From 01748b1cc1d4bfb5805273d74f4efccc4f5469e9 Mon Sep 17 00:00:00 2001
From: Brian Wolff <bawolff+wn@gmail.com>
Date: Fri, 6 Jul 2018 01:02:45 +0000
Subject: [PATCH] ChangesList: HTML escape the timestamp

Bug: T197002
Change-Id: Ib695674b9dc28a2f864f330e578cee6a1a7a4219
---
 includes/changes/ChangesList.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/includes/changes/ChangesList.php b/includes/changes/ChangesList.php
index facf29ea84..ac8b3d48d9 100644
--- a/includes/changes/ChangesList.php
+++ b/includes/changes/ChangesList.php
@@ -531,10 +531,10 @@ class ChangesList extends ContextSource {
 	public function getTimestamp( $rc ) {
 		// @todo FIXME: Hard coded ". .". Is there a message for this? Should there be?
 		return $this->message['semicolon-separator'] . '<span class="mw-changeslist-date">' .
-			$this->getLanguage()->userTime(
+			htmlspecialchars( $this->getLanguage()->userTime(
 				$rc->mAttribs['rc_timestamp'],
 				$this->getUser()
-			) . '</span> <span class="mw-changeslist-separator">. .</span> ';
+			) ) . '</span> <span class="mw-changeslist-separator">. .</span> ';
 	}
 
 	/**
-- 
2.20.1