Page MenuHomePhabricator
Files F2880203

0001-Make-jqueryMsg-parser-sanitize-urls-and-style.patch
Bawolff (Brian Wolff)
Actions

Authored By
Bawolff
Oct 27 2015, 8:38 AM
Size
3 KB
Referenced Files
None
Subscribers
None

0001-Make-jqueryMsg-parser-sanitize-urls-and-style.patch
View Options

From 4e28c50b934a7f9fdc18e78b27104a98d75365a4 Mon Sep 17 00:00:00 2001
From: Brian Wolff <bawolff+wn@gmail.com>
Date: Tue, 27 Oct 2015 01:39:34 -0600
Subject: [PATCH] Make jqueryMsg parser sanitize urls and style
Previously you could leverage the style attribute, and external
links to execute javascript.
Change-Id: I6f15ece1db136369e06dfeee34d1a0c5bc03e32b
---
resources/src/mediawiki/mediawiki.jqueryMsg.js | 21 ++++++++++++++++++--
.../mediawiki/mediawiki.jqueryMsg.test.js | 23 ++++++++++++++++++++++
2 files changed, 42 insertions(+), 2 deletions(-)
diff --git a/resources/src/mediawiki/mediawiki.jqueryMsg.js b/resources/src/mediawiki/mediawiki.jqueryMsg.js
index de63a18..0fc994d 100644
--- a/resources/src/mediawiki/mediawiki.jqueryMsg.js
+++ b/resources/src/mediawiki/mediawiki.jqueryMsg.js
@@ -699,6 +699,12 @@
attributeName = attributes[ i ];
if ( $.inArray( attributeName, settings.allowedHtmlCommonAttributes ) === -1 &&
$.inArray( attributeName, settings.allowedHtmlAttributesByElement[ startTagName ] || [] ) === -1 ) {
+ return false;
+ }
+ if ( attributeName === 'style' && attributes[ i + 1 ].search(
+ /[\000-\010\013\016-\037\177]|expression|filter\s*:|accelerator\s*:|-o-link\s*:|-o-link-source\s*:|-o-replace\s*:|url\s*\(|image\s*\(|image-set\s*\(/i
+ ) !== -1 ) {
+ mw.log( "HTML tag removed from message due to dangerous style attribute" );
return false;
}
}
@@ -1104,7 +1110,8 @@
extlink: function ( nodes ) {
var $el,
arg = nodes[ 0 ],
- contents = nodes[ 1 ];
+ contents = nodes[ 1 ],
+ target;
if ( arg instanceof jQuery && !arg.hasClass( 'mediaWiki_htmlEmitter' ) ) {
$el = arg;
} else {
@@ -1116,7 +1123,17 @@
} )
.click( arg );
} else {
- $el.attr( 'href', textify( arg ) );
+ target = textify( arg );
+ if ( target.search( new RegExp( '^(' + mw.config.get( 'wgUrlProtocols' ) + ')' ) ) !== -1 ) {
+ $el.attr( 'href', target );
+ } else {
+ // What is proper thing to do here
+ mw.log( "External link in message had illegal target " + target );
+ return appendWithoutParsing(
+ $( '<span>' ),
+ '[' + target + ' ' + textify( contents ) + ']'
+ );
+ }
}
}
return appendWithoutParsing( $el, contents );
diff --git a/tests/qunit/suites/resources/mediawiki/mediawiki.jqueryMsg.test.js b/tests/qunit/suites/resources/mediawiki/mediawiki.jqueryMsg.test.js
index 4f273bc..6581c8c 100644
--- a/tests/qunit/suites/resources/mediawiki/mediawiki.jqueryMsg.test.js
+++ b/tests/qunit/suites/resources/mediawiki/mediawiki.jqueryMsg.test.js
@@ -1077,5 +1077,28 @@
assert.equal( logSpy.callCount, 2, 'mw.log.warn calls' );
} );
+ QUnit.test( 'Do not allow js urls', 3, function ( assert ) {
+ mw.messages.set( 'illegal-url', '[javascript:alert(1) foo]' );
+
+ this.suppressWarnings();
+
+ assert.equal(
+ formatParse( 'illegal-url' ),
+ '<span>[javascript:alert(1) foo]</span>',
+ 'illegal-url: \'parse\' format'
+ );
+ } );
+ QUnit.test( 'Do not allow arbitrary style', 3, function ( assert ) {
+ mw.messages.set( 'illegal-style', '<span style="background-image:url( http://example.com )">bar</span>' );
+
+ this.suppressWarnings();
+
+ assert.equal(
+ formatParse( 'illegal-url' ),
+ '&lt;span style="background-image:url( http://example.com )"&gt;bar&lt;/span&gt;',
+ 'illegal-style: \'parse\' format'
+ );
+ } );
+
}( mediaWiki, jQuery ) );
--
2.0.1

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
2891830
Default Alt Text
0001-Make-jqueryMsg-parser-sanitize-urls-and-style.patch (3 KB)

Event Timeline

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits