CVE-2025-32956: Mediawiki Htmlform Options Xss

Found use of unescaped localized message text (e.g., `text()` or `plain()`) as an array key in an HTMLForm 'options' array. HTMLForm outputs 'options' keys as raw HTML labels, introducing a Cross-Site Scripting (XSS) vulnerability. Use the 'options-messages' property instead, where keys are treated directly as message identifiers safely, or manually escape w
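As an added example (not MediaWiki's or the rule's own code), here is the flagged pattern next to the two remedies the description names. The message keys and the field name 'choice' are hypothetical, and `$this->msg()` assumes the descriptor is built inside a SpecialPage or similar context that provides it.

```php
<?php
// Added example, not MediaWiki project code. Message keys and the field
// name are hypothetical placeholders.

// VULNERABLE: localized text used as an 'options' key. HTMLForm emits
// 'options' keys as raw HTML, so any markup in the translated message
// reaches the page unescaped.
$vulnerableDescriptor = [
	'choice' => [
		'type' => 'select',
		'label-message' => 'myext-choice-label',
		'options' => [
			$this->msg( 'myext-choice-a' )->text() => 'a',
			$this->msg( 'myext-choice-b' )->text() => 'b',
		],
	],
];

// FIX 1 (preferred): 'options-messages' takes message keys; HTMLForm
// resolves and escapes the labels itself.
$safeDescriptor = [
	'choice' => [
		'type' => 'select',
		'label-message' => 'myext-choice-label',
		'options-messages' => [
			'myext-choice-a' => 'a',
			'myext-choice-b' => 'b',
		],
	],
];

// FIX 2: when the label must be built at runtime, escape it before using
// it as a key. Message::escaped() returns the HTML-escaped text.
$safeDynamicDescriptor = [
	'choice' => [
		'type' => 'select',
		'label-message' => 'myext-choice-label',
		'options' => [
			$this->msg( 'myext-choice-a' )->escaped() => 'a',
			$this->msg( 'myext-choice-b' )->escaped() => 'b',
		],
	],
];
```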

Provally Curated · Public repository · High · Medium confidence · Verified · Apache-2.0 · php
greprules fetch cve-2025-32956-mediawiki-htmlform-options-xss --engine opengrep

Detection target

Not provided

Recommended fix

Not provided

False-positive notes

Not provided
