HtmlString for handling of both HTML and plain text strings

wcfsetup/install/files/lib/acp/action/UserQuickSearchAction.class.php

@@ -11,6 +11,7 @@
 use wcf\system\menu\acp\ACPMenu;
 use wcf\system\request\LinkHandler;
 use wcf\system\WCF;
+use wcf\util\HtmlString;
 
 /**
  * Provides special search options.
@@ -179,7 +180,9 @@ public function execute(): RedirectResponse
         }
 
         if (empty($this->matches)) {
-            throw new NamedUserException(WCF::getLanguage()->get('wcf.acp.user.search.error.noMatches'));
+            throw new NamedUserException(
+                HtmlString::fromSafeHtml(WCF::getLanguage()->get('wcf.acp.user.search.error.noMatches'))
+            );
         }
 
         // store search result in database

wcfsetup/install/files/lib/acp/form/LoginForm.class.php

@@ -25,6 +25,7 @@
 use wcf\system\user\authentication\UserAuthenticationFactory;
 use wcf\system\WCF;
 use wcf\util\HeaderUtil;
+use wcf\util\HtmlString;
 use wcf\util\StringUtil;
 use wcf\util\UserUtil;
 
@@ -106,7 +107,9 @@ public function readParameters()
         if (ENABLE_USER_AUTHENTICATION_FAILURE) {
             $failures = UserAuthenticationFailure::countIPFailures(UserUtil::getIpAddress());
             if (USER_AUTHENTICATION_FAILURE_IP_BLOCK && $failures >= USER_AUTHENTICATION_FAILURE_IP_BLOCK) {
-                throw new NamedUserException(WCF::getLanguage()->getDynamicVariable('wcf.user.login.blocked'));
+                throw new NamedUserException(HtmlString::fromSafeHtml(
+                    WCF::getLanguage()->getDynamicVariable('wcf.user.login.blocked')
+                ));
             }
             if (USER_AUTHENTICATION_FAILURE_IP_CAPTCHA && $failures >= USER_AUTHENTICATION_FAILURE_IP_CAPTCHA) {
                 $this->useCaptcha = true;

wcfsetup/install/files/lib/acp/form/PaidSubscriptionAddForm.class.php

@@ -15,6 +15,7 @@
 use wcf\system\request\LinkHandler;
 use wcf\system\WCF;
 use wcf\util\ArrayUtil;
+use wcf\util\HtmlString;
 
 /**
  * Shows the paid subscription add form.
@@ -152,7 +153,9 @@ public function readParameters()
         );
 
         if (!\count(PaymentMethodHandler::getInstance()->getPaymentMethods())) {
-            throw new NamedUserException(WCF::getLanguage()->get('wcf.acp.paidSubscription.error.noPaymentMethods'));
+            throw new NamedUserException(HtmlString::fromSafeHtml(
+                WCF::getLanguage()->get('wcf.acp.paidSubscription.error.noPaymentMethods')
+            ));
         }
 
         // get available currencies

wcfsetup/install/files/lib/acp/form/RescueModeForm.class.php

@@ -23,6 +23,7 @@
 use wcf\system\WCFACP;
 use wcf\util\FileUtil;
 use wcf\util\HeaderUtil;
+use wcf\util\HtmlString;
 use wcf\util\StringUtil;
 use wcf\util\UserUtil;
 
@@ -104,7 +105,9 @@ public function readParameters()
         if (ENABLE_USER_AUTHENTICATION_FAILURE) {
             $failures = UserAuthenticationFailure::countIPFailures(UserUtil::getIpAddress());
             if (USER_AUTHENTICATION_FAILURE_IP_BLOCK && $failures >= USER_AUTHENTICATION_FAILURE_IP_BLOCK) {
-                throw new NamedUserException(WCF::getLanguage()->getDynamicVariable('wcf.user.login.blocked'));
+                throw new NamedUserException(HtmlString::fromSafeHtml(
+                    WCF::getLanguage()->getDynamicVariable('wcf.user.login.blocked')
+                ));
             }
         }
 
@@ -132,7 +135,9 @@ public function readParameters()
         )['count'] >= self::ALLOWED_ATTEMPTS_PER_1D_GLOBAL;
 
         if ($floodExceeded) {
-            throw new NamedUserException(WCF::getLanguage()->getDynamicVariable('wcf.page.error.flood'));
+            throw new NamedUserException(HtmlString::fromSafeHtml(
+                WCF::getLanguage()->getDynamicVariable('wcf.page.error.flood')
+            ));
         }
 
         // read applications

wcfsetup/install/files/lib/acp/page/LicensePage.class.php

@@ -18,6 +18,7 @@
 use wcf\system\package\PackageUpdateDispatcher;
 use wcf\system\request\LinkHandler;
 use wcf\system\WCF;
+use wcf\util\HtmlString;
 
 /**
  * Lists the licensed products and offers to install them.
@@ -98,11 +99,13 @@ public function readData()
                 throw $e;
             }
 
-            throw new NamedUserException(WCF::getLanguage()->getDynamicVariable(
-                'wcf.acp.license.error.parsingFailed',
-                [
-                    'licenseData' => $licenseApi->readFromFile(),
-                ]
+            throw new NamedUserException(HtmlString::fromSafeHtml(
+                WCF::getLanguage()->getDynamicVariable(
+                    'wcf.acp.license.error.parsingFailed',
+                    [
+                        'licenseData' => $licenseApi->readFromFile(),
+                    ]
+                )
             ));
         }
 
@@ -431,7 +434,7 @@ static function ($packageUpdateServerID) use ($trustedServerIDs) {
         $statement->execute($conditions->getParameters());
         $packageVersions = $statement->fetchMap('packageUpdateVersionID', 'packageVersion');
 
-        return \array_map(fn ($id) => $packageVersions[$id], $availablePackages);
+        return \array_map(fn($id) => $packageVersions[$id], $availablePackages);
     }
 
     /**

wcfsetup/install/files/lib/action/AbstractOauth2Action.class.php

@@ -16,6 +16,7 @@
 use wcf\system\user\authentication\oauth\exception\StateValidationException;
 use wcf\system\user\authentication\oauth\User as OauthUser;
 use wcf\system\WCF;
+use wcf\util\HtmlString;
 use wcf\util\JSON;
 
 /**
@@ -199,7 +200,9 @@ protected function codeToAccessToken(string $code): array
 
     protected function handleError(string $error): ResponseInterface
     {
-        throw new NamedUserException(WCF::getLanguage()->getDynamicVariable('wcf.user.3rdparty.login.error.' . $error));
+        throw new NamedUserException(HtmlString::fromSafeHtml(
+            WCF::getLanguage()->getDynamicVariable('wcf.user.3rdparty.login.error.' . $error)
+        ));
     }
 
     /**
@@ -263,8 +266,10 @@ public function execute()
         } catch (NamedUserException | PermissionDeniedException $e) {
             throw $e;
         } catch (StateValidationException $e) {
-            throw new NamedUserException(WCF::getLanguage()->getDynamicVariable(
-                'wcf.user.3rdparty.login.error.stateValidation'
+            throw new NamedUserException(HtmlString::fromSafeHtml(
+                WCF::getLanguage()->getDynamicVariable(
+                    'wcf.user.3rdparty.login.error.stateValidation'
+                )
             ));
         } catch (\Exception $e) {
             $exceptionID = \wcf\functions\exception\logThrowable($e);
@@ -274,11 +279,13 @@ public function execute()
                 $type = 'httpError';
             }
 
-            throw new NamedUserException(WCF::getLanguage()->getDynamicVariable(
-                'wcf.user.3rdparty.login.error.' . $type,
-                [
-                    'exceptionID' => $exceptionID,
-                ]
+            throw new NamedUserException(HtmlString::fromSafeHtml(
+                WCF::getLanguage()->getDynamicVariable(
+                    'wcf.user.3rdparty.login.error.' . $type,
+                    [
+                        'exceptionID' => $exceptionID,
+                    ]
+                )
             ));
         }
     }

wcfsetup/install/files/lib/action/AbstractOauth2AuthAction.class.php

@@ -29,6 +29,7 @@
 use wcf\system\user\authentication\oauth\Success as OAuth2Success;
 use wcf\system\user\authentication\oauth\User as OauthUser;
 use wcf\system\WCF;
+use wcf\util\HtmlString;
 use wcf\util\JSON;
 
 /**
@@ -73,11 +74,11 @@ public function handle(ServerRequestInterface $request): ResponseInterface
         } catch (NamedUserException $e) {
             throw $e;
         } catch (StateValidationException $e) {
-            throw new NamedUserException(
+            throw new NamedUserException(HtmlString::fromSafeHtml(
                 WCF::getLanguage()->getDynamicVariable(
                     'wcf.user.3rdparty.login.error.stateValidation'
                 )
-            );
+            ));
         } catch (\Exception $e) {
             $exceptionID = \wcf\functions\exception\logThrowable($e);
 
@@ -86,14 +87,14 @@ public function handle(ServerRequestInterface $request): ResponseInterface
                 $type = 'httpError';
             }
 
-            throw new NamedUserException(
+            throw new NamedUserException(HtmlString::fromSafeHtml(
                 WCF::getLanguage()->getDynamicVariable(
                     'wcf.user.3rdparty.login.error.' . $type,
                     [
                         'exceptionID' => $exceptionID,
                     ]
                 )
-            );
+            ));
         }
     }
 
@@ -266,7 +267,7 @@ protected function processUser(OauthUser $oauthUser): ResponseInterface
                 // This account belongs to an existing user, but we are already logged in.
                 // This can't be handled.
 
-                throw new NamedUserException($this->getInUseErrorMessage());
+                throw new NamedUserException(HtmlString::fromSafeHtml($this->getInUseErrorMessage()));
             } else {
                 // This account belongs to an existing user, we are not logged in.
                 // Perform the login.
@@ -347,9 +348,9 @@ protected function redirectToRegistration(OauthUser $oauthUser): ResponseInterfa
 
     protected function handleError(OAuth2Failure $oauth2Failure): ResponseInterface
     {
-        throw new NamedUserException(
+        throw new NamedUserException(HtmlString::fromSafeHtml(
             WCF::getLanguage()->getDynamicVariable('wcf.user.3rdparty.login.error.' . $oauth2Failure->error)
-        );
+        ));
     }
 
     /**

wcfsetup/install/files/lib/data/moderation/queue/ModerationQueueReportAction.class.php

@@ -8,6 +8,7 @@
 use wcf\system\flood\FloodControl;
 use wcf\system\moderation\queue\ModerationQueueReportManager;
 use wcf\system\WCF;
+use wcf\util\HtmlString;
 use wcf\util\StringUtil;
 
 /**
@@ -198,7 +199,9 @@ public function validateReport()
             new \DateInterval('PT10M')
         );
         if ($requests['count'] >= self::ALLOWED_REPORTS_PER_10M) {
-            throw new NamedUserException(WCF::getLanguage()->getDynamicVariable('wcf.page.error.flood'));
+            throw new NamedUserException(HtmlString::fromSafeHtml(
+                WCF::getLanguage()->getDynamicVariable('wcf.page.error.flood')
+            ));
         }
 
         $this->validatePrepareReport();

wcfsetup/install/files/lib/data/package/update/PackageUpdateAction.class.php

@@ -18,6 +18,7 @@
 use wcf\system\package\PackageUpdateUnauthorizedException;
 use wcf\system\request\LinkHandler;
 use wcf\system\WCF;
+use wcf\util\HtmlString;
 
 /**
  * Executes package update-related actions.
@@ -598,7 +599,9 @@ public function validateSearchForUpdates()
         $this->readBoolean('ignoreCache', true);
 
         if (ENABLE_BENCHMARK) {
-            throw new NamedUserException(WCF::getLanguage()->getDynamicVariable('wcf.acp.package.searchForUpdates.benchmark'));
+            throw new NamedUserException(HtmlString::fromSafeHtml(
+                WCF::getLanguage()->getDynamicVariable('wcf.acp.package.searchForUpdates.benchmark')
+            ));
         }
     }
 
@@ -728,7 +731,9 @@ public function validateRefreshDatabase()
         $this->readBoolean('ignoreCache', true);
 
         if (ENABLE_BENCHMARK) {
-            throw new NamedUserException(WCF::getLanguage()->getDynamicVariable('wcf.acp.package.searchForUpdates.benchmark'));
+            throw new NamedUserException(HtmlString::fromSafeHtml(
+                WCF::getLanguage()->getDynamicVariable('wcf.acp.package.searchForUpdates.benchmark')
+            ));
         }
     }
 

wcfsetup/install/files/lib/data/search/SearchAction.class.php

@@ -11,6 +11,7 @@
 use wcf\system\search\SearchResultHandler;
 use wcf\system\search\SearchResultTextParser;
 use wcf\system\WCF;
+use wcf\util\HtmlString;
 
 /**
  * Executes search-related actions.
@@ -84,7 +85,9 @@ public function validateSearch(): void
             $requestsPer24h['count'] >= self::ALLOWED_REQUESTS_PER_24H
             || $requestsPer60s['count'] >= self::ALLOWED_REQUESTS_PER_60S
         ) {
-            throw new NamedUserException(WCF::getLanguage()->getDynamicVariable('wcf.page.error.flood'));
+            throw new NamedUserException(HtmlString::fromSafeHtml(
+                WCF::getLanguage()->getDynamicVariable('wcf.page.error.flood')
+            ));
         }
     }
 

wcfsetup/install/files/lib/form/ContactForm.class.php

@@ -21,6 +21,7 @@
 use wcf\system\request\LinkHandler;
 use wcf\system\WCF;
 use wcf\util\HeaderUtil;
+use wcf\util\HtmlString;
 use wcf\util\UserUtil;
 
 /**
@@ -77,7 +78,9 @@ public function validate()
             new \DateInterval('PT10M')
         );
         if ($requests['count'] >= self::ALLOWED_MAILS_PER_10M) {
-            throw new NamedUserException(WCF::getLanguage()->getDynamicVariable('wcf.page.error.flood'));
+            throw new NamedUserException(HtmlString::fromSafeHtml(
+                WCF::getLanguage()->getDynamicVariable('wcf.page.error.flood')
+            ));
         }
 
         parent::validate();

wcfsetup/install/files/lib/form/EmailActivationForm.class.php

@@ -13,6 +13,7 @@
 use wcf\system\request\LinkHandler;
 use wcf\system\WCF;
 use wcf\util\HeaderUtil;
+use wcf\util\HtmlString;
 use wcf\util\StringUtil;
 
 /**
@@ -76,16 +77,16 @@ private function validateUserID(IntegerFormField $formField): void
         }
 
         if ($this->user->reactivationCode == 0) {
-            throw new NamedUserException(
+            throw new NamedUserException(HtmlString::fromSafeHtml(
                 WCF::getLanguage()->get('wcf.user.registerActivation.error.userAlreadyEnabled')
-            );
+            ));
         }
 
         // Check whether the new email isn't unique anymore.
         if (User::getUserByEmail($this->user->newEmail)->userID) {
-            throw new NamedUserException(
+            throw new NamedUserException(HtmlString::fromSafeHtml(
                 WCF::getLanguage()->get('wcf.user.email.error.notUnique')
-            );
+            ));
         }
     }
 

wcfsetup/install/files/lib/form/LostPasswordForm.class.php

@@ -21,6 +21,7 @@
 use wcf\system\user\authentication\configuration\UserAuthenticationConfigurationFactory;
 use wcf\system\WCF;
 use wcf\util\HeaderUtil;
+use wcf\util\HtmlString;
 use wcf\util\UserUtil;
 
 /**
@@ -119,7 +120,9 @@ public function validate()
             new \DateInterval('PT24H')
         );
         if ($requests['count'] >= self::ALLOWED_RESETS_PER_24H) {
-            throw new NamedUserException(WCF::getLanguage()->getDynamicVariable('wcf.user.lostPassword.error.flood'));
+            throw new NamedUserException(HtmlString::fromSafeHtml(
+                WCF::getLanguage()->getDynamicVariable('wcf.user.lostPassword.error.flood')
+            ));
         }
 
         parent::validate();
@@ -152,10 +155,10 @@ public function save()
 
         // check whether a lost password request was sent in the last 24 hours
         if ($this->user->lastLostPasswordRequestTime && TIME_NOW - 86400 < $this->user->lastLostPasswordRequestTime) {
-            throw new NamedUserException(WCF::getLanguage()->getDynamicVariable(
+            throw new NamedUserException(HtmlString::fromSafeHtml(WCF::getLanguage()->getDynamicVariable(
                 'wcf.user.lostPassword.error.tooManyRequests',
                 ['hours' => \ceil(($this->user->lastLostPasswordRequestTime - (TIME_NOW - 86400)) / 3600)]
-            ));
+            )));
         }
 
         // generate a new lost password key