F32249763
T262213.patch
nray (Nick Ray)
Authored By: nray, Sep 7 2020, 10:03 PM (2020-09-07 22:03:21 UTC)
Size: 8 KB
From 099756f2aad2ecdd21e2cbda4b014ad483820fcd Mon Sep 17 00:00:00 2001
From: Nicholas Ray <nray@wikimedia.org>
Date: Mon, 7 Sep 2020 15:45:28 -0600
Subject: [PATCH] Remove regex section line replacement from PageGateway
This line seems to be doing more harm than good as it can convert inert,
escaped HTML into HTML that is vulnerable to XSS. If this HTML gets
sent to jQuery's `parseHTML` method, image callbacks can fire even
without the element being appended to the DOM.
Apparently, it was added back in 2014 in commit
78f85803f64ae3ecedbecb38473ee70606fca5c9; however, its continued use is
questionable at best and it has no obvious usages.
Bug: T262213
Change-Id: I42e079bc875d17b336ab015f3678eaedc26e10ea
---
resources/dist/mobile.common.js | Bin 49899 -> 49837 bytes
resources/dist/mobile.common.js.map.json | Bin 214540 -> 214353 bytes
src/mobile.startup/PageGateway.js | 3 ---
3 files changed, 3 deletions(-)
diff --git a/resources/dist/mobile.common.js b/resources/dist/mobile.common.js
index ab13bd4d41c6253b54b03932f83428d04eb16a65..e99aa7f2fefc638474ca91cf8db65ddf8a8e1eff 100644
GIT binary patch
delta 14
VcmaFe%DlFfdBX+!&3q1bn*cNB2FL&a
delta 77
zcmZ46%KW;OdBX*JyR!Vu6a@oCTiaB<oXosbH8l+g1IpJcN-fAqOitC%w~5iWPmD>5
Xj<bu^veQr3QBu;>)Y*K&{%#WhC!-pS
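Review bot: the committed build artifact resources/dist/mobile.common.js cannot be reviewed line by line, so the only evidence in this hunk is the size header (49899 -> 49837 bytes, a 62-byte shrink), which is consistent with dropping the three-line regex block but does not prove it. The reviewer should rebuild from this exact source and confirm the regenerated bundle is byte-identical to the one committed here; otherwise the shipped bundle can keep applying the replacement after the source has removed it.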
diff --git a/resources/dist/mobile.common.js.map.json b/resources/dist/mobile.common.js.map.json
index 09b6be47445dc1ae8adcb46049b8e5d2d311fe4c..6a0180edf0dbf840164d254253c0553c9b0b624a 100644
GIT binary patch
delta 3734
zcmaJ^ZETxY6_%UA9FViot}X5Qv3{(hikaiDI95m3`(8Va{pR)SkJyg0wwc>Hj=#SX
z=UrJrYBw=epzdnp2kVc4)D@(5X<twQO>48IE8-VOt27A^0wnk`Y3dLDApz%{>!hWc
z`1ShUd+s^UdCtc@zHq_z``2yDm$#W$w|!>WSSi->=9}Ap{K8`ep0?}ED~@EhZVxf;
zRhT`<SiG*-vy7dxhgqnhB*gXXH}}SICp#aq#~JS_i{mJlm7DeuW1)!nPj=?4J5W;W
zNyd^*1qBKUU;BXe9tVXiynsjCrQpJ;v`H{u2>}jXQ_3N{knc>|RmQaLBtmE@bcLn*
zvV>9IU`a3@^m1bYt)|4MGdr@LD5}t6c8xI|?sH#2dqimnm68hur9}YxF6TmUp%`fK
zaXUx&Q+QFjnQI93#hqvKfRn|03Vgx~+z5a`GC?kvNnwryBHmJZG4w!PjG>zvLJrNK
zFmM>Nr{Dty;tNVSX3wJ`)R38vzzLAxBoed{1d}^mjM(b{rpZxeFjI=47QHO)znK1p
zJBD!dx=M6O1X&gJXIdnmB*kq}JNCTSkEHU`MU8|fP>mV}mcldiJKhL@y+C9bW5!bm
zna>#F&&PHTjS@#B984JEtH+<VxP<-qc56-QY76c7_AL&Hte_$TH5u%Nco~Gt;_c(E
zvn>_$Co$oosuYTJC_hvWM>mr8t^)YHa&MH|iwa{^C59pHDUXPrV!?zX{t(AuUlgfU
z7d4P)`WVOfYvewK#4EHD-^zJ|<aRUI=d{n}k_rHV&VW6`AoNJ7KS6?H<FLgtb<Lh*
zc>~gU5il*ua5*UX`i>T4s?3YePCR2-5?`C$ddN+V#Qi#<G!!Tu7OzgB`Z!WF&!s?3
z#Af$d0XGChGlVgFa6h2O{HKJ`T8N0xK$751fR1t%@zHG5(M|LL0Tu|PGeEhob2OEz
zC+s2naFlm+C`zaU-W5k*`uX5ug7UAI5IMeCJdyKQX(yaE%*ov68#Vz@Vh*S{iHwFl
z=H%&vmLYe5FaaM>JRb8q`2~y3qoXWVSv)Z!1_~3K+uHi=hD?FBI8oR)<f3}Oct9WM
zi0>CJ4Em%(N8H>$|K!H6dlIN$@5Io*cpK$;L-8hrUO9(#((g#Tq<D#{xCev6@)Y%s
zY&#V0Ad*`O82vm7Q0HohE!ECoooY{OCCxXguWqoqWaW;SPd98|8hQx&yizp}cjq_Q
zoH7t-=+vlKUQDg;0GwRc+|=8%aTByBj27C-1Gm9+OYk$Zw(^vu0!zCp-aB*u@exW`
zjS{=86wPbjK4^JF;a^_4_+=Y7Pf4P()ajNudw%P7PeksZE~>8z_0MokTs!X=Y(~*#
zx8fFmKcBRE<n4~hUS$JE3IRN8DTYjFXzkD)QccW2NW%;Z0(CkIFt02o=xiACI_5Uh
zYUb_lz5JN9O?OXq1iyIB=AazQk(gnAa`9gSw(7VfKxM(0A^!MgeD@OZrY}$@)4L%&
zR~Mt?L}yN{h%Mr!xAq+99}I^vVUzX()W4y~3|PD5H-GY$&te7Ykdm_b*B}0AVCNVC
zN<#Y~zX?nEBqfeR{NYDOH#Fkn;-wv?@9lpK9)bD+sW}oFjiXSik%kXH*~AZv`)O0{
z1%MiUvYW!qEHoGRsKese<!5)dW!o@Rz!_}t5oxL<DJ_b3E?0f?a#4cL0xhDg6y=rn
zxV;SPd}$ig1)Y4UNVOPQvnhh_9tsqx(A9DRn@z4FHNgrag=Ns<lL#i`lbF^{z$>TH
zm-dMp@8+Ea9pyB5TX;ojg)oNUCdEL7ZU9|ms*=Vu&5cQmO)+t0pVdVXRSnU)vT9qJ
ze2}$WlmGOSfnAO%Byiyi-ZVbl6P~M0x1S^+lQ4Ix^qeH;rzz-5(0tGjLqq#+rA4Q@
zOMH6Od$dh{sl^nEWWh?Xq?Cw%d@GpNl&a{ohQFa{(lgsX7TUF)A%KUG`kxC}C!j9m
z?AuezXad}q%3*~a65X2XZ&k(ewP9-m_p*tm`L}CZE!G8+))$3kxf7{J5MQ7m>2!}H
zP4Oy8Bx@;H1?OCtX}QFRPW^(KkyEOm6m&>_I^x#y9*0jN31UV~xoDAE-viZJm->AY
z+~R(vE^OD8H9Rhnx$a^;w8`R2bTw$Cus)K=1ik5QrH!s+5(Z9IQ0d4>MTafO3<}e*
z`0aJa;Zho+6l^GkG#mw(d~v*G>S+DxW$k5k%S{&q6w);77oHo=V}Kk>w>CpDD9@1R
z>rTU?TH)Aa#yhecs#)sB?kT#}!Jeafl_X`#A}EI3%)%k$ZL*LSD>n`wg;khk45gSx
z7gFR0fCfJrM37#HkS<^LVI?`Z1`lF`yT$Y7xYZFxc)Cx#Zte=T(#UCq#z=i>g07uJ
zE_E+f3=CjUXMiA7t;#32Lv2EBX=JELuaDX?KR16pu>ORI<(p&c3-kWXUs@ilmVb3(
z<K{~CK^#;>qYaC_ADr3K!F@hg&JsfRJeuUOF`T71D`ds{A583OVQE0Ef6-9c6nk$S
z8iMwMgRo@8DW-1)EH!cI);5bz{Nh%@D#y^UPaL?t-|3XoBHD?zrzI+=jRZ{%$q14Y
z^=FU}IX+cI?{>6ULkp0Jlsg6$q28j2l2mA8)SGng1SkwgD-jtD8h_UkXq1>cMcs+l
z`!DOGC>p}CvhA@dS?h>bZtoC<mFKKIY@d+q;?l}9n|nB|u{Z-jDvnbV+LE}pa$wEN
zqOg2;c>e<No$L~?VOXI*57ktM8|LhXie<1I1*qJ?o8o65#YUZIXq-77axfGduF(KY
zuT7LXIsNgdD>%$n6gDhIRu5a<5@SQOR}WfYc!v~<_ryD^d#v!xVZhzuH>=NCi}FpJ
z7yn+}znS93lA#A|FA2|`IT_CojAG!ZIwG#z;e#Lw<Fmob;-7b(^+P*HLe?mVuo1GZ
zx27Mca?w_(G=q_I%E*<)<9DBWqA-bDZUr7A(4rT`*^i&v;+(;lVa$UI9A?}Q40U7T
zy^mkm`~Q`4fCNgvB9$&EBje(`Z#*d`?)rz;R6>s{!OZxByT5z?wR`6*H}9R>;9L1G
D{%K%*
delta 3817
zcmaJ^ZETa*6_yh=oK6W70YYdgflxjcgY6_v;sq%8y>=Yu&Fj~%9Vc-JFq1g`j=$~1
z(6XtpX;Y=OyJ|bF-Ipd&rmlRs66?mGjFe59CUw&Ot=qI;`!NZo{n&nVLObVNn~$oR
z_z~axp7WgNoO{0b!?)UBe!2b1g|2n!#B#L$ldgNF`ggm3`26||pSI}CDvpG=95)#E
zRdkD&v7}PgEpEn)tO8&8Tuy18RL1ltPU@V+U@T}!D2$~Pi^|+9t^i5r6-$`01;F#<
zlqr!3AJ`ehn{d(tDttw$j-gywURpeic_zg#!*fqLT}j0f1kj?`F}H1e1&#B51&P^}
zGEs>xdyv?&lJOu$v@!{nnO2=dYXyZ=Sg0Y(NMu=jZSKI?As-&JfJFmGK$s7^$kWFV
zJcvNlVoFImE?tRuKq2cY@G%Q#ET&8&l%yXiDBu9E@i5&LCK2CAP2wr0#4w7?s412y
zop~#~=7RfRfPBo5r3gp$f>QINAL^<foz;-IXAXrSXnsow{(xnpqGbG*C;}tGOj3OH
z*yb&%2}>4O<vHD@Cs0Yxh<A=n?{oOkyq;AlM$%wdMYx#~i3driEcVYIGFvf{d@&_5
z^IJC;T)@LM5km?*gmn0vU3_o;*^UtkjOqnH-2uC}JKy6UoS;k~y6{0~p14BM4(2qn
zT-HF^Gc^vF3jw{EG3Y{ECAtX}qp-};d2c}s9q%z^#LV&jvn3U-f|#j3RSHd1II5^a
z9DNH~$_kJkmUknZurrDu;M^<9r$iTkaXj!?oV`vTT2!kV$TPi<<Kt-*6M7bhFrPRa
z8FrJwqPr32Mu=@H5OCXFmKg?lfpNA{`l};jaK&cwnkB-bHHBNMP$8@G$>LMUtl?;4
z3W38(apA;sM{Q&!)Sv*EOB4(Td1g3uq78`zHD_d}(4K)Yi*qTE6JI#F%e<-~qGlJ4
zlY4r-6nh(e*Gfo{&ovSfd_lQo@#0CJwHjzJ1acbl+FkT^I!9BXe8A$d^!a#Ahth<q
z;YIPu$@kh;1C*4tfQax;@w=}Kn(4+nZLhD7+-ungbx5HEKTeS!{q^;WdrTb=E-Y6F
z5R_VfeKcAzwGZhii#2HkR>jSw@lMJYlHxg;6M4}c+qGekiUc2sukean?2K&_i?Mv0
zL!!n5^}ob6t=pO+G2KDIFa|LPc}_|D#Z&2XJE4La&50+KVJR|%PsO50RIP~1>2C9g
ziyBrze3UM=*)()k8}Qe)%-37YgR*{C>wn6&f3D*(u5l$*|92_g(q7}zO8{LM6sc<H
z;SHFM6zjjQ?pU`GIt+yZuA+eNo-T<8r%$$L@DUnGm=eh||J=}TNI}_XWA(%fdrY4K
zeCx$mKfk+7)sDiU#nJ>-Ik**^^<z4Q;pfcUkTA}7nQ|g=-r835Vg3v#4)NpjLGzGQ
zuGIf~p0yrHxbRy+vCE8xVE_RL6*1!=?Pi!8$m`6-hKZUAuZ@M958`(%S3mvD)9cM;
z(p{*C2d|uKheCsdi;$ST{_R&kX>HGrNw;8d`0e72*NiQYst^%<g*v-l_25Y@iwCbA
z+TA#ec&XD^Vo>xorQ}D@rl7Tc;`L#Z8KQ-?k*I(FjX$?O(?=w*50S5AKXnS#45xVg
z&7&;^L;UEiZS{Y>`S-RXxiOTIbvJ0BP$-A3o}bE7$2Y)TxKyEwhv2dt!c*8OFGobz
zg}u*~Wv{TSz|)=MHfai)4(i3k{DsU`tCUYeJAuAXR8mqUFaCC+%iOf^owxV9QnH~Y
z0{DKBq{M&|J_Uq^7dTCs8HWUHegPNkN<-QyGH*xi2^w@7Oc0({N*;V9Z;^tmW&+q2
zrqa`x?vXxeF)Lax?lKS3lc{!b;Nn`ljpmwcjm7$di+^n0?!;EcE1xmB_-sww|5?6c
zm?R)oFga3U`Q7d2+&D%;w+ZpC<7k=qtFaKe6b3YRQi)SgvFkG}OTt0=n#SMI?PzE=
zJ`3}uXFNayWBY^xP8NXk*cE9{O`r)rm6YIc!q$fLml{_ok-F4pUdFp{AY1>zr7b3N
ziKO+ixN*5Ok)J?*u0CnsK88hVq(~x|4#CO2WW)4{1Z+B#8f-sEq9!3IudFf-6;Zpg
zW3xjtabucH+2{~*h)Y+xVeb9*iqf=g6C1DgvkKxfqe^1#l@KO)5WU7B>>W_@NP8ww
z!_5fFlU4&AuHdyP^dsW@RqJSc8j{AHQ~FTa#ptOu2W@W6y`wn~2dFiv{m}BUbqtI9
zSM4U7*m-S}=b=Y1`_dd+!B|Bma3)MG(>_HdTEWhsI+P$4aTSmt!NTwnk}ud75@)WB
z9)*(^Vx+{Tk#mTM14|$dizc|D_sMb}4nGbO0X1+t#~tE7*T&kMUdkw^Ax!UW^Oh8-
zSQt|iwEF4Qand}6@zVz|^I>y@f&~(uOoogY1*&beq!I5TO$4=6|7raftq)thNL?R!
zc&NW~{pY4fr_}o=)^#Ssk77?NjW!}a{?(Zs1-$1=3EB?zfjFAv{ytpNIP04g)tlqn
zbC~*2v!AsBX2r)h_jkl+LBj2jK^YL8w_M%nS@4XP6c4(F^As`;L*^8@TQRd-BfU=X
z*IT{qHM#zwWnW%w_@JwOct&brrliEc2fnia2OOL-Um&}&NMV-+6SD}b^-+(}hsWXM
z^}z;&t+{DME>SQ<L2H4!42Nx$h8x)=2m>oHuq=NwL>_N&2No?rqvf{GT$x1-qbg=^
zKi65o1&bLBn5nq%jB8c#%I)1v=VIc<?a|&61wL4$0DIwt;ehoYG=rE3C2p^8`?X?f
z%lOcym1jltj=!yjhQ?UjBW~X5-URUlvpBu7u-oe_t*{aCk2|AgyW~?42iNwP`>Asp
zH8H=o!wdrnR5XWpY3-mnB_~!=yua4lNsq;XkDQySiu-Fz@)13-!2vaORV;kS+dvey
z+Zs=Z%OCD_!m5SNH{G3Jt7Kiz%|3c98(n$gbNF0#`CJLH;qKF4Oibd{fRdp7T#tz_
z-+g*>ZB9Nzkhv=yR!|SDSVJOt_xYXwACv<n0Bw_?6=hZ2yX)&{qCw9}!tyrpn~!ds
zO)T~7>nTPTN{Q_9LHsXf&(6b#d&<j;(Iq%6_U!LDJ-<9(!hcUl9ezUTU?G}IM;4;{
ydaQ@$=dI62=I2ixJ8|UrmyTFtmY%(Pd-jh?lo#ZmCRFhoz2{8Vd(X8Ty!}5m;DNOO
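Review bot: the source map delta (214540 -> 214353 bytes) must come from the same build that produced the bundle above; a map regenerated separately will point at the wrong lines and hide the removed replacement from anyone debugging the minified PageGateway code. Confirm both dist files were emitted by a single build of this commit.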
diff --git a/src/mobile.startup/PageGateway.js b/src/mobile.startup/PageGateway.js
index 091cb6b3b..dd2e0758d 100644
--- a/src/mobile.startup/PageGateway.js
+++ b/src/mobile.startup/PageGateway.js
@@ -52,9 +52,6 @@ function transformSections( sections ) {
// if the first section level is not equal to collapseLevel, this first
// section will not have a parent and will be appended to the result.
sections.forEach( function ( section ) {
- if ( section.line !== undefined ) {
- section.line = section.line.replace( /<\/?a\b[^>]*>/g, '' );
- }
section.subsections = [];
if (
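Review bot: no regression test accompanies the deletion, and the three removed lines are the only change to src/mobile.startup/PageGateway.js in this patch. A unit test asserting that transformSections() returns each section.line unchanged (escaped entities and any anchors included) would both document that callers no longer get anchors stripped, which the message says nothing depends on, and stop the replacement from being reintroduced by a later "cleanup".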
--
2.20.1
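The commit message above explains the defect: running a tag-stripping regex over an already serialized HTML string can make new markup appear that the original string never contained. The following is an added example, written for Node.js and not code from this patch or from the MobileFrontend repository, that turns that observation into a reviewable property check. It keeps the removed regex verbatim as stripAnchorsWithRegex, models the post-patch behaviour as passThrough, and defines a property any HTML-rewriting step should satisfy: the set of tag names a parser would see after the step must be a subset of the set it saw before. The input line, the function names and the constructed values are assumptions for illustration; the fused tag produced here is a harmless <b>, which is enough to show why the replacement had to go.

```javascript
// Added example (not part of the patch): a regression property for any
// HTML-rewriting step, illustrated with the regex that the patch removes.
// Runs under plain Node.js; no DOM, no jQuery.

// The exact replacement that src/mobile.startup/PageGateway.js used to apply.
function stripAnchorsWithRegex(line) {
  return line.replace(/<\/?a\b[^>]*>/g, '');
}

// After the patch, section.line is passed through unchanged.
function passThrough(line) {
  return line;
}

// Collect the lower-cased names of every tag an HTML parser would start
// on: "<" or "</" followed immediately by a letter opens a tag.
function tagNames(html) {
  const names = new Set();
  const re = /<\/?([a-zA-Z][a-zA-Z0-9-]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    names.add(m[1].toLowerCase());
  }
  return names;
}

// Property a rewriting step must satisfy: it may remove tags, but it must
// never make a tag name appear that the input did not already contain.
// Returns the sorted list of newly created tag names (empty when safe).
function newTagsIntroduced(transform, input) {
  const before = tagNames(input);
  const after = tagNames(transform(input));
  return [...after].filter((name) => !before.has(name)).sort();
}

// Constructed input (assumption: illustrative only, not a value taken from
// the bug report). Inert "<" and ">" characters sit on either side of an
// anchor whose contents are plain text; deleting the anchor tags fuses the
// neighbours into a brand-new <b> tag that no parser saw in the input.
const CONSTRUCTED_LINE = 'Release notes <<a href="#x">b</a>> 2020';

// Run both transforms through the property check.
function demo() {
  return {
    regex: newTagsIntroduced(stripAnchorsWithRegex, CONSTRUCTED_LINE), // ['b']
    passThrough: newTagsIntroduced(passThrough, CONSTRUCTED_LINE), // []
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(stripAnchorsWithRegex(CONSTRUCTED_LINE)); // 'Release notes <b> 2020'
  console.log(demo());
}
```

The check is deliberately cheap: it does not try to decide whether the fused tag is dangerous, only whether the step invented markup at all, which is the condition the commit message describes. The same property can be dropped into a unit test for transformSections() to guard the deletion in this patch.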
File Metadata
Mime Type: text/plain
Attached To: T262213: XSS on Pages viewed on Mobile (CVE-2020-26120)