From 6b50dc0e5434b933ee12c58ab23e555121de44a7 Mon Sep 17 00:00:00 2001
From: BlankEclair <blankeclair@disroot.org>
Date: Sat, 11 Jan 2025 14:19:17 +1100
Subject: [PATCH] SECURITY: Fix XSSes

Bug: T383472
Change-Id: Ic5b5ce8f7791026eff1aafffb32a68f3aab119be
---
 src/Setup.php | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/Setup.php b/src/Setup.php
index 545ea4e..f02216f 100644
--- a/src/Setup.php
+++ b/src/Setup.php
@@ -2,6 +2,7 @@
 
 namespace MediaWiki\Extension\SimpleCalendar;
 
+use Html;
 use Parser;
 use Title;
 
@@ -82,10 +83,10 @@ class Setup {
 		if ( empty( $d ) ) {
 			$d = 7;
 		}
-		$month = wfMessage( strtolower( date( 'F', $ts ) ) )->text();
+		$month = wfMessage( strtolower( date( 'F', $ts ) ) )->escaped();
 		$days = [];
 		foreach ( [ 'M', 'T', 'W', 'T', 'F', 'S', 'S' ] as $i => $day ) {
-			$days[] = $dayformat ? wfMessage( date( $dayformat, mktime( 0, 0, 0, 2, $i, 2000 ) ) )->text() : $day;
+			$days[] = $dayformat ? wfMessage( date( $dayformat, mktime( 0, 0, 0, 2, $i, 2000 ) ) )->escaped() : $day;
 		}
 		$table = "\n<table border class=\"month\">\n\t<tr class=\"heading\"><th colspan=\"7\">$month</th></tr>\n";
 		$table .= "\t<tr class=\"dow\"><th>" . implode( '</th><th>', $days ) . "</th></tr>\n";
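Review bot: The message key passed to `wfMessage()` on the `$days[]` line is built from `$dayformat`, which looks caller-supplied (it is assigned outside this hunk), so `->escaped()` is the only thing keeping a missing-message placeholder or message text out of the raw `<th>` markup concatenated below. Nothing in the code records that dependency, and a later cleanup could switch it back to `->text()` without noticing. I would add a comment above the loop such as `// Message keys derive from parser-function input and the result is concatenated into raw HTML: always use ->escaped() here.` The same reasoning covers `$month`, although its key comes from `date( 'F', $ts )` and is limited to month names. The enclosing method starts and ends outside the hunk.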
@@ -108,7 +109,11 @@ class Setup {
 				} else {
 					$url = "Bad title: \"$ttext\" (using format \"$format\")";
 				}
-				$table .= "\t\t<td class='$class$t'><a href=\"$url\">$day</a></td>\n";
+				$table .= "\t\t";
+				$table .= Html::rawElement( 'td', [ 'class' => "$class$t" ],
+					Html::element( 'a', [ 'href' => $url ], $day )
+				);
+				$table .= "\n";
 			}
 		}
 		$last = date( "t", $ts );
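Review bot: `Html::element( 'a', [ 'href' => $url ], $day )` escapes the attribute value but does not check that `$url` is a usable link target, and in the `else` branch just above it `$url` holds the text `Bad title: "$ttext" (using format "$format")`. That error string, which embeds what appear to be caller-influenced `$ttext` and `$format` values, ends up as a link target instead of being shown to the editor. I would have the bad-title branch emit the cell without an anchor, for example by passing `htmlspecialchars( $day )` as the `td` content, and surface the message as escaped text or a `title` attribute through the `Html::` helpers. The `if` that sets `$url` on the success path begins outside the hunk, so I am assuming that value comes from a `Title` URL getter and carries a safe scheme.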
-- 
2.47.1

