fix: unescaped XSS in TabberTransclude page name

alistair3149 · alistair3149 · commit f229cab099c6 · 2025-01-04T15:48:41.000-05:00
GHSA-4x6x-8rm8-c37j
diff --git a/includes/TabberTransclude.php b/includes/TabberTransclude.php
@@ -151,7 +151,7 @@ private static function buildTabTransclude( array $tabData, Parser $parser, PPFr
 			if ( empty( $tabName ) ) {
 				$tabName = $pageName;
 			}
-			$tabBody = sprintf( '<div class="error">Invalid title: %s</div>', $pageName );
+			$tabBody = sprintf( '<div class="error">Invalid title: %s</div>', Sanitizer::escapeHtmlAllowEntities( $pageName ) );
 		} else {
 			$pageName = $title->getPrefixedText();
 			if ( empty( $tabName ) ) {

Original file line number	Diff line number	Diff line change
`@@ -151,7 +151,7 @@ private static function buildTabTransclude( array $tabData, Parser $parser, PPFr`
`151`	`151`	`if ( empty( $tabName ) ) {`
`152`	`152`	`$tabName = $pageName;`
`153`	`153`	`}`
`154`		`- $tabBody = sprintf( '<div class="error">Invalid title: %s</div>', $pageName );`
	`154`	`+ $tabBody = sprintf( '<div class="error">Invalid title: %s</div>', Sanitizer::escapeHtmlAllowEntities( $pageName ) );`
`155`	`155`	`} else {`
`156`	`156`	`$pageName = $title->getPrefixedText();`
`157`	`157`	`if ( empty( $tabName ) ) {`