From 87a1a0893cd9ae6ed0c71a65e34b7e00cdf53c11 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=C3=A1t=C3=A9=20Szab=C3=B3?= <mszabo@wikimedia.org>
Date: Thu, 15 May 2025 17:26:36 +0200
Subject: [PATCH] SECURITY: Escape messages in IPInfo infobox

Why:

- The global contributions integration CheckUser provides for IPInfo's
  infobox is vulnerable to message key XSS.

What:

- Use mw.message( ... ).escaped() to escape the affected message before
  using it in HTML construction.

Bug: T394393
Change-Id: I66221bae94cf222531a7dc5622b2d43e01f7f8eb
---
 modules/ext.checkUser.ipInfo.hooks/infobox.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/ext.checkUser.ipInfo.hooks/infobox.js b/modules/ext.checkUser.ipInfo.hooks/infobox.js
index 067dce5e..1e0710ce 100644
--- a/modules/ext.checkUser.ipInfo.hooks/infobox.js
+++ b/modules/ext.checkUser.ipInfo.hooks/infobox.js
@@ -15,7 +15,7 @@ function addSpecialGlobalContributionsLink( $info, info, generateMarkup, target,
 
 		const $globalContributionsCount = $( '<span>' )
 			.addClass( 'ipinfo-widget-value-global-contributions' )
-			.append( mw.msg( 'checkuser-ipinfo-global-contributions-value', globalContributionsCount ) );
+			.append( mw.message( 'checkuser-ipinfo-global-contributions-value', globalContributionsCount ).escaped() );
 		$globalContributions.append( $globalContributionsCount );
 		const globalContributionsUrl = mw.util.getUrl( 'Special:GlobalContributions', { target } );
 		const $globalContributionsLink = $( '<div>' )
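Review bot: The new `.append( mw.message( ... ).escaped() )` line still passes the message through jQuery's HTML-parsing sink, so it stays safe only as long as every later edit keeps `.escaped()`, and nothing at the call site says why it is there. Either add a comment such as `// .append() parses strings as HTML and message text can be overridden, so it must be escaped here`, or set the value with `.text( mw.msg( 'checkuser-ipinfo-global-contributions-value', globalContributionsCount ) )`, which never parses HTML and should render the same text. addSpecialGlobalContributionsLink starts and ends outside this hunk, so the `$globalContributionsLink` construction that follows, and any other message inserted in the rest of the function, should be checked for the same `mw.msg()`-into-`.append()`/`.html()` pattern. A lint rule or a unit test that feeds a message value containing markup and asserts that no element is created would keep this from regressing.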
-- 
2.49.0

