Wikimedia

Fix several escaping issues in MediaWiki's "Gather" extension

See https://phabricator.wikimedia.org/T114274 for the full description.

This task consists of several parts:

In views/NoPublic.php and views/NotFound.php, the comment on getTitle() says it returns HTML, but the method returns a message's ->text(), which may not be safe. It should return ->escaped() instead, or, if the title is always output with further escaping, that should be documented.

views/Image.php: make sure the thumbnail URL doesn't contain \, ', or ) before concatenating it into the CSS.

views/Collection.php, line 100: revalidate that the id is an int before using it in the href.
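
The three checks above, one per output context, written out as an added example in plain PHP. It is not code from the Gather extension; the function names, URLs and base path are hypothetical, and a real patch would use MediaWiki's own message and HTML helpers instead.

```php
<?php
// Added example: hypothetical helpers, not code from the Gather extension.

/** HTML text context: a getTitle() documented as returning HTML must escape. */
function titleAsHtml(string $plainTitle): string {
    return htmlspecialchars($plainTitle, ENT_QUOTES, 'UTF-8');
}

/**
 * CSS url('...') context: refuse a thumbnail URL containing \, ' or ),
 * the characters that could end the quoted url() token early.
 * Returns null so the caller can render the item without a background.
 */
function backgroundImageCss(string $thumbUrl): ?string {
    if (strpbrk($thumbUrl, "\\')") !== false) {
        return null;
    }
    return "background-image: url('" . $thumbUrl . "');";
}

/** href context: use the id only if it validates as an integer. */
function collectionHref(string $basePath, $id): ?string {
    $valid = filter_var($id, FILTER_VALIDATE_INT);
    if ($valid === false) {
        return null;
    }
    // Concatenate the validated int, not the raw input.
    return $basePath . '/' . $valid;
}

/** Both attribute values are still HTML-escaped when the tag is built. */
function renderCard(string $title, string $thumbUrl, $id): string {
    $css  = backgroundImageCss($thumbUrl) ?? '';
    $href = collectionHref('/collections', $id) ?? '#';
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '"'
        . ' style="' . htmlspecialchars($css, ENT_QUOTES, 'UTF-8') . '">'
        . titleAsHtml($title) . '</a>';
}

// Constructed inputs: one well-formed card, one with a hostile value per field.
echo renderCard('My cats', 'https://upload.example/thumb/a.jpg', '42'), "\n";
echo renderCard(
    'Cats <script>alert(1)</script>',
    "a.jpg'); color: red; x: url('",
    '42" onclick="x'
), "\n";
```

Each value is checked for the context it lands in: validation rejects the URL and the id outright, while the title is escaped rather than rejected because any text is a legitimate title.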

Task tags

  • php
  • gather

Students who completed this task

Ananay Arora

Task type

  • Code

2015