
From e7849fc7f927a65177898710ac6ba1902636f902 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bartosz=20Dziewo=C5=84ski?= <matma.rex@gmail.com>
Date: Wed, 21 Oct 2015 14:24:17 +0200
Subject: [PATCH] SECURITY: mediawiki.js: Escape HTML in mw.message( ...
).parse()
This basically makes it equivalent to .escaped() and not .text().
Does not affect the mediawiki.jqueryMsg version, which still accepts
whitelisted HTML tags.
Bug: T115888
Change-Id: I6513dfb480024309e1594abc6f07bbd3b0c5a10e
---
resources/src/mediawiki.base/mediawiki.base.js | 7 ++++++-
.../mediawiki/mediawiki.jqueryMsg.test.js | 18 ++++++++++++++++++
2 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/resources/src/mediawiki.base/mediawiki.base.js b/resources/src/mediawiki.base/mediawiki.base.js
index 2a1edf558c..331ccff5ab 100644
--- a/resources/src/mediawiki.base/mediawiki.base.js
+++ b/resources/src/mediawiki.base/mediawiki.base.js
@@ -117,7 +117,12 @@
) {
text = '(' + this.key + '$*)';
}
- return mw.format.apply( null, [ text ].concat( this.parameters ) );
+ text = mw.format.apply( null, [ text ].concat( this.parameters ) );
+ if ( this.format === 'parse' ) {
+ // We don't know how to parse anything, so escape it all
+ text = mw.html.escape( text );
+ }
+ return text;
},
/**
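Review bot: The new `if ( this.format === 'parse' )` branch changes what `.parse()` returns when only the base fallback parser is installed, but the hunk does not document that contract; the inline comment could say why rather than what, e.g. `// The fallback parser has no wikitext/HTML parsing, so the whole formatted string, parameters included, is treated as text and escaped; .parse() must never return unescaped markup.` The JSDoc for `parse()`/`parser` (outside this hunk) should also state that without mediawiki.jqueryMsg the result is fully HTML-escaped, whereas jqueryMsg still allows whitelisted tags, as the commit message notes. Because escaping is applied after `mw.format.apply` substitutes parameters, any markup in the message text itself is escaped too, which is what the `.escaped()` equivalence in the description implies and is worth stating next to the branch. The enclosing function starts before this hunk.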
diff --git a/tests/qunit/suites/resources/mediawiki/mediawiki.jqueryMsg.test.js b/tests/qunit/suites/resources/mediawiki/mediawiki.jqueryMsg.test.js
index e6b933d35b..eeebaae4e5 100644
--- a/tests/qunit/suites/resources/mediawiki/mediawiki.jqueryMsg.test.js
+++ b/tests/qunit/suites/resources/mediawiki/mediawiki.jqueryMsg.test.js
@@ -758,6 +758,24 @@
mw.jqueryMsg.getMessageFunction = oldGMF;
} );
+ // Tests that HTML in message parameters is escaped,
+ // whether the message looks like wikitext or not.
+ QUnit.test( 'mw.Message.prototype.parser monkey-patch HTML-escape', function ( assert ) {
+ mw.messages.set( '1x-wikitext', '<span>$1</span>' );
+ assert.htmlEqual(
+ mw.message( '1x-wikitext', '<script>alert( "1x-wikitext test" )</script>' ).parse(),
+ '<span>&lt;script&gt;alert( &quot;1x-wikitext test&quot; )&lt;/script&gt;</span>',
+ 'Message parameters are escaped if message contains wikitext'
+ );
+
+ mw.messages.set( '1x-plain', '$1' );
+ assert.htmlEqual(
+ mw.message( '1x-plain', '<script>alert( "1x-plain test" )</script>' ).parse(),
+ '&lt;script&gt;alert( &quot;1x-plain test&quot; )&lt;/script&gt;',
+ 'Message parameters are still escaped if message contains no wikitext'
+ );
+ } );
+
formatnumTests = [
{
lang: 'en',
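Review bot: The new test appears to exercise the jqueryMsg parser rather than the base fallback changed in mediawiki.base.js: its name says "monkey-patch", it lives in mediawiki.jqueryMsg.test.js, and it expects the `<span>` of `1x-wikitext` to survive unescaped, which the new `mw.html.escape( text )` branch would not produce. If that reading is right, the `this.format === 'parse'` branch has no direct coverage; a companion test in the mediawiki.base suite, run without the jqueryMsg parser installed, expecting `'&lt;span&gt;&lt;script&gt;alert( &quot;1x-wikitext test&quot; )&lt;/script&gt;&lt;/span&gt;'` for the same input would pin the fallback behaviour. The test also sets `1x-wikitext` and `1x-plain` in `mw.messages` without removing them afterwards, which can leak into later tests unless the module's environment resets messages between tests. The enclosing QUnit module continues outside the hunk.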
--
2.25.1
