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/resources/ext.relatedArticles.readMore/RelatedArticles.js b/resources/ext.relatedArticles.readMore/RelatedArticles.js
index 997fabd0fa..f48fd61d62 100644
--- a/resources/ext.relatedArticles.readMore/RelatedArticles.js
+++ b/resources/ext.relatedArticles.readMore/RelatedArticles.js
@@ -26,8 +26,8 @@ const RelatedArticles = ( options ) => [
 							</span>` }
 						</span>
 						<span class="cdx-card__text">
-							<span class="cdx-card__text__title">${ card.label }</span>
-							<span class="cdx-card__text__description">${ card.description }</span>
+							<span class="cdx-card__text__title">${ mw.html.escape( card.label ) }</span>
+							<span class="cdx-card__text__description">${ mw.html.escape( card.description ) }</span>
 						</span>
 					</a>
 				</li>` ).join( '\n' ),
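Review bot: The two new `mw.html.escape()` calls assume `card.label` and `card.description` are always strings. If a card can arrive without a description, the call is likely to throw where the old code merely rendered `undefined`, so a guard such as `mw.html.escape( card.description || '' )` is worth considering. The template literal begins above this hunk, and at least one other interpolation closes on the first context line. The hunk does not show whether those values, or any attributes on the enclosing `<a>`, are escaped, so confirm they are covered as well. A one-line comment above the template, e.g. `// Every interpolated value below must pass through mw.html.escape()`, would help keep later additions safe.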
-- 
2.49.0

