From ce75f790bc5e7dd08818d3ad2dab685e0ef50de0 Mon Sep 17 00:00:00 2001
From: Fomafix
Date: Wed, 13 Sep 2017 12:37:36 +0200
Subject: [PATCH] Skin.php: HTML escape message pipe-separator

This prevents HTML and JavaScript injections.

Change-Id: I6241dadf29e96aa1aa15324a3edc51538214345d
---
 includes/skins/Skin.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/includes/skins/Skin.php b/includes/skins/Skin.php
index df7a9edede..eaee0d2572 100644
--- a/includes/skins/Skin.php
+++ b/includes/skins/Skin.php
@@ -1611,7 +1611,7 @@ abstract class Skin extends ContextSource {
 $result .= implode( ''
- . wfMessage( 'pipe-separator' )->inLanguage( $lang )->text()
+ . wfMessage( 'pipe-separator' )->inLanguage( $lang )->escaped()
 . '', $linksHtml );
-- 
2.20.1
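Review bot: Nothing at the `implode(` call records why the separator has to go through `escaped()`, and the patch adds no regression test, so a later cleanup could switch it back to `text()` unnoticed. The message text is concatenated directly into the HTML separator placed between the entries of `$linksHtml`, and interface messages such as `pipe-separator` can be overridden by anyone with rights to edit them, so I would add a comment above the changed line, e.g. `// Message content is not trusted HTML: escape it before concatenating into markup.`, plus a test that sets the message to a string containing markup and asserts the output is entity-encoded. Other call sites that join links with `wfMessage( 'pipe-separator' )` followed by `->text()` would carry the same risk; none are visible here, so that is a search to run rather than a finding. The enclosing method starts and ends outside the hunk, so how the `$linksHtml` entries themselves are escaped cannot be checked from this page.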