From 71a96739a9fd89cfbd77093132a7e8d564482733 Mon Sep 17 00:00:00 2001
From: csteipp <csteipp@wikimedia.org>
Date: Mon, 22 Jun 2015 13:04:14 -0700
Subject: [PATCH] SECURITY: Fix multiple xss
Bug: T103391
---
includes/SF_PageSection.php | 8 +++-----
specials/SF_FormEdit.php | 10 +++++++++-
2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/includes/SF_PageSection.php b/includes/SF_PageSection.php
index 0e02e72..c610c17 100644
--- a/includes/SF_PageSection.php
+++ b/includes/SF_PageSection.php
@@ -60,12 +60,10 @@ class SFPageSection {
$section_level = $this->mSectionLevel;
$section_str = wfMessage( 'sf_createform_pagesection' )->text() . " '" . $section_name . "'";
- $text = <<<END
- <input type="hidden" name="section_$section_count" value="$section_name">
- <div class="sectionForm">
- <h2>$section_str</h2>
+ $text = Html::hidden( "section_$section_count", $section_name );
+ $text .= '<div class="sectionForm">';
+ $text .= Html::element( 'h2', array(), $section_str );
-END;
foreach ( $wgRequest->getValues() as $key => $value ) {
if ( ( $pos = strpos( $key, '_section_'.$section_count ) ) != false ) {
$paramName = substr( $key, 0, $pos );
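Review bot: The three replacement lines mix two output styles: the hidden input and the heading go through `Html::hidden()`/`Html::element()`, but the wrapper is still a hand-written literal `'<div class="sectionForm">'`; for consistency with the escaping discipline this fix introduces, `$text .= Html::openElement( 'div', array( 'class' => 'sectionForm' ) );` reads as one uniform builder chain, and it is then clear that the matching close tag (not visible in this hunk) should be `Html::closeElement( 'div' )`. The heading content is safe as written: `$section_str` on the preceding line still concatenates the raw `$section_name`, but `Html::element()` escapes its third argument, which is what closes the injection the old heredoc had. Unrelated to the change but adjacent to it, the context line `( $pos = strpos( ... ) ) != false` uses a loose comparison, so a key matching at offset 0 is treated as a non-match; `!== false` is the intended test, though that may be deliberate here. The enclosing method of SFPageSection starts before this hunk.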
diff --git a/specials/SF_FormEdit.php b/specials/SF_FormEdit.php
index d387f3b..5c5a9e0 100644
--- a/specials/SF_FormEdit.php
+++ b/specials/SF_FormEdit.php
@@ -52,7 +52,15 @@ class SFFormEdit extends UnlistedSpecialPage {
if ( $i++ > 0 ) {
$text .= ', ';
}
- $text .= "<a href=\"$fe_url/$alt_form/$target_name\">" . str_replace( '_', ' ', $alt_form ) . '</a>';
+ $text .= Html::element(
+ 'a',
+ array(
+ 'href' => $fe_url . '/'
+ . rawurlencode( $alt_form ) . '/'
+ . rawurlencode( $target_name )
+ ),
+ str_replace( '_', ' ', $alt_form )
+ );
}
return $text;
}
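Review bot: In the new `href` expression, `$alt_form` and `$target_name` are now `rawurlencode()`d but `$fe_url` is concatenated as-is; if it comes from the special page's `getFullURL()`-style helper (outside this hunk) that is fine, but the origin should be confirmed since it is the one remaining unescaped piece of the attribute value. Separately, `rawurlencode()` turns `/` into `%2F`, whereas MediaWiki's `wfUrlencode()` deliberately leaves `/` and `:` unescaped because some web servers reject encoded slashes; if `$target_name` can be a subpage title such as `Foo/Bar`, `rawurlencode( $target_name )` may produce a link that 404s on those servers, so `wfUrlencode()` is the more conventional choice for title components. The attribute and link text are otherwise correctly escaped by `Html::element()`. The enclosing method of SFFormEdit starts before this hunk.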
--
1.8.4.5
T103391: Reflected XSS vulnerabilities in Semantic Forms