From 11155a8ca858a95f59d8907c3123628458fdb0b1 Mon Sep 17 00:00:00 2001
From: Dylan F <git@dylanfarrar.com>
Date: Sat, 26 Apr 2025 02:40:29 +0100
Subject: [PATCH] SECURITY: Escape usernames in HTMLUserTextField validation
 errors

The HTMLUserTextField is accessible to logged-out users on private wikis
through Special:PasswordReset. Validation error messages returned by this
field included unescaped usernames parsed as wikitext. This allowed
logged-out attackers arbitrary access to the parser, enabling them to
reveal page contents through transclusion, e.g., "{{:Private page}}".

Escape the username parameter using wfEscapeWikiText() to prevent
wikitext interpretation in error messages.

Bug: T392746
---
 includes/htmlform/fields/HTMLUserTextField.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/includes/htmlform/fields/HTMLUserTextField.php b/includes/htmlform/fields/HTMLUserTextField.php
index d19c50c9f71..a9a499de1c9 100644
--- a/includes/htmlform/fields/HTMLUserTextField.php
+++ b/includes/htmlform/fields/HTMLUserTextField.php
@@ -67,14 +67,14 @@ class HTMLUserTextField extends HTMLTextField {
 				// Treat hidden users as unregistered if current user can't view them (T309894)
 				!( $user->isHidden() && !( $this->mParent && $this->mParent->getUser()->isAllowed( 'hideuser' ) ) )
 			) ) {
-				return $this->msg( 'htmlform-user-not-exists', $user->getName() );
+				return $this->msg( 'htmlform-user-not-exists',  wfEscapeWikiText( $user->getName() ) );
 			}
 
 			// check if the user account type matches the account type filter
 			$excludeNamed = $this->mParams['excludenamed'] ?? null;
 			$excludeTemp = $this->mParams['excludetemp'] ?? null;
 			if ( ( $excludeTemp && $user->isTemp() ) || ( $excludeNamed && $user->isNamed() ) ) {
-				return $this->msg( 'htmlform-user-not-valid', $user->getName() );
+				return $this->msg( 'htmlform-user-not-valid', wfEscapeWikiText( $user->getName() ) );
 			}
 		} else {
 			// not a valid username
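Review bot: wfEscapeWikiText() on both replaced return lines does stop the parameter from being parsed as wikitext, but it does so by rewriting wikitext-significant characters into HTML entities, so if the returned Message is ever rendered as plain text (->text()/->plain()) instead of parsed, the username will show with literal entities; passing `Message::plaintextParam( $user->getName() )` is the context-aware way to mark a parameter that must never be interpreted as wikitext, and the same consideration applies to the `$value` site in the second hunk. Either form closes the transclusion issue described in the commit message, so this is a question of robustness across output contexts rather than correctness of the fix. Minor style point: the first replacement line carries a doubled space after the comma, `return $this->msg( 'htmlform-user-not-exists', wfEscapeWikiText( $user->getName() ) );`. The enclosing method begins before and ends after this hunk.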
@@ -102,7 +102,7 @@ class HTMLUserTextField extends HTMLTextField {
 				}
 			}
 			if ( !$valid ) {
-				return $this->msg( 'htmlform-user-not-valid', $value );
+				return $this->msg( 'htmlform-user-not-valid', wfEscapeWikiText( $value ) );
 			}
 		}
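Review bot: The diffstat lists only the source file, so nothing in the patch pins the new escaping against a future regression; a unit test in the field's existing test class that validates a name containing template braces and asserts the parsed error message contains the escaped name and no transcluded page content would be the natural companion to a security fix of this kind. The `$value` escaped here is, going by the "not a valid username" comment in the previous hunk, the raw input that never passed username normalisation, so escaping it before it reaches the message parser is the right call. The enclosing method begins before and ends after this hunk.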
 
-- 
2.39.2

