SECURITY: UserGroupMembership: Fix HTML escaping in #getLink
authorBartosz Dziewoński <matma.rex@gmail.com>
Mon, 23 Mar 2020 21:01:30 +0000 (22:01 +0100)
committerSBassett <sbassett@wikimedia.org>
Thu, 26 Mar 2020 04:02:14 +0000 (04:02 +0000)
In some cases, the return value would be either non-escaped or
double-escaped.

Bug: T236509

Change-Id: If56a9df5f815a58a11741c5e020bb2d43a692563
(cherry picked from commit a0d7e49f0941a5f7a7e9cbb396540572317f9ae6)

includes/user/UserGroupMembership.php

index 2261fcb..6999937 100644 (file)
@@ -398,15 +398,19 @@ class UserGroupMembership {
                // link to the group description page, if it exists
                $linkTitle = self::getGroupPage( $group );
                $linkRenderer = MediaWikiServices::getInstance()->getLinkRenderer();
-               if ( $linkTitle ) {
-                       if ( $format === 'wiki' ) {
+               if ( $format === 'wiki' ) {
+                       if ( $linkTitle ) {
                                $linkPage = $linkTitle->getFullText();
                                $groupLink = "[[$linkPage|$groupName]]";
                        } else {
-                               $groupLink = $linkRenderer->makeLink( $linkTitle, $groupName );
+                               $groupLink = $groupName;
                        }
                } else {
-                       $groupLink = htmlspecialchars( $groupName );
+                       if ( $linkTitle ) {
+                               $groupLink = $linkRenderer->makeLink( $linkTitle, $groupName );
+                       } else {
+                               $groupLink = htmlspecialchars( $groupName );
+                       }
                }
 
                if ( $expiry ) {
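Review bot: In the 'wiki' branch `$groupName` is interpolated into `[[$linkPage|$groupName]]` and returned bare when there is no group page, with no wikitext escaping in either case. That output is only safe if every caller treats it as wikitext to be parsed and never prints it as HTML. Where `$groupName` comes from is outside this hunk; if it can carry markup (for example from a locally customised message), consider `wfEscapeWikiText( $groupName )` in both places. At minimum the contract deserves a comment above the branch, such as `// 'wiki' format returns wikitext, not HTML; callers must parse it or escape it themselves`. The method's signature and docblock are above the hunk, so the `@return` description should be checked to say the same.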
@@ -416,11 +420,15 @@ class UserGroupMembership {
                        $expiryDT = $uiLanguage->userTimeAndDate( $expiry, $uiUser );
                        $expiryD = $uiLanguage->userDate( $expiry, $uiUser );
                        $expiryT = $uiLanguage->userTime( $expiry, $uiUser );
-                       if ( $format === 'html' ) {
+
+                       if ( $format === 'wiki' ) {
+                               return $context->msg( 'group-membership-link-with-expiry' )
+                                       ->params( $groupLink, $expiryDT, $expiryD, $expiryT )->text();
+                       } else {
                                $groupLink = Message::rawParam( $groupLink );
+                               return $context->msg( 'group-membership-link-with-expiry' )
+                                       ->params( $groupLink, $expiryDT, $expiryD, $expiryT )->escaped();
                        }
-                       return $context->msg( 'group-membership-link-with-expiry' )
-                               ->params( $groupLink, $expiryDT, $expiryD, $expiryT )->text();
                }
                return $groupLink;
        }
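Review bot: The `Message::rawParam( $groupLink )` call in the non-wiki branch is only correct because the earlier branch guarantees `$groupLink` is already HTML there (from `makeLink()` or `htmlspecialchars()`), and nothing on these lines records that invariant. A short comment would keep a later edit from reintroducing the double- or non-escaped output, for example `// $groupLink is already HTML here (makeLink()/htmlspecialchars() above): pass it raw, escaped() covers the message text and other params`. It would also help to note next to the `->text()` return that the 'wiki' result is deliberately left unescaped for the parser. The final `return $groupLink;` relies on the same per-format guarantee for the no-expiry case.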