In SpecialConstraintReport::buildResultHeader(), $entityId->getSerialization() needs to be escaped before adding to html
Description
Status | Subtype | Assigned | Task
---|---|---|---
Resolved | | Lydia_Pintscher | T99354 Review and deploy Wikibase-Quality-Constraints on wikidata.org
Resolved | | csteipp | T99355 Security review of Wikibase-Quality-Constraints - v1 branch
Resolved | | dominic.sauer | T101308 Ex:WikidataQualityConstraints - EntityId::getSerialization() is not guaranteed to be safe for HTML
Event Timeline
Change 216405 had a related patch set uploaded (by Soeren.oldag):
Serialization of entity ids is now escaped correctly.
Change 216405 merged by Jonaskeutel:
Serialization of entity ids is now escaped correctly.