From a89ef9b3b9cc4702c0f23443ae51df4f3bed7ecb Mon Sep 17 00:00:00 2001
From: Brian Wolff <bawolff+wn@gmail.com>
Date: Thu, 20 Sep 2018 06:28:40 +0000
Subject: [PATCH] Fix some double escaping, and some incorrect escaping for
 convert()

convert() is weird and requires things to be escaped before it
is called.

This fixes a bunch of phan-taint-check warnings.

Change-Id: I422b313ca05ff61ae05e06856347cc0de832cc49
---
 includes/preferences/DefaultPreferencesFactory.php | 2 +-
 includes/specialpage/LoginSignupSpecialPage.php    | 2 +-
 includes/specialpage/PageQueryPage.php             | 4 ++--
 includes/specials/SpecialAncientpages.php          | 4 ++--
 includes/specials/SpecialFewestrevisions.php       | 4 ++--
 includes/specials/SpecialFileDuplicateSearch.php   | 6 ++++--
 includes/specials/SpecialMIMEsearch.php            | 5 +++--
 includes/specials/SpecialMostlinkedcategories.php  | 5 +++--
 includes/specials/SpecialSearch.php                | 4 ++--
 includes/specials/SpecialUnwatchedpages.php        | 4 ++--
 includes/specials/SpecialWantedcategories.php      | 3 ++-
 11 files changed, 24 insertions(+), 19 deletions(-)

diff --git a/includes/preferences/DefaultPreferencesFactory.php b/includes/preferences/DefaultPreferencesFactory.php
index 0da8c452fa..555493a8a3 100644
--- a/includes/preferences/DefaultPreferencesFactory.php
+++ b/includes/preferences/DefaultPreferencesFactory.php
@@ -338,7 +338,7 @@ class DefaultPreferencesFactory implements PreferencesFactory {
 					$lang->userTimeAndDate( $userRegistration, $displayUser ),
 					$lang->userDate( $userRegistration, $displayUser ),
 					$lang->userTime( $userRegistration, $displayUser )
-				)->parse(),
+				)->text(),
 				'section' => 'personal/info',
 			];
 		}
diff --git a/includes/specialpage/LoginSignupSpecialPage.php b/includes/specialpage/LoginSignupSpecialPage.php
index bf6c9bbfe9..e39ec5823d 100644
--- a/includes/specialpage/LoginSignupSpecialPage.php
+++ b/includes/specialpage/LoginSignupSpecialPage.php
@@ -611,7 +611,7 @@ abstract class LoginSignupSpecialPage extends AuthManagerSpecialPage {
 			$benefitList = '';
 			for ( $benefitIdx = 1; $benefitIdx <= $benefitCount; $benefitIdx++ ) {
 				$headUnescaped = $this->msg( "createacct-benefit-head$benefitIdx" )->text();
-				$iconClass = $this->msg( "createacct-benefit-icon$benefitIdx" )->escaped();
+				$iconClass = $this->msg( "createacct-benefit-icon$benefitIdx" )->text();
 				$benefitList .= Html::rawElement( 'div', [ 'class' => "mw-number-text $iconClass" ],
 					Html::rawElement( 'h3', [],
 						$this->msg( "createacct-benefit-head$benefitIdx" )->escaped()
diff --git a/includes/specialpage/PageQueryPage.php b/includes/specialpage/PageQueryPage.php
index ad66e319df..2f15800b5a 100644
--- a/includes/specialpage/PageQueryPage.php
+++ b/includes/specialpage/PageQueryPage.php
@@ -55,8 +55,8 @@ abstract class PageQueryPage extends QueryPage {
 
 		if ( $title instanceof Title ) {
 			$text = MediaWikiServices::getInstance()->getContentLanguage()->
-				convert( $title->getPrefixedText() );
-			return $this->getLinkRenderer()->makeLink( $title, $text );
+				convert( htmlspecialchars( $title->getPrefixedText() ) );
+			return $this->getLinkRenderer()->makeLink( $title, new HtmlArmor( $text ) );
 		} else {
 			return Html::element( 'span', [ 'class' => 'mw-invalidtitle' ],
 				Linker::getInvalidTitleDescription( $this->getContext(), $row->namespace, $row->title ) );
diff --git a/includes/specials/SpecialAncientpages.php b/includes/specials/SpecialAncientpages.php
index 088b060e61..4f691cb688 100644
--- a/includes/specials/SpecialAncientpages.php
+++ b/includes/specials/SpecialAncientpages.php
@@ -94,8 +94,8 @@ class AncientPagesPage extends QueryPage {
 		$linkRenderer = $this->getLinkRenderer();
 		$link = $linkRenderer->makeKnownLink(
 			$title,
-			MediaWikiServices::getInstance()->getContentLanguage()->
-				convert( $title->getPrefixedText() )
+			new HtmlArmor( MediaWikiServices::getInstance()->getContentLanguage()->
+				convert( htmlspecialchars( $title->getPrefixedText() ) ) )
 		);
 
 		return $this->getLanguage()->specialList( $link, htmlspecialchars( $d ) );
diff --git a/includes/specials/SpecialFewestrevisions.php b/includes/specials/SpecialFewestrevisions.php
index 4a57c95eb3..84454e2e7b 100644
--- a/includes/specials/SpecialFewestrevisions.php
+++ b/includes/specials/SpecialFewestrevisions.php
@@ -84,8 +84,8 @@ class FewestrevisionsPage extends QueryPage {
 		}
 		$linkRenderer = $this->getLinkRenderer();
 		$text = MediaWikiServices::getInstance()->getContentLanguage()->
-			convert( $nt->getPrefixedText() );
-		$plink = $linkRenderer->makeLink( $nt, $text );
+			convert( htmlspecialchars( $nt->getPrefixedText() ) );
+		$plink = $linkRenderer->makeLink( $nt, new HtmlArmor( $text ) );
 
 		$nl = $this->msg( 'nrevisions' )->numParams( $result->value )->text();
 		$redirect = isset( $result->redirect ) && $result->redirect ?
diff --git a/includes/specials/SpecialFileDuplicateSearch.php b/includes/specials/SpecialFileDuplicateSearch.php
index 3115adcfa6..98f60723e3 100644
--- a/includes/specials/SpecialFileDuplicateSearch.php
+++ b/includes/specials/SpecialFileDuplicateSearch.php
@@ -209,10 +209,12 @@ class FileDuplicateSearchPage extends QueryPage {
 	function formatResult( $skin, $result ) {
 		$linkRenderer = $this->getLinkRenderer();
 		$nt = $result->getTitle();
-		$text = MediaWikiServices::getInstance()->getContentLanguage()->convert( $nt->getText() );
+		$text = MediaWikiServices::getInstance()->getContentLanguage()->convert(
+			htmlspecialchars( $nt->getText() )
+		);
 		$plink = $linkRenderer->makeLink(
 			$nt,
-			$text
+			new HtmlArmor( $text )
 		);
 
 		$userText = $result->getUser( 'text' );
diff --git a/includes/specials/SpecialMIMEsearch.php b/includes/specials/SpecialMIMEsearch.php
index 18c163e138..2599b16300 100644
--- a/includes/specials/SpecialMIMEsearch.php
+++ b/includes/specials/SpecialMIMEsearch.php
@@ -186,10 +186,11 @@ class MIMEsearchPage extends QueryPage {
 	function formatResult( $skin, $result ) {
 		$linkRenderer = $this->getLinkRenderer();
 		$nt = Title::makeTitle( $result->namespace, $result->title );
-		$text = MediaWikiServices::getInstance()->getContentLanguage()->convert( $nt->getText() );
+		$text = MediaWikiServices::getInstance()->getContentLanguage()
+			->convert( htmlspecialchars( $nt->getText() ) );
 		$plink = $linkRenderer->makeLink(
 			Title::newFromText( $nt->getPrefixedText() ),
-			$text
+			new HtmlArmor( $text )
 		);
 
 		$download = Linker::makeMediaLinkObj( $nt, $this->msg( 'download' )->escaped() );
diff --git a/includes/specials/SpecialMostlinkedcategories.php b/includes/specials/SpecialMostlinkedcategories.php
index b80e518d82..52300f90eb 100644
--- a/includes/specials/SpecialMostlinkedcategories.php
+++ b/includes/specials/SpecialMostlinkedcategories.php
@@ -84,8 +84,9 @@ class MostlinkedCategoriesPage extends QueryPage {
 			);
 		}
 
-		$text = MediaWikiServices::getInstance()->getContentLanguage()->convert( $nt->getText() );
-		$plink = $this->getLinkRenderer()->makeLink( $nt, $text );
+		$text = MediaWikiServices::getInstance()->getContentLanguage()
+			->convert( new HtmlArmor( $nt->getText() ) );
+		$plink = $this->getLinkRenderer()->makeLink( $nt, new HtmlArmor( $text ) );
 		$nlinks = $this->msg( 'nmembers' )->numParams( $result->value )->escaped();
 
 		return $this->getLanguage()->specialList( $plink, $nlinks );
diff --git a/includes/specials/SpecialSearch.php b/includes/specials/SpecialSearch.php
index 86dcb721f8..d904ad16d3 100644
--- a/includes/specials/SpecialSearch.php
+++ b/includes/specials/SpecialSearch.php
@@ -568,9 +568,9 @@ class SpecialSearch extends SpecialPage {
 				'a',
 				[
 					'href' => $this->getPageTitle()->getLocalURL( $params ),
-					'title' => $this->msg( 'search-filter-title-prefix-reset' ),
+					'title' => $this->msg( 'search-filter-title-prefix-reset' )->text(),
 				],
-				$this->msg( 'search-filter-title-prefix-reset' )
+				$this->msg( 'search-filter-title-prefix-reset' )->text()
 			);
 			$subtitle .= ')';
 			$out->setSubtitle( $subtitle );
diff --git a/includes/specials/SpecialUnwatchedpages.php b/includes/specials/SpecialUnwatchedpages.php
index a3a9bc6f91..2cd74b7274 100644
--- a/includes/specials/SpecialUnwatchedpages.php
+++ b/includes/specials/SpecialUnwatchedpages.php
@@ -117,11 +117,11 @@ class UnwatchedpagesPage extends QueryPage {
 		}
 
 		$text = MediaWikiServices::getInstance()->getContentLanguage()->
-			convert( $nt->getPrefixedText() );
+			convert( htmlspecialchars( $nt->getPrefixedText() ) );
 
 		$linkRenderer = $this->getLinkRenderer();
 
-		$plink = $linkRenderer->makeKnownLink( $nt, $text );
+		$plink = $linkRenderer->makeKnownLink( $nt, new HtmlArmor( $text ) );
 		$wlink = $linkRenderer->makeKnownLink(
 			$nt,
 			$this->msg( 'watch' )->text(),
diff --git a/includes/specials/SpecialWantedcategories.php b/includes/specials/SpecialWantedcategories.php
index 2accef6f74..5c62298360 100644
--- a/includes/specials/SpecialWantedcategories.php
+++ b/includes/specials/SpecialWantedcategories.php
@@ -91,7 +91,8 @@ class WantedCategoriesPage extends WantedQueryPage {
 	 */
 	function formatResult( $skin, $result ) {
 		$nt = Title::makeTitle( $result->namespace, $result->title );
-		$text = MediaWikiServices::getInstance()->getContentLanguage()->convert( $nt->getText() );
+		$text = new HtmlArmor( MediaWikiServices::getInstance()->getContentLanguage()
+			->convert( htmlspecialchars( $nt->getText() ) ) );
 
 		if ( !$this->isCached() ) {
 			// We can assume the freshest data
-- 
2.20.1