SECURITY: Escape username in invalid username error

POST request with invalid usernames to SpecialScratchOAuth2 page in ScratchOAuth2 may lead to reflected cross-site scripting.
ScratchVerifier · Apr 12, 2021 · 1603f04 · 1603f04
1 parent d856dc7
commit 1603f04
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/includes/special/SpecialScratchOAuth2.php b/includes/special/SpecialScratchOAuth2.php
@@ -69,7 +69,7 @@ public function specialLogin( $error = null ) {
 			$username = $request->getVal( 'username', '', );
 			if (!preg_match(SOA2_USERNAME_REGEX, $username)) {
 				$this->specialLogin(
-					wfMessage('soa2-invalid-username', $username)->plain()
+					wfMessage('soa2-invalid-username')->plaintextParams($username)->parse()
 				);
 				return;
 			}