06-T115888-REL1_31.patch
Reedy (Sam Reed)
Authored By
Reedy
Sep 23 2020, 5:01 PM
2020-09-23 17:01:07 (UTC+0)
From 33f9e6e91a5cdc67b75eec0269f71c78ea53e567 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bartosz=20Dziewo=C5=84ski?= <matma.rex@gmail.com>
Date: Wed, 21 Oct 2015 14:24:17 +0200
Subject: [PATCH] SECURITY: mediawiki.js: Escape HTML in mw.message( ...
).parse()
This effectively makes .parse() equivalent to .escaped() rather than .text().
Does not affect the mediawiki.jqueryMsg version, which still accepts
whitelisted HTML tags.
Bug: T115888
Change-Id: I6513dfb480024309e1594abc6f07bbd3b0c5a10e
---
resources/src/mediawiki/mediawiki.js | 8 +++++++-
.../mediawiki/mediawiki.jqueryMsg.test.js | 18 ++++++++++++++++++
2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/resources/src/mediawiki/mediawiki.js b/resources/src/mediawiki/mediawiki.js
index 3fe276bbef..50a06775a6 100644
--- a/resources/src/mediawiki/mediawiki.js
+++ b/resources/src/mediawiki/mediawiki.js
@@ -297,7 +297,13 @@
* @return {string} Parsed message
*/
parser: function () {
- return mw.format.apply( null, [ this.map.get( this.key ) ].concat( this.parameters ) );
+ var text;
+ text = mw.format.apply( null, [ this.map.get( this.key ) ].concat( this.parameters ) );
+ if ( this.format === 'parse' ) {
+ // We don't know how to parse anything, so escape it all
+ text = mw.html.escape( text );
+ }
+ return text;
},
// eslint-disable-next-line valid-jsdoc
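Review bot: The escape on `text = mw.html.escape( text );` is guarded by `this.format === 'parse'`, so it relies on the caller having set `format` before `parser()` runs; any path that reaches `parser()` with `format` unset (a direct call, or a value other than `'parse'`) still returns the raw formatted string, which is presumably intended for `.text()` but is not stated anywhere in the method. The inline comment could carry that contract: `// Core has no wikitext parser, so escape the whole formatted string; this makes parse() equivalent to escaped(). Other formats are handled by the caller.` — the claim that jqueryMsg replaces this method comes from the commit message, not the hunk. The method's JSDoc starts above the hunk and its `@return {string} Parsed message` is now slightly misleading for this implementation; `@return {string} Formatted message, HTML-escaped when format is 'parse'` would match the code. As a minor style point, `var text;` followed by an immediate assignment could be a single `var text = mw.format.apply( null, [ this.map.get( this.key ) ].concat( this.parameters ) );`.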
diff --git a/tests/qunit/suites/resources/mediawiki/mediawiki.jqueryMsg.test.js b/tests/qunit/suites/resources/mediawiki/mediawiki.jqueryMsg.test.js
index 0653dfd3d0..fb2dcf49c6 100644
--- a/tests/qunit/suites/resources/mediawiki/mediawiki.jqueryMsg.test.js
+++ b/tests/qunit/suites/resources/mediawiki/mediawiki.jqueryMsg.test.js
@@ -794,6 +794,24 @@
mw.jqueryMsg.getMessageFunction = oldGMF;
} );
+ // Tests that HTML in message parameters is escaped,
+ // whether the message looks like wikitext or not.
+ QUnit.test( 'mw.Message.prototype.parser monkey-patch HTML-escape', function ( assert ) {
+ mw.messages.set( '1x-wikitext', '<span>$1</span>' );
+ assert.htmlEqual(
+ mw.message( '1x-wikitext', '<script>alert( "1x-wikitext test" )</script>' ).parse(),
+ '<span><script>alert( "1x-wikitext test" )</script></span>',
+ 'Message parameters are escaped if message contains wikitext'
+ );
+
+ mw.messages.set( '1x-plain', '$1' );
+ assert.htmlEqual(
+ mw.message( '1x-plain', '<script>alert( "1x-plain test" )</script>' ).parse(),
+ '<script>alert( "1x-plain test" )</script>',
+ 'Message parameters are still escaped if message contains no wikitext'
+ );
+ } );
+
formatnumTests = [
{
lang: 'en',
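Review bot: The expected strings of both `assert.htmlEqual` calls appear here as raw `<span><script>…</script></span>` and `<script>…</script>`, i.e. the same markup as the unescaped input; if that is the literal source rather than entity-decoding by this page's rendering, the assertions would accept unescaped output, which is exactly the defect the patch fixes. The expected values should be the entity-escaped form (`&lt;span&gt;&lt;script&gt;…&lt;/script&gt;&lt;/span&gt;`), and `assert.strictEqual` would pin the exact output more tightly than a DOM-level comparison. The test name mentions a monkey-patch but the body neither installs nor removes one, and since this file exercises mediawiki.jqueryMsg it is not clear from the hunk whether the core `parser` or the jqueryMsg replacement is under test; a setup line or comment naming which implementation is active would make the test's claim checkable. A companion assertion that `.text()` stays unescaped, e.g. `assert.strictEqual( mw.message( '1x-plain', '<b>x</b>' ).text(), '<b>x</b>', 'text() is not escaped' );`, would document the scope of the change.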
--
2.25.1
T256335: Tracking bug for MediaWiki 1.31.9/1.34.3/1.35.0