While working on T216348 I have found an issue with the messages userrights-expiry-current and userrights-expiry-none.
They were added with https://gerrit.wikimedia.org/r/c/mediawiki/core/+/328377 back in 1.29.
```php
if ( $currentExpiry ) {
	$expiryFormatted = $uiLanguage->userTimeAndDate( $currentExpiry, $uiUser );
	$expiryFormattedD = $uiLanguage->userDate( $currentExpiry, $uiUser );
	$expiryFormattedT = $uiLanguage->userTime( $currentExpiry, $uiUser );
	$expiryHtml = $this->msg( 'userrights-expiry-current' )->params(
		$expiryFormatted, $expiryFormattedD, $expiryFormattedT )->text();
} else {
	$expiryHtml = $this->msg( 'userrights-expiry-none' )->text();
}
```
The code is using Message::text here, as in many other places in the same function, but all the other places pass the text through Xml::element or similar, so it gets escaped.
Neither of the two messages here gets escaped.
The leak can happen when a user who does not have rights to change all userrights visits Special:UserRights and the table on the left side has unchangeable groups in it. The right column with the changeable groups is not affected and escapes correctly.
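The difference between the two output modes, as an added example that is not part of the original report or of MediaWiki core: `DemoMessage` and `renderCell` are hypothetical stand-ins, reduced to parameter substitution plus the `text()` / `escaped()` distinction, and the message text is constructed. It assumes the value ends up concatenated into HTML, as the variable name `$expiryHtml` suggests.

```php
<?php
// Hypothetical stand-in for MediaWiki's Message class, reduced to the two
// output modes that matter for this report.
final class DemoMessage {
	/** @var string[] */
	private array $params = [];
	private string $template;

	public function __construct( string $template ) {
		$this->template = $template;
	}

	public function params( string ...$params ): self {
		$this->params = $params;
		return $this;
	}

	// Like Message::text(): parameters substituted, no HTML escaping.
	public function text(): string {
		$replacements = [];
		foreach ( $this->params as $i => $value ) {
			$replacements['$' . ( $i + 1 )] = $value;
		}
		return strtr( $this->template, $replacements );
	}

	// Like Message::escaped(): the same text, HTML-escaped for direct output.
	public function escaped(): string {
		return htmlspecialchars( $this->text(), ENT_QUOTES );
	}
}

// Hypothetical helper mirroring how $expiryHtml is placed in a table cell.
function renderCell( DemoMessage $msg, bool $escape ): string {
	$expiryHtml = $escape ? $msg->escaped() : $msg->text();
	return '<td>' . $expiryHtml . '</td>';
}

// Constructed message text containing markup (not the real message content).
$msg = ( new DemoMessage( '<b>Expires:</b> $1 ($2, $3)' ) )
	->params( '12:00, 1 January 2030', '1 January 2030', '12:00' );

echo renderCell( $msg, false ), "\n"; // markup from the message reaches the page as HTML
echo renderCell( $msg, true ), "\n";  // markup is rendered as literal text
```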