From ab04c125007cabf717b8d7b620226f310d4ae810 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=C3=A1t=C3=A9=20Szab=C3=B3?= <mszabo@wikimedia.org>
Date: Thu, 15 May 2025 17:13:25 +0200
Subject: [PATCH] SECURITY: Escape messages in IPInfo frontend

Why:

- The content of several i18n messages is output unescaped in the IPInfo
  infobox and popup.

What:

- Use mw.message( ... ).escaped() to escape affected messages that are
  used in HTML construction.

Bug: T394393
Change-Id: Ibb9b7dcb04f551a3da32e9de09a8ac11caa2a3aa
---
 modules/ext.ipInfo/infobox/widget.js | 2 +-
 modules/ext.ipInfo/widget.js         | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/modules/ext.ipInfo/infobox/widget.js b/modules/ext.ipInfo/infobox/widget.js
index efd5f7b..6e2a838 100644
--- a/modules/ext.ipInfo/infobox/widget.js
+++ b/modules/ext.ipInfo/infobox/widget.js
@@ -104,7 +104,7 @@ ipInfoInfoboxWidget.prototype.buildMarkup = function ( info ) {
 	// Possible message keys used here:
 	// * ipinfo-value-ipversion-ipv4
 	// * ipinfo-value-ipversion-ipv6
-	const ipVersionText = ipversion ? mw.msg( `ipinfo-value-ipversion-${ ipversion }` ) : '';
+	const ipVersionText = ipversion ? mw.message( `ipinfo-value-ipversion-${ ipversion }` ).escaped() : '';
 
 	let $numIPAddresses = $( '' );
 	if ( info.data[ 'ipinfo-source-ip-count' ].numIPAddresses ) {
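Review bot: The switch to `.escaped()` for `ipVersionText` carries no comment explaining why, and the place where the value is inserted lies outside this hunk, so a later cleanup could revert it to `mw.msg()` without noticing the HTML context. I would add `// Escaped because ipVersionText is inserted into HTML markup below.` above the assignment. It is also worth confirming that the sink further down in `buildMarkup` really treats the string as HTML; if it is set through `.text()`, the entities would be displayed double-encoded.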
diff --git a/modules/ext.ipInfo/widget.js b/modules/ext.ipInfo/widget.js
index cc47f19..e80e1f2 100644
--- a/modules/ext.ipInfo/widget.js
+++ b/modules/ext.ipInfo/widget.js
@@ -201,7 +201,7 @@ ipInfoWidget.prototype.getActiveBlocks = function ( numActiveBlocks ) {
 	if ( numActiveBlocks === undefined ) {
 		return undefined;
 	}
-	return mw.msg( 'ipinfo-value-active-blocks', numActiveBlocks );
+	return mw.message( 'ipinfo-value-active-blocks', numActiveBlocks ).escaped();
 };
 
 /**
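Review bot: `getActiveBlocks` now returns an HTML-escaped string instead of plain text, but its doc block sits above the hunk and does not appear to be updated to say so. Callers need that contract spelled out, for example `@return {string|undefined} HTML-escaped message text, safe to insert as markup`, so nobody passes the result to `.text()` or escapes it a second time. The diffstat lists only the two widget files, so a QUnit case that sets `ipinfo-value-active-blocks` to a value containing markup and asserts the return is entity-encoded would guard against a regression.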
@@ -216,9 +216,9 @@ ipInfoWidget.prototype.getEdits = function ( numLocalEdits, numRecentEdits, numD
 	if ( numLocalEdits === undefined && numRecentEdits === undefined ) {
 		return undefined;
 	}
-	const localEdits = mw.msg( 'ipinfo-value-local-edits', numLocalEdits );
+	const localEdits = mw.message( 'ipinfo-value-local-edits', numLocalEdits ).escaped();
 	const $recentEdits = $( '<span>' ).addClass( 'ext-ipinfo-widget-value-recent-edits' )
-		.append( mw.msg( 'ipinfo-value-recent-edits', numRecentEdits ) );
+		.append( mw.message( 'ipinfo-value-recent-edits', numRecentEdits ).escaped() );
 
 	const $edits = $( '<span>' ).append(
 		localEdits,
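Review bot: Escaping at each call site leaves `.append()` as an HTML sink, so the safety of `$recentEdits` depends on every future edit remembering `.escaped()`. Since that span holds only the message, `.text( mw.msg( 'ipinfo-value-recent-edits', numRecentEdits ) )` would make it text by construction. The same applies to `localEdits` in this hunk and to the `ipinfo-value-deleted-edits` append in the next hunk, where the string is passed alongside `$( '<br>' )` and could instead be `document.createTextNode( mw.msg( ... ) )`. `getEdits` begins and ends outside these hunks, so it should be checked that nothing downstream expects markup from these messages.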
@@ -229,7 +229,7 @@ ipInfoWidget.prototype.getEdits = function ( numLocalEdits, numRecentEdits, numD
 
 	if ( numDeletedEdits !== undefined ) {
 		$edits.append(
-			mw.msg( 'ipinfo-value-deleted-edits', numDeletedEdits ),
+			mw.message( 'ipinfo-value-deleted-edits', numDeletedEdits ).escaped(),
 			$( '<br>' )
 		);
 	}
-- 
2.49.0

