From 0a6ce0bf88ae29718baacbebd1e2aefaf11a17b1 Mon Sep 17 00:00:00 2001
From: Amir Sarabadani
Date: Sat, 7 Dec 2019 23:36:42 +0100
Subject: [PATCH] SECURITY: Do not allow user scripts on Special:PasswordReset

Bug: T192134
Change-Id: If5e91452f2e569476626bcf650ba4efaa122952c
---
 includes/specials/SpecialPasswordReset.php | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/includes/specials/SpecialPasswordReset.php b/includes/specials/SpecialPasswordReset.php
index c1d30ee58c..63490e4925 100644
--- a/includes/specials/SpecialPasswordReset.php
+++ b/includes/specials/SpecialPasswordReset.php
@@ -74,6 +74,15 @@ class SpecialPasswordReset extends FormSpecialPage {
 parent::checkExecutePermissions( $user );
 }

+ /**
+ * @param string $par
+ */
+ public function execute( $par ) {
+ $out = $this->getOutput();
+ $out->disallowUserJs();
+ parent::execute( $par );
+ }
+
 protected function getFormFields() {
 $resetRoutes = $this->getConfig()->get( 'PasswordResetRoutes' );
 $a = [];
-- 
2.20.1
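Review bot: The added `execute()` override has a docblock that only restates the parameter and says nothing about why `$out->disallowUserJs()` is there, so a later cleanup could drop the call as redundant without noticing it is the security fix. I would put the reason on the call itself, e.g. `// T192134: no user-controlled JS on a page that handles account recovery`, and widen the tag to `@param string|null $par`, since the subpage is presumably absent when the page is opened without one. The call is correctly made before `parent::execute()`, and a small regression test asserting the restriction on the page output would keep it from being removed silently. The rest of the class, including `getFormFields()`, continues outside the hunk, so whether any other entry point of this page builds output without going through `execute()` cannot be checked from here.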