From c45d590e65017211c37673d19ffa103595668243 Mon Sep 17 00:00:00 2001
From: Dreamy Jazz <wpgbrown@wikimedia.org>
Date: Mon, 19 May 2025 17:14:17 +0100
Subject: [PATCH] SECURITY: Fix i18n XSS vector in Special:CheckUser

Why:
* Special:CheckUser has a frontend JS summary table that reads
  usernames in the results from the 'data-username' property.
* This property is not properly HTML escaped in the associated
  mustache files.

What:
* Properly escape the username in GetActionsLine.mustache and
  GetUsersLine.mustache.

Bug: T394693
Change-Id: I159e14543912cb3bc7f4a00c3090c0285b154786
---
 templates/GetActionsLine.mustache | 2 +-
 templates/GetUsersLine.mustache   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/templates/GetActionsLine.mustache b/templates/GetActionsLine.mustache
index 10bae977..41ac98f1 100644
--- a/templates/GetActionsLine.mustache
+++ b/templates/GetActionsLine.mustache
@@ -5,7 +5,7 @@
 	{{/showLinks}}
 	{{timestamp}}
 	<span class="mw-changeslist-separator"></span>
-	<span data-username="{{{userName}}}" class="mw-checkuser-user-link{{#userLinkClass}} {{userLinkClass}}{{/userLinkClass}}">
+	<span data-username="{{userName}}" class="mw-checkuser-user-link{{#userLinkClass}} {{userLinkClass}}{{/userLinkClass}}">
 		{{{userLink}}}
 	</span>
 	{{{userToolLinks}}}
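Review bot: The summary-table JS that reads `data-username` still receives the raw username once the browser decodes the attribute, so it must insert that value as text (for example via `.text()` or `textContent`) rather than concatenating it into HTML. That consumer is not part of this patch, so it is worth confirming before treating the issue as closed. Separately, `{{{userLink}}}` and `{{{userToolLinks}}}` in the context lines remain unescaped, presumably because they are HTML fragments already built and escaped on the PHP side. A template comment such as `{{! userLink and userToolLinks must be pre-escaped HTML; never pass raw user text here }}` would record that contract. Both points apply equally to the GetUsersLine.mustache hunk.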
diff --git a/templates/GetUsersLine.mustache b/templates/GetUsersLine.mustache
index c76eda33..718793fd 100644
--- a/templates/GetUsersLine.mustache
+++ b/templates/GetUsersLine.mustache
@@ -2,7 +2,7 @@
 	{{#canPerformBlocksOrLocks}}
 		<input type="checkbox" name="users[]" value="{{userText}}"/>
 	{{/canPerformBlocksOrLocks}}
-	<span data-username="{{{userText}}}" class="mw-checkuser-user-link{{#userLinkClass}} {{userLinkClass}}{{/userLinkClass}}">
+	<span data-username="{{userText}}" class="mw-checkuser-user-link{{#userLinkClass}} {{userLinkClass}}{{/userLinkClass}}">
 		{{{userLink}}}
 	</span>
 	{{{userToolLinks}}}
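Review bot: Nothing in this patch pins the new escaping, since the diffstat lists only the two templates, so a later edit could restore `{{{userText}}}` or `{{{userName}}}` unnoticed. A rendering test that passes a username containing `"` and `<` (constructed sample: `a"<b`) through both templates and asserts the output contains `data-username="a&quot;&lt;b"` would guard against that regression.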
-- 
2.34.1

