authorsbassett <sbassett@wikimedia.org>2022-01-05 16:48:45 -0600
committersbassett <sbassett@wikimedia.org>2022-01-10 14:20:48 -0600
commit29d5d95eaf04d31edce34a762100c896cfdca5f5 (patch)
treeed87b9c9a5f8877a0d010e3f3ad9fcba331398f8
parent38f6a54c1c44199b4c7d6470c61298661218929b (diff)
SECURITY: properly escape output used within galleries and Special:RevisionDelete
* Sanitize $img->getDimensionsString() within TraditionalImageGallery.php
* Sanitize width, height, nbytes messages within RevDelFileItem.php

Bug: T297543
Change-Id: I586a052595ecdc976476d4330510750a59099648
-rw-r--r--includes/gallery/TraditionalImageGallery.php2
-rw-r--r--includes/revisiondelete/RevDelFileItem.php6
2 files changed, 5 insertions, 3 deletions
diff --git a/includes/gallery/TraditionalImageGallery.php b/includes/gallery/TraditionalImageGallery.php
index b5e155a1efac..9dc4579aa58d 100644
--- a/includes/gallery/TraditionalImageGallery.php
+++ b/includes/gallery/TraditionalImageGallery.php
@@ -214,7 +214,7 @@ class TraditionalImageGallery extends ImageGalleryBase {
$meta = [];
if ( $img ) {
if ( $this->mShowDimensions ) {
- $meta[] = $img->getDimensionsString();
+ $meta[] = htmlspecialchars( $img->getDimensionsString() );
}
if ( $this->mShowBytes ) {
$meta[] = htmlspecialchars( $lang->formatSize( $img->getSize() ) );
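Review bot: The new htmlspecialchars() call on the dimensions string relies on PHP's default flags, which only escape single quotes from PHP 8.1 onward, so its safety depends on where `$meta` is emitted, and that code is outside this hunk. If the joined `$meta` text can ever land inside a quoted attribute rather than element content, pass the flags explicitly, `$meta[] = htmlspecialchars( $img->getDimensionsString(), ENT_QUOTES | ENT_SUBSTITUTE );`, and make the same change on the formatSize() line so the two entries stay consistent. A one-line comment above the block, such as `// Every $meta entry must be HTML-escaped here; the strings are emitted as markup`, would make that contract explicit for anyone adding a third entry later. The enclosing method starts and ends outside the hunk.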
diff --git a/includes/revisiondelete/RevDelFileItem.php b/includes/revisiondelete/RevDelFileItem.php
index d4c1a013c7c4..851647a0629a 100644
--- a/includes/revisiondelete/RevDelFileItem.php
+++ b/includes/revisiondelete/RevDelFileItem.php
@@ -204,8 +204,10 @@ class RevDelFileItem extends RevDelItem {
public function getHTML() {
$data =
$this->list->msg( 'widthheight' )->numParams(
- $this->file->getWidth(), $this->file->getHeight() )->text() .
- ' (' . $this->list->msg( 'nbytes' )->numParams( $this->file->getSize() )->text() . ')';
+ $this->file->getWidth(),
+ $this->file->getHeight() )->escaped() .
+ ' (' . $this->list->msg( 'nbytes' )->numParams(
+ $this->file->getSize() )->escaped() . ')';
return '<li>' . $this->getLink() . ' ' . $this->getUserTools() . ' ' .
$data . ' ' . $this->getComment() . '</li>';