Authored By
MaxSem
Nov 26 2014, 10:18 PM
diff --git a/resources/ext.popups.renderer.article.js b/resources/ext.popups.renderer.article.js
index 972fa6a..698c588 100644
--- a/resources/ext.popups.renderer.article.js
+++ b/resources/ext.popups.renderer.article.js
@@ -147,6 +147,8 @@
* @return {String}
*/
article.getProcessedHtml = function ( extract, title ) {
+ extract = mw.html.escape( extract );
+ title = mw.html.escape( title );
title = title.replace( /([.?*+^$[\]\\(){}|-])/g, '\\$1' ); // Escape RegExp elements
var regExp = new RegExp( '(^|\\s)(' + title + ')(\\s|$)', 'ig' );
// Make title bold in the extract text
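Review bot: The doc comment above the function (its `@param` lines start before this hunk) still describes `extract` and `title` without saying they are now treated as plain text and HTML-escaped on entry, so a caller who already passes escaped HTML will get double-escaped output. I would add a sentence to the JSDoc, `@param {String} extract Plain-text extract; it is HTML-escaped here, so pass it unescaped` and the same for `title`, and extend `@return {String}` with `HTML-safe extract with the title wrapped in <b>`. Escaping `title` before the RegExp-metacharacter escape on the next line is the right order, since `&`, `;` and `#` introduced by the escaping are not regex metacharacters and the boundaries `(^|\s)`/`(\s|$)` are unaffected. The rest of getProcessedHtml, including the replace that emits the `<b>` tags, is outside this hunk.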
diff --git a/tests/qunit/ext.popups.renderer.article.test.js b/tests/qunit/ext.popups.renderer.article.test.js
index 1ebd7e1..f6fdf31 100644
--- a/tests/qunit/ext.popups.renderer.article.test.js
+++ b/tests/qunit/ext.popups.renderer.article.test.js
@@ -2,7 +2,7 @@
QUnit.module( 'ext.popups' );
QUnit.test( 'render.article.getProcessedHtml', function ( assert ) {
- QUnit.expect( 6 );
+ QUnit.expect( 7 );
function test ( extract, title, expected ) {
assert.equal(
@@ -41,6 +41,10 @@
'<b>Brackets</b> ) are funny ( when not used properly'
);
+ test(
+ 'Epic XSS <script>alert("XSS")</script> is epic', 'Epic XSS',
+ '<b>Epic XSS</b> &lt;script&gt;alert&lt;/script&gt; is epic'
+ );
} );
} ) ( jQuery, mediaWiki );
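Review bot: The expected value of the new test case drops the `("XSS")` argument of the `alert` call, so it does not match what `mw.html.escape` produces from the input on the line above — the parentheses pass through unchanged and the double quotes become `&quot;`, which would make this assertion fail. The expected line should read `'<b>Epic XSS</b> &lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt; is epic'`. It is also worth a second case where the title itself contains a markup character (for example `A&B`) to pin that the escaped title still matches the escaped extract and is bolded. The enclosing QUnit.test callback starts before this hunk.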
