F32249810
T262213.patch
nray (Nick Ray)
Authored By
nray
Sep 7 2020, 11:13 PM
2020-09-07 23:13:03 (UTC+0)
Size
8 KB
From ae1326e2df02f5112324bb882b2240b251b3c008 Mon Sep 17 00:00:00 2001
From: Nicholas Ray <nray@wikimedia.org>
Date: Mon, 7 Sep 2020 17:09:53 -0600
Subject: [PATCH] Remove regex section line replacement from PageGateway
This line seems to be doing more harm than good as it can convert inert,
escaped HTML into HTML that is vulnerable to XSS. If this HTML gets
sent to jQuery's `parseHTML` method, image callbacks can fire even
without the element being appended to the DOM.
Apparently, it was added back in 2014 in commit
78f85803f64ae3ecedbecb38473ee70606fca5c9; however, its continued use is
questionable at best and it has no obvious usages.
Bug: T262213
Change-Id: Ibbe572b00d3baf70a77b682bd7e4361e0d72379d
---
resources/dist/mobile.common.js | Bin 49873 -> 49811 bytes
resources/dist/mobile.common.js.map.json | Bin 214251 -> 214064 bytes
src/mobile.startup/PageGateway.js | 3 ---
3 files changed, 3 deletions(-)
diff --git a/resources/dist/mobile.common.js b/resources/dist/mobile.common.js
index 3895ca5ea53751a206e636ace1c08d1804ac9330..9f33d3101dae9186e99cbe5a41ebed6d5635cc8f 100644
GIT binary patch
delta 14
WcmccE$~?K1dBZmQ&0p;AHUR)MI|p9?
delta 77
zcmbQ-%6zevdBZk)yR!Vu6a@oCTiaB<oXosbH8l+g1IpJcN-fAqOitC%w~5iWPmD>5
Xj<bu^veQr3QBu;>)Y-hv{%#Wh5Xl-O
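Review bot: the resources/dist/mobile.common.js change arrives as a git binary delta (49873 -> 49811 bytes) and cannot be reviewed line by line, and the same holds for the mobile.common.js.map.json delta that follows (214251 -> 214064 bytes). Since the only source change in this patch is the three-line removal in src/mobile.startup/PageGateway.js, please confirm the bundle and source map were regenerated from that source change alone, with no other local modifications, and consider naming the build command in the commit message so the dist diff can be reproduced.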
diff --git a/resources/dist/mobile.common.js.map.json b/resources/dist/mobile.common.js.map.json
index 86d813db59ed4eab04242bfc03e0cf8995282a51..71132794a07088a670ac3adf121e2c93de8a6747 100644
GIT binary patch
delta 3885
zcmai1Ta1&}5tbJy-bxE?mK2Df5Uxe**0=R~SI~rWj=jG8`}_B0ZDR-6n8oY6*SFpE
zy0kP(AdS>kA_vGr`_P9LQmIhjM<Pk10PPZ__MuY6LtiRYt)f0eYMYlzRbM(Y$GcF9
z+L!(JoHJ+Uo0)HBjz4{C=*D-3Zd}=FUfcSqWqq|&&zqOFpMQC*AW}Aic{p<jo1d{n
z&X$0`_$TeR1(<*n+>gz3TZXY&TZjc3JT5O~zWQPecQTzxTa1Y=ANQkNMs31P76{8f
zXR>GAzA`7BO^yNuPImAE+PeZ2vd|(P2^YtOlebAQ-<<?tqRy8l@m{_&Wz!hb7p4$G
zi_;aB?8_2HbpyZ$nBODnA+(y5A7)?3j7Cs}9<}L=8E{{Cefm>M1E`cN6?lsP^j*#c
z;6lmQ5|cK8@Tc*jax>SE_E&bC%>zyr>vH&n7Ddko0*N@eTp@)ya<#>~QS?AtilUo3
zLJnk6m}QDlTM|BCAhyUWQCl7jQ4We>IDsHI11P9F5KQiLDQueuFin9ngXwY@4~>d^
z^h)Y0?kK`B<~0hJLXgo=f4W8TD!FYLKYk=Pfk73gOF9V$QH>UYD21~0f2`pHd%o}p
z=1e3JvdH#0BpjlQ+3*H2i*sYa$6I3*JksKi_vGJ>@3y$)7fx)q)|HXAbe`D$yj?*q
zXn4P_SkRC&Cw5yZ^4lj|^_B*P6G+X7ri8*BB91mH(7%Ljfdg=l+8YzL5@)Q&qnP_H
ze@b+g`Q!E&0`3Pt<c(ksv?U$nnK3SRpN!-@L}0Dy@5i<u)nyIr`JFynngIncv=ecP
z)A%H8vGlxd%dvb9_`C!VmQ~v9M8dvb1x1;n{O!s8N0-S;QXmy|)H#PpLT+*-HenD-
z72;TJ8tug}L`9(l>T+~u&miDNHrRu5W@i81aY4BtD(Nk%nk>)<uYxluSd~|2BKC!N
zA0nWG6gz!X6^6jvCFkR|fNdlqItG+0RESuR`(C|mU5XPkyYi2(2Gt^z>Y0w*Uk9E8
zkgGnNA|FOg$LRx>O>Q5-0pFmaM$OatMa$5rfwEY7vA9G2WiB|}*4J(~RQlVJ7xrv+
zQIY6CY-kQ0zYG^%kl!mb2fa$GJ!Wn!Zdt!=G>%4$P89u%wegZ@a8F#it8ZWh^?Q{l
za}UKTHi~Itc?7C;R70Wyqb67O_4-8eQBP~ge^xt#^Hi03D`76y&JS2!s-_+0`o_?P
zO;6x2@|wA8p*S$)REa=Cvt#n&QgUqv;N%v}e=O}<{~R<ftQ@qHhuHd4EqU<F%ur=o
z#RD5}P0BNW-|Qg9>cs2{FPU$D^MK_kg%7@U;d4j8d18silBZkPE?626B#uRqo*DQz
zogED;5mZhUSEW`Ps>`>}*$0~uWSE<~<*&~rtfNX@$J~FOt$V59!?PCeDbB+b0R71(
zauSG{W`2mJ!F<f4$_ttxvUwiq&-A+a<F~%C(b}fFvmJTx!W%<&B3+Kedggl<{<UtX
zHmM?_F@Llt?_G-RT&6%8i`4Xtg#eywOA&ISBX3^ZBKhSP_x1NjLaO-`pds|QV#Mm5
z3G>a%UW*k%i6N?(AHVa5bvwohPXhW8xlK?ir-(>)dG`lLEsa}09Qgc8P)TsE%5yA+
z$H_(tKH^jpKP)yun_AZgF%hR0lDL_HJ_8?ZL>|3z@XKx0QhFL7^f!b<87Zq+mgKoB
zHE&TZ%FuP7eYAN=U1?9+DzMI%kAXVBQ!JOLD#NQb<)N#Gd?hM*trEvf=c-B*tT07b
z5G^r<VA5WNY4rrWa`L{kS6;rFcNPqk(_#LIDsKfad7&l+UxU5?Q+T?XLc-?8mBpsC
zy}QTiqEu=<nR<6+XnE=}e;3SyKYg@rr+pd&xcH2@CysUHwrkBz6C?o?LekXaJJ)tv
zTQqnKm;CUW=V+VoYo#Q*lmTu2GA~n{aXc`+Nx}&_t>gdDCu!vNkEQea4g+9dM*iah
z76PaXIJvT?RnP>usg%PCdm_T0>u=SP)KiL8+5BLOym5WAwSniEc+-4%{Yw_>BHc8W
z<R?GxoShFNR$oDd&^?KviGc>dk*FtO<)3pQyK-@dLEVB{kyEK4+Syf1I>ZK}MPoX(
zRH505c4v=4TC$o~;q@cGrd_m1dXwA9VLv5gfd)YWycZLEUVe6iuR?Xn!#7>5i*Q(M
zneO^~Ni38E-lu1Po43(gI^GLV1rg4w0b4*6%G!v$e$#%qoC3c28@!N$BOg<v$OCZy
zd*-^;rVGXl_NNKC?UwU6K*u*lJxj<dSqjQpJYfD-1vZ;W6%VbJp*HQFrdu8CJ(`Ep
zlSEqr#X!{z90H9Kg_Qist;0uQ6=LZgFQw3hB>4fL!H)(7$S8zKmp7vzD<wI&29vTO
z+;X=$IcN_dJi{B4U+fIauixGn>hM+yLmQ?CsIeTR+ov$3h6n2io^DWm03=YWsgc~F
z=ApH8ve%^Pq_xc7nIEiM8!__Yo$<AW`RLAjmdC4$@1I;hT+KXAhlZf^5xL=`GrKyt
zFXk#40_rZJNf8~#$ChA)jQr6@!JREEB<KLodX6^bhP#J0LDRt}v<i$<9=YqY)a7e;
zw+?vY^0Q0B^4i^mRlQ<EUTM9z*XdM`O*9s1BQs$(Ksm+fX^{wHgd!7Z;v+@ACXe5X
zoUNl7U?uUWM|In0I;qgdscjk6ASet)JmF`MX^g@*ON~p+_s8$kC>jb8gZm;FSVJ)Y
zb9Ur@#M;Fc3l$(=yT5<9i?2NvV}MM<*H=(qmha!+x9V<5escft-bIRjVu7L@f)%7&
zf1=PjqGyU<a?4;Pf;R1<DZl@#=$I1?O)~ovo(7^Lb*gEaMG@-u^aEy|<J-5&*@)b-
za@gut7#lLZa=;2d0)SAlt~|H0%L+pf)9;o)Tlt!`qy}bD{%K|JFlCV?9y^>~mfIf8
zsq6;e^#+b=4*A^&Vh}{(wcQgH`TGY4&qB+`fUJff%p7FhXdPRNUD`!kfpQj8=u|0$
zvc-GFJbpB<PI-0F@YV}cDCp)e#^BH>QRs9J{3fKw5VZH%QS}2+f8Lo@n+fJ$6!4%9
yz@u?o%8y_6|8E3B{C@<C+#$C<jBHx90e!O!kJR?V-~8gu+pk;h+<tw)d;j0cl!BlD
delta 3956
zcmaJ^du*Fm6<5--Ig`>s)5qHNk+$n2*oy5WPGa?WziY>}zkdGw*>Mu5ZdxaG{C>pG
z#NAe)>tIM|jH?0CG%<nb2HLuGp40)NZD?2im;^$V_ydGM6H@<ZRrm}3m>8UMuHBa=
zR4HHYz2~0uJHPX~UjA11omaY-FKk?$P37awpKQF>(fr}2bBE97_=H7gR)yKP#m!hK
zW(mPx{4?pc7>xUCy2Z;_TB+)IZWI&{=hH={y;2#|A6co>a1T_Z6vi@&MP=?qSCFI^
z6ibA$Ind`RD&z2Rb1@Oww<Cnxk=hvATU18fC>)WS77t^dW8z1V>9bB(S|M;{vYk)}
zFn&C6jU!6$A|CMp1s8UuN`mpm7(&h~OJk@wUONVum{vcAI7$j#Vd0i6BN4g*E_j&R
z!Si0U8WxMwn<K-1JlBF24ZMc?e8fexJfzfvO36|}sYsTj-!TtdD7Z>|%)%K<C=;kk
zx*02pJJVavCXicZH1OlC@rDZ|LP7F5M;c?~Ye{JY&;@lVfPQL-*)xs8ERqgb!tenL
zMoq~DEOE3%(M<c`1X!?pP*AfWn%L=#&r$$13mjygVv|`P9_l&q>hXzvjsU{Z3o7v?
z5kyqfKUqQfR+>~rcl3bCimdX}8DT`9SzmI2a+fcGn0OfR@oBqwF}iKdC^4dXfk1cA
zE`A>E?HCfDL^qj=8d<4|yU|VSlPbYTsTkV43~fnlKGEBe6Z=mLoUN#!KZJ?vSEZ1z
zM%kbabHp67R22X-BKJl)<zh|=U_cj@$3*7<Niz5lp<bsSc~$Eg$TQu{G1?lDNc=m*
z-4h2#M<`9zvb#lKi#nSM0Ni$$Ws*Ulkv}UXzdAYwTWoSc#Aep5PmUv$mS?GP^fr<f
z-=5jsVH3+U8~PlC+;Hjy3lah<$|#JZJ_9*Paw$+0|Crg?wWOf}E$J1TPww93B_d@x
zYZc1<=~iX|SQN~Q*^_>2J!q*zi7qJsMq^&Pi*j4%Xe+!Bw0JCLKX2$zbdcw~EdF}(
z!>*+urB@>;V!TJZe`?4?JKhO<^UkSzook_(h%0b@7CH0|H1Evq=~x4NV9fyoP#goz
z?eSVi_ppw#SVcx~N&I;JXirtUf4eAyz99ZHzw_xKN_UI^)OpP<{xIJoSYoluA+;uh
z&EF)}t$rp$V!DIaForOpcu~m)#J$W*SPQM*!_&%$6dBemF=z-B?3(N?6lFJ3oOU%@
z>EojIR1zO%D_u4X3D5=uO?&R;PScRA&ZXwnLid-}JcK`~WSW1fBs;r733(2N=7xk`
z58vMbII(i`QhodCwa_O>2)5#&-#t+gpPo6{ox{MiGA|?i&;Rr30YeJP-kNA?FYM`f
zOySpFeC>(uDwQq@hfi0;w(}b{4f|yBU}LAU%2Jc`7KL`++Ew<W%Y%wToIf8j4a?iL
z=HJe<Rfke8JS!=7na3~yfPrus^AM78lDPrB&RlGSu&Iy&82AP3o=ht?Prh>INmG^X
z&eg=H-+ieY$_uhEMq>76`L)khbr;5@Uob2Jc5&u)V;kfzP@*qVx6<n#T&Yz*IZ>Gx
zr^I^k-`BT4*E$&W%9)dZvTrDr02*jtvNo0Pk93%TI;@^l^XotO%c?DA0u+L-Lw*yM
z%q(6roTBl@k<OAKY;SIE{_&05U5AQeC^b()Lk0?ki`c#S>;g4$16+qq6&g0Q*x70r
zR}rV&92KAabnmvR>=t$vaJq}!CQU)x!FvgD<U(%5D&@1#P@pW!N=9B;7_($x9Zyez
ztlQ3)QdE$>woUQ(3w^E(b$>M##2yn%OSQ1VNC9)a#E+q+Nr$x2J^`=nN=w=)jJM<V
z6pb?t<_FIz6%WSHTc#MOxgZe8$Fmby4l%Q|SP-}0-f0@5h^lt+m3MAzupN7lwPk1{
zIMa(UVf?J8`T08^t=j6u-p6ZSFvR#&L)?0IVQ_>bAgwTwGDi`4C^<zLumtT0ooZ+Z
zW>6{8scsYX_Z&y6<fNJiqeuj-xYJ6Kf`RjbX$7f@PP6!b=%X}OTgT$=ds{pJ4`cGk
z1uPm+=dri!sVOwU$J0_dtgvUITl1~0jL<KdO?ljl1Pje?T-?xMs*to^6>q&?@h$ie
zpUW)m+sBYIBSR9QY#3JVc^jr(ENIiQOU+SdYDg87k5<V~P0TEBw>l&ee6qR6ZL|pA
z-@_&X?;9G7(94}lPQ1IUwDH))zm^AB4Q(=`PFLNFVJQtv;HdTvDhue!WU%4E1B1Y%
zb=ZP5p)ie#)Ftcw<OD>?T~y2{?P8Q8nuA_}?dM8+x(-s$QwJcRkh75yaqE&j3dr&8
zn4hK?WTwgU`%c4P&2sEGV>MYDxd^pp`#9aIVFOYfN{BM04vHaBBX9^w95RQ+sSoxa
zft8m{Hk8B!x)3Hm05tdkZ&>h5H_J{k5_woj46XqSMeY!P{$R}H^ddanDf*gQJ<th&
zQy)DX_4-k|Hj7;9gIGTB;(|s12t2tQSuje}Gt`PkpvyFh)JpR^&0ns%KTm{ydG!9G
z`Re75Iv%X_U(BrTNk<;UfgVfRsJQm)=eL(|pU<Zvgm5s4CV9Y&&pOV`Q{woQqg#tu
z8c_IO^olHqYghW#K(Rq`IwT{5;@?+Xo3dDcyrOu}H5}xSk;s=*j9*Qd<V)1+6xXlr
zvNz;|5iR={rclbjY6;TIBIHB5{3DZ64^~!2Y`o@AfdN3}l-UIJfDD)DQAsK^Gqo-~
ze-spY{SF@y-L@+qY%tH^)*Ll24o_N|sgI+`i{D+__+*BxRm9e7o5d3={iYgrS4e+x
zU}bkt4c~CgU;s$PH`h_EE-EX}wY^M;w^sJ=s!#+%Wn$V3E9B*&DywjN^Yay@qbuh}
z=B&IRyw?N64Ky^yl5(z*gPwpnPtRf+Mt&e4py2o{z;6VdWfe9met&(x$u2RL#M&Es
zOas)LjfOaKW4j5aAY9QLB5|YNl#!~_;>{bodMJ`C)QTFiT^F}*%*zOS=$8f*rto~s
zyFe5k)eW8!;^VzecmN_HZ3=vBiLC3zsRx0x(UvDUjghm<$fd-^o6mkZbqu!#6_{0^
zMNf!rH=kYKn3fR<F?WqGDIj44hlT&<;T`{9DF;ZP^eL&d2EXG(@AuY;+c%wS+A5*z
zrQu!K|JzS~bv8BMyRWw#pR1$_`F{Mh+q>i7!QN{AbbKBbr+fQ)&qVXl3jTXU>fj@n
z`b+U*HZ~XE*K0ixjam=KqS4voGlx!m^^i4T>D{}xw{O4H@`C)dRh7Tld9LGf=ef@Q
GmHz>meytq<
diff --git a/src/mobile.startup/PageGateway.js b/src/mobile.startup/PageGateway.js
index 091cb6b3b..dd2e0758d 100644
--- a/src/mobile.startup/PageGateway.js
+++ b/src/mobile.startup/PageGateway.js
@@ -52,9 +52,6 @@ function transformSections( sections ) {
// if the first section level is not equal to collapseLevel, this first
// section will not have a parent and will be appended to the result.
sections.forEach( function ( section ) {
- if ( section.line !== undefined ) {
- section.line = section.line.replace( /<\/?a\b[^>]*>/g, '' );
- }
section.subsections = [];
if (
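Review bot: the removal has no accompanying regression test, so the `section.line.replace( /<\/?a\b[^>]*>/g, '' )` line could be reintroduced silently; add a unit test for `transformSections` that passes a section whose `line` contains anchor markup (for example `<a href="/wiki/Foo">Foo</a>` inside other text) and asserts the `line` comes back byte-for-byte unchanged. It is also worth stating in the commit message that, after this change, `line` is passed through as the parser emitted it, so every consumer that renders it (the `parseHTML` path the message mentions) is relying on the parser's sanitization rather than on any client-side rewriting.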
--
2.20.1
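The commit message describes a regex being run over HTML that the parser had already serialized and sanitized, which can change what the string parses to. The JavaScript below is an added example written for this page, not code from the MobileFrontend patch or from the project: a small tokenizer that applies the HTML rule that `<` opens a tag only when it is followed by a letter or `/` (otherwise it is text), the removed regex placed beside a token-level anchor removal that re-escapes text on output, and a check, `introducesNewTags`, that flags any anchor-stripping transform after which the parser sees a tag name it did not see before. The entity table, the function names and the sample strings are constructed for the example and are not from the page.

```javascript
// Added example (not part of the MobileFrontend patch): a string-level regex
// over serialized HTML versus editing the parsed form and re-serializing it.
// The tokenizer follows the HTML tag-open rule: "<" starts a tag only when it
// is followed by a letter or "/"; any other "<" is ordinary text.

// Minimal entity table (constructed subset, enough for this example).
const ENTITIES = { lt: '<', gt: '>', amp: '&', quot: '"' };

// Decode the named entities above inside a text run.
function decodeText(s) {
  return s.replace(/&(lt|gt|amp|quot);/g, (m, name) => ENTITIES[name]);
}

// Escape a text run for output so it can never be read as markup.
function encodeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Split HTML into tag tokens {type:'tag', raw, name, closing} and
// text tokens {type:'text', value} (value is entity-decoded).
function tokenize(html) {
  const tokens = [];
  const tagRe = /<(\/?)([a-zA-Z][^\s\/>]*)[^>]*>/y; // sticky: match at lastIndex only
  let text = '';
  for (let i = 0; i < html.length; ) {
    if (html[i] === '<') {
      tagRe.lastIndex = i;
      const m = tagRe.exec(html);
      if (m) {
        if (text) { tokens.push({ type: 'text', value: decodeText(text) }); text = ''; }
        tokens.push({ type: 'tag', raw: m[0], name: m[2].toLowerCase(), closing: m[1] === '/' });
        i += m[0].length;
        continue;
      }
    }
    text += html[i++]; // "<" not followed by a tag name is text
  }
  if (text) tokens.push({ type: 'text', value: decodeText(text) });
  return tokens;
}

// Tag names a parser sees in the string ("/" prefix marks an end tag).
function tagNames(html) {
  return tokenize(html)
    .filter(t => t.type === 'tag')
    .map(t => (t.closing ? '/' : '') + t.name);
}

// The line removed from PageGateway.js: anchor removal on the raw string.
function stripAnchorsByRegex(html) {
  return html.replace(/<\/?a\b[^>]*>/g, '');
}

// Alternative: drop anchor tokens from the parsed form, then re-serialize,
// escaping every text run so text can never turn into markup.
function stripAnchorsByTokens(html) {
  return tokenize(html)
    .filter(t => !(t.type === 'tag' && t.name === 'a'))
    .map(t => (t.type === 'tag' ? t.raw : encodeText(t.value)))
    .join('');
}

// Review invariant: a transform that only removes anchors must never make
// a tag name appear that the parser did not already see in the input.
function introducesNewTags(html, transform) {
  const before = new Set(tagNames(html));
  return tagNames(transform(html)).some(name => !before.has(name));
}
```

On the constructed input `<<a href="#">b</a>>` the parser sees text `<`, an anchor, and text `>`; the regex version yields `<b>`, so a new element appears, while the token version yields `&lt;b&gt;`, which is still text. On ordinary parser output (a heading with a wikilink and entity-escaped text) both versions produce the same string, which is why a defect like this is easy to miss without the invariant check. In a browser, the counterpart of the inert tokenizer is `DOMParser`, whose documents do not run scripts or load subresources, as opposed to `jQuery.parseHTML` on the live document, which the commit message notes can fire image callbacks before anything is appended.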
File Metadata
Mime Type
text/plain
Attached To
T262213: XSS on Pages viewed on Mobile (CVE-2020-26120)