From 57b005263dc894c7f90b31c83f23b51fe11e3a90 Mon Sep 17 00:00:00 2001
From: SomeRandomDeveloper <thisisnotmyname275@gmail.com>
Date: Wed, 26 Nov 2025 22:49:32 +0100
Subject: [PATCH] SECURITY: Escape system messages used in edit summaries

Bug: T411144
Change-Id: Iff01940a163ed87ec52f3a64ba6b2dbfa2759df3
---
 includes/HomepageHooks.php                | 2 +-
 includes/Mentorship/Hooks/MentorHooks.php | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/includes/HomepageHooks.php b/includes/HomepageHooks.php
index 56177da..d724829 100644
--- a/includes/HomepageHooks.php
+++ b/includes/HomepageHooks.php
@@ -1257,7 +1257,7 @@ class HomepageHooks implements
 			$messageParamsStr = $messageParts[ 1 ] ?? '';
 			$comment = wfMessage( $messageKey )
 				->numParams( ...explode( '|', $messageParamsStr ) )
-				->parse();
+				->escaped();
 		}
 	}
 
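Review bot: Nothing at the call site says why `escaped()` is required, so a later cleanup could switch it back to `parse()` or `text()`; a comment above the `wfMessage( $messageKey )` chain would pin it, e.g. `// Result is used as HTML in the edit summary: keep escaped(), never parse()/text() (T411144)`. That `$comment` ends up in HTML output is inferred from the commit subject and is not visible in the hunk. The same comment fits both changed calls in includes/Mentorship/Hooks/MentorHooks.php. The diffstat lists only the two hook files, so no test asserts that markup in one of these messages comes out escaped; a regression test is worth adding. The enclosing method starts and ends outside the hunk.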
diff --git a/includes/Mentorship/Hooks/MentorHooks.php b/includes/Mentorship/Hooks/MentorHooks.php
index 988c723..ce7aeca 100644
--- a/includes/Mentorship/Hooks/MentorHooks.php
+++ b/includes/Mentorship/Hooks/MentorHooks.php
@@ -253,7 +253,7 @@ class MentorHooks implements
 			'growthexperiments-mentorship-enrollasmentor-summary',
 		];
 		if ( in_array( $auto, $noParamMessageKeys ) ) {
-			$comment = wfMessage( $auto )->text();
+			$comment = wfMessage( $auto )->escaped();
 		}
 
 		$mentorChangeMessageKeys = [
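Review bot: The allowlist check that gates the new `escaped()` call compares loosely, because `in_array( $auto, $noParamMessageKeys )` has no third argument. `$auto` is the only value deciding which message gets loaded here, so the match should be exact: `if ( in_array( $auto, $noParamMessageKeys, true ) ) {`. With the non-numeric keys visible in the hunk the result is the same today, but strict mode stops that from depending on what is later added to the list. The start of `$noParamMessageKeys` and the enclosing method are outside the hunk.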
@@ -277,7 +277,7 @@ class MentorHooks implements
 			$comment = wfMessage( $messageKey )
 				->params( ...explode( '|', $messageParts[1] ) )
 				->inContentLanguage()
-				->parse();
+				->escaped();
 		}
 	}
 
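Review bot: The values from `explode( '|', $messageParts[1] )` go in through `params()`, which substitutes them before the message's wikitext is transformed, so `{{…}}` constructs inside a parameter are still expanded even though the final string is HTML-escaped. If `$messageParts` is split from the autocomment text (as `$auto` in the previous hunk suggests; the assignment is outside this hunk), those parameters are chosen by whoever wrote the summary. For parameters the message does not feed to a parser function such as GENDER or PLURAL, `->plaintextParams( ... )` would pass them through unevaluated. `$messageParts[1]` is also read without the `?? ''` default that includes/HomepageHooks.php uses, unless a guard above the hunk guarantees the index.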
-- 
2.51.1

