From c6efb53f9c0894595a4625288e4e4bb212bf0a77 Mon Sep 17 00:00:00 2001
From: SomeRandomDeveloper <thisisnotmyname275@gmail.com>
Date: Mon, 10 Nov 2025 15:57:31 +0100
Subject: [PATCH] SECURITY: Escape system messages in autocomments

Bug: T409737
Change-Id: I8505700afda8096ef4e183280494232152767004
---
 lib/includes/Formatters/AutoCommentFormatter.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/includes/Formatters/AutoCommentFormatter.php b/lib/includes/Formatters/AutoCommentFormatter.php
index a251abd8fe..408cc6e0f4 100644
--- a/lib/includes/Formatters/AutoCommentFormatter.php
+++ b/lib/includes/Formatters/AutoCommentFormatter.php
@@ -117,7 +117,7 @@ class AutoCommentFormatter {
 			return wfEscapeWikiText( $arg );
 		}, $args );
 		// render the autocomment
-		$auto = $msg->params( $args )->parse();
+		$auto = $msg->params( $args )->escaped();
 		return $icon . $auto;
 	}
 
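Review bot: The comment above the changed line still reads `// render the autocomment` and gives no reason for choosing `escaped()`, so a later cleanup could switch it back to `parse()` to restore wikitext rendering in these messages. I would replace it with `// Security (T409737): the result is used as HTML; use escaped(), never parse(), on the system message.` The arguments are still passed through `wfEscapeWikiText()` just above, which appears to have been written for the `parse()` path; a regression test should confirm that an argument containing wikitext or HTML metacharacters is not double-encoded by `escaped()`. `$icon` is concatenated unescaped on the return line and is built outside the hunk, so it presumably has to be trusted HTML already; that is worth confirming. The enclosing method starts outside the hunk.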
-- 
2.51.1

