
SportsTeams-XSS.patch

Authored By
ashley
Apr 26 2021, 10:09 PM


diff --git a/includes/specials/SpecialSportsTeamsManager.php b/includes/specials/SpecialSportsTeamsManager.php
index ff16eb5..ebf6d66 100644
--- a/includes/specials/SpecialSportsTeamsManager.php
+++ b/includes/specials/SpecialSportsTeamsManager.php
@@ -42,7 +42,7 @@ class SportsTeamsManager extends SpecialPage {
}
// Set the page title
- $out->setPageTitle( $this->msg( 'sportsteams-team-manager-title' )->plain() );
+ $out->setPageTitle( $this->msg( 'sportsteams-team-manager-title' ) );
// Add CSS
$out->addModuleStyles( 'ext.sportsTeams.manager' );
@@ -55,7 +55,7 @@ class SportsTeamsManager extends SpecialPage {
if ( isset( $id ) && $id > 0 ) {
$out->addHTML(
'<span class="view-status">' .
- $this->msg( 'sportsteams-team-manager-sport-created' )->plain() .
+ $this->msg( 'sportsteams-team-manager-sport-created' )->escaped() .
'</span><br /><br />'
);
}
@@ -67,7 +67,7 @@ class SportsTeamsManager extends SpecialPage {
{
$st = new SportsTeams( $user );
$id = $st->editSport(
- $request->getVal( 'sport_id' ),
+ $request->getInt( 'sport_id' ),
$request->getVal( 'sport_name' )
);
return;
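Review bot: The `editsport` branch writes to the database on the strength of a plain `method` request parameter, and neither a POST check nor an edit-token check is visible in this hunk, so the `editSport` call at the rewritten `getInt( 'sport_id' )` line is reachable by a cross-site request if nothing above guards it. `execute()` starts and ends outside the hunk, so such a guard may already exist; if it does not, add `if ( !$request->wasPosted() || !$user->matchEditToken( $request->getVal( 'wpEditToken' ) ) ) { return; }` before `$st = new SportsTeams( $user );` and emit the token as a hidden field in `displayCreateSportForm()`. Switching to `getInt()` is the right move for the id, but note it yields `0` for a missing or non-numeric value; if `editSport()` treats `0` as "create", a tampered id silently becomes an insert rather than an error.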
@@ -87,7 +87,7 @@ class SportsTeamsManager extends SpecialPage {
$id = $dbw->insertId();
$out->addHTML(
'<span class="view-status">' .
- $this->msg( 'sportsteams-team-manager-created' )->text() .
+ $this->msg( 'sportsteams-team-manager-created' )->escaped() .
'</span><br /><br />'
);
} else {
@@ -105,7 +105,7 @@ class SportsTeamsManager extends SpecialPage {
$out->addHTML(
'<span class="view-status">' .
- $this->msg( 'sportsteams-team-manager-saved' )->text() .
+ $this->msg( 'sportsteams-team-manager-saved' )->escaped() .
'</span><br /><br />'
);
}
@@ -122,24 +122,22 @@ class SportsTeamsManager extends SpecialPage {
$out->addHTML( $this->displaySportsList() );
} elseif (
$request->getVal( 'method' ) == 'editsport' &&
- $request->getVal( 'sport_id' )
+ $sport_id
)
{
$out->addHTML(
- $this->displayCreateSportForm(
- $request->getVal( 'sport_id' )
- )
+ $this->displayCreateSportForm( $sport_id )
);
return;
} else {
$out->addHTML(
'<div><b><a href="' .
htmlspecialchars( $this->getPageTitle()->getFullURL() ) . '">' .
- $this->msg( 'sportsteams-team-manager-view-sports' )->text() .
+ $this->msg( 'sportsteams-team-manager-view-sports' )->escaped() .
'</a></b> | <b><a href="' . htmlspecialchars( $this->getPageTitle()->getFullURL(
[ 'sport_id' => $sport_id, 'method' => 'edit' ]
) ) . '">' .
- $this->msg( 'sportsteams-team-manager-add-new-team' )->text() . '</a></b></div><p>'
+ $this->msg( 'sportsteams-team-manager-add-new-team' )->escaped() . '</a></b></div><p>'
);
$out->addHTML( $this->displayTeamList( $sport_id ) );
}
@@ -171,10 +169,10 @@ class SportsTeamsManager extends SpecialPage {
$form .= '
<tr>
<td width="200" class="view-form">' .
- $this->msg( 'sportsteams-team-manager-sport-name' )->plain() .
+ $this->msg( 'sportsteams-team-manager-sport-name' )->escaped() .
'</td>
<td width="695">
- <input type="text" size="45" class="createbox" name="sport_name" value="' . $sportNameValue .'" />
+ <input type="text" size="45" class="createbox" name="sport_name" value="' . htmlspecialchars( $sportNameValue, ENT_QUOTES ) .'" />
</td>
</tr>
';
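Review bot: `htmlspecialchars( $sportNameValue, ENT_QUOTES )` on the rewritten `<input … name="sport_name">` line returns an empty string for any name containing an invalid UTF-8 sequence on PHP versions before 8.1 (where `ENT_SUBSTITUTE` became a default), so a stored name with a bad byte would render as a blank field and be overwritten on save. Use `htmlspecialchars( $sportNameValue, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' )`, or let MediaWiki build the element: `Xml::input( 'sport_name', 45, $sportNameValue, [ 'class' => 'createbox' ] )`, which escapes the attribute itself and removes the hand-built markup. Where `$sportNameValue` is assigned is outside the hunk; presumably it is the raw DB value, which is exactly why the escape belongs here.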
@@ -186,12 +184,12 @@ class SportsTeamsManager extends SpecialPage {
$sport_image = SportsTeams::getLogo( $id, false, 'l' );
$form .= '<tr>
<td width="200" class="view-form" valign="top">' .
- $this->msg( 'sportsteams-network-alt-logo' )->plain() .
+ $this->msg( 'sportsteams-network-alt-logo' )->escaped() .
'</td>
<td width="695">' . $sport_image . '
<p>
<a href="' . htmlspecialchars( SpecialPage::getTitleFor( 'SportsManagerLogo' )->getFullURL( "id={$id}" ) ) . '">' .
- $this->msg( 'sportsteams-team-manager-add-replace-logo' )->text() .
+ $this->msg( 'sportsteams-team-manager-add-replace-logo' )->escaped() .
'</a>
</td>
</tr>';
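Review bot: `$sport_image` from `SportsTeams::getLogo( $id, false, 'l' )` is concatenated into the `<td width="695">` line unescaped while every message on the same rows now goes through `->escaped()`; whether `getLogo()` escapes the path or URL it embeds in its `<img>` tag is not visible in this hunk. If it assembles the tag from a stored filename, the escaping must happen inside `getLogo()` (e.g. via `Html::element( 'img', [ 'src' => … ] )`), otherwise this row is still an injection point. Either way, a comment on the assignment would stop the next reader from wondering: `// getLogo() returns ready-made HTML and is responsible for escaping its src attribute`. `displayCreateSportForm()` continues outside the hunk.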
@@ -200,10 +198,10 @@ class SportsTeamsManager extends SpecialPage {
// Different button text (and hidden method, which is used in execute())
// depending on if we're editing a sport or adding one
if ( $id ) {
- $msg = $this->msg( 'sportsteams-team-manager-edit' )->plain();
+ $msg = $this->msg( 'sportsteams-team-manager-edit' )->escaped();
$method = 'editsport';
} else {
- $msg = $this->msg( 'sportsteams-team-manager-add-sport-button' )->plain();
+ $msg = $this->msg( 'sportsteams-team-manager-add-sport-button' )->escaped();
$method = 'createsport';
}
@@ -211,7 +209,7 @@ class SportsTeamsManager extends SpecialPage {
<td colspan="2">
<input type="hidden" name="method" value="' . $method . '" />
<input type="button" class="site-button" value="' . $msg . '" size="20" onclick="document.sportsteamsmanager.submit()" />
- <input type="button" class="site-button" value="' . $this->msg( 'cancel' )->plain() . '" size="20" onclick="history.go(-1)" />
+ <input type="button" class="site-button" value="' . $this->msg( 'cancel' )->escaped() . '" size="20" onclick="history.go(-1)" />
</td>
</tr>
</table>
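Review bot: The rewritten cancel button keeps an inline `onclick="history.go(-1)"`, and the line above it submits the form with `onclick="document.sportsteamsmanager.submit()"`; both are blocked under a Content-Security-Policy without `'unsafe-inline'`, which MediaWiki's CSP support defaults to. The submit button can simply become `<input type="submit" class="site-button" value="' . $msg . '" />`, and the cancel action belongs in the `ext.sportsTeams.manager` module bound by class name rather than in the markup. The `$method` and `$msg` values interpolated here are fine: `$method` is one of two constants and `$msg` is already `->escaped()`.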
@@ -228,10 +226,10 @@ class SportsTeamsManager extends SpecialPage {
$linkRenderer = $this->getLinkRenderer();
$pt = $this->getPageTitle();
foreach ( $sports as $sport ) {
- $editLink = $this->msg( 'word-separator' )->plain() .
+ $editLink = $this->msg( 'word-separator' )->escaped() .
$linkRenderer->makeLink(
$pt,
- $this->msg( 'sportsteams-team-manager-edit-this-sport' )->plain(),
+ $this->msg( 'sportsteams-team-manager-edit-this-sport' )->text(),
[ 'class' => 'red-edit-link' ],
[
'method' => 'editsport',
@@ -293,7 +291,7 @@ class SportsTeamsManager extends SpecialPage {
$request = $this->getRequest();
$form = '<div><b><a href="' . htmlspecialchars( $this->getPageTitle()->getFullURL( 'sport_id=' . $request->getInt( 'sport_id' ) ) ) . '">' .
- $this->msg( 'sportsteams-team-manager-view-teams' )->text() . '</a></b></div><p>';
+ $this->msg( 'sportsteams-team-manager-view-teams' )->escaped() . '</a></b></div><p>';
if ( $id ) {
$team = SportsTeams::getTeam( $id );
@@ -308,7 +306,7 @@ class SportsTeamsManager extends SpecialPage {
$form .= '
<tr>
- <td width="200" class="view-form">' . $this->msg( 'sportsteams-team-manager-sport' )->text() . '</td>
+ <td width="200" class="view-form">' . $this->msg( 'sportsteams-team-manager-sport' )->escaped() . '</td>
<td width="695">
<select name="s_id">';
$sports = SportsTeams::getSports();
@@ -321,17 +319,19 @@ class SportsTeamsManager extends SpecialPage {
{
$selected = ' selected';
}
- $form .= "<option{$selected} value=\"{$sport['id']}\">{$sport['name']}</option>";
+ $form .= "<option{$selected} value=\"{$sport['id']}\">";
+ $form .= htmlspecialchars( $sport['name'], ENT_QUOTES );
+ $form .= '</option>';
}
$form .= '</select>
</tr>
<tr>
<td width="200" class="view-form">' .
- $this->msg( 'sportsteams-team-manager-teamname' )->text() .
+ $this->msg( 'sportsteams-team-manager-teamname' )->escaped() .
'</td>
<td width="695">
- <input type="text" size="45" class="createbox" name="team_name" value="' . $team['name'] . '" />
+ <input type="text" size="45" class="createbox" name="team_name" value="' . htmlspecialchars( $team['name'], ENT_QUOTES ) . '" />
</td>
</tr>
';
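Review bot: On the rewritten `<option{$selected} value=\"{$sport['id']}\">` line the name is now escaped but `$sport['id']` is still interpolated raw into the `value` attribute; if `getSports()` returns the column as-is it is presumably an integer, but nothing here enforces that. MediaWiki already has the helper for exactly this: `$form .= Xml::option( $sport['name'], (string)$sport['id'], $selected !== '' );` escapes both and replaces the three-statement concatenation. Unrelated to the change but visible in the context: the `$form .= '</select>` line is followed by `</tr>` with no closing `</td>` for the `<td width="695">` opened above, so the table markup is malformed.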
@@ -342,28 +342,28 @@ class SportsTeamsManager extends SpecialPage {
'" border="0" alt="logo" />';
$form .= '<tr>
<td width="200" class="view-form" valign="top">' .
- $this->msg( 'sportsteams-team-manager-team' )->text() .
+ $this->msg( 'sportsteams-team-manager-team' )->escaped() .
'</td>
<td width="695">' . $team_image . '
<p>
<a href="' . htmlspecialchars( SpecialPage::getTitleFor( 'SportsTeamsManagerLogo' )->getFullURL( "id={$id}" ) ) . '">' .
- $this->msg( 'sportsteams-team-manager-add-replace-logo' )->text() .
+ $this->msg( 'sportsteams-team-manager-add-replace-logo' )->escaped() .
'</a>
</td>
</tr>';
}
if ( $id ) {
- $msg = $this->msg( 'sportsteams-team-manager-edit' )->plain();
+ $msg = $this->msg( 'sportsteams-team-manager-edit' )->escaped();
} else {
- $msg = $this->msg( 'sportsteams-team-manager-add-team' )->plain();
+ $msg = $this->msg( 'sportsteams-team-manager-add-team' )->escaped();
}
$form .= '<tr>
<td colspan="2">
<input type="hidden" name="id" value="' . $id . '" />
<input type="button" class="site-button" value="' . $msg . '" size="20" onclick="document.sportsteamsmanager.submit()" />
- <input type="button" class="site-button" value="' . $this->msg( 'cancel' )->plain() . '" size="20" onclick="history.go(-1)" />
+ <input type="button" class="site-button" value="' . $this->msg( 'cancel' )->escaped() . '" size="20" onclick="history.go(-1)" />
</td>
</tr>
</table>
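Review bot: The hidden field `<input type="hidden" name="id" value="' . $id . '" />` next to the rewritten button lines still writes `$id` unescaped, and `$team_image` higher in the hunk is emitted raw as well; the patch only escapes the message strings around them. If `$id` comes from `getInt()` in the caller it is numeric, but that is outside this hunk, so casting at the point of use, `value="' . (int)$id . '"`, costs nothing and makes the line safe regardless of the caller. For `$team_image`, confirm that the `<img>` builder above escapes the `src` it embeds; the team-form function continues outside the hunk.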
diff --git a/includes/specials/SpecialUpdateFavoriteTeams.php b/includes/specials/SpecialUpdateFavoriteTeams.php
index 0310066..6858b4a 100644
--- a/includes/specials/SpecialUpdateFavoriteTeams.php
+++ b/includes/specials/SpecialUpdateFavoriteTeams.php
@@ -78,8 +78,9 @@ class UpdateFavoriteTeams extends UnlistedSpecialPage {
$sports = SportsTeams::getSports();
foreach ( $sports as $sport ) {
$output .= "<option value=\"{$sport['id']}\"" .
- ( ( $sport['id'] == $selected_sport_id ) ? ' selected' : '' ) .
- ">{$sport['name']}</option>\n";
+ ( ( $sport['id'] == $selected_sport_id ) ? ' selected' : '' ) . '>';
+ $output .= htmlspecialchars( $sport['name'], ENT_QUOTES );
+ $output .= "</option>\n";
}
$output .= '</select>';
$output .= '</p>
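Review bot: `{$sport['id']}` is still interpolated unescaped into the `value` attribute of the rewritten `<option>` line while `$sport['name']` is now escaped; the id is presumably an integer column, but the string is built without any cast. `Xml::option( $sport['name'], (string)$sport['id'], $sport['id'] == $selected_sport_id ) . "\n"` produces the same element with both parts escaped and drops the hand-written attribute assembly. The loose `==` against `$selected_sport_id` is inherited, but if that variable can be `null` or `''` it compares equal to `0`, so a `(int)` cast on both sides would be safer.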
@@ -95,9 +96,10 @@ class UpdateFavoriteTeams extends UnlistedSpecialPage {
}
foreach ( $teams as $team ) {
- $team_opts.= "<option value=\"{$team['id']}\"" .
- ( ( $team['id'] == $selected_team_id ) ? ' selected' : '' ) .
- ">{$team['name']}</option>";
+ $team_opts .= "<option value=\"{$team['id']}\"" .
+ ( ( $team['id'] == $selected_team_id ) ? ' selected' : '' ) . '>';
+ $team_opts .= htmlspecialchars( $team['name'], ENT_QUOTES );
+ $team_opts .= '</option>';
}
$output .= '<p class="profile-update-unit-left">' .
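Review bot: Same pattern as the sports list: the rewritten `<option value=\"{$team['id']}\"` line escapes the team name but not the id. `$team_opts .= Xml::option( $team['name'], (string)$team['id'], $team['id'] == $selected_team_id );` escapes both and reads as one statement instead of three. The `foreach` is inside a function whose start is outside this hunk, so where `$teams` and `$selected_team_id` come from is not visible here.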
@@ -131,7 +133,7 @@ class UpdateFavoriteTeams extends UnlistedSpecialPage {
// This is like core Special:Preferences, so you need to be logged in
// to use this special page
if ( !$user->isLoggedIn() ) {
- $out->setPageTitle( $this->msg( 'user-profile-sports-notloggedintitle' )->text() );
+ $out->setPageTitle( $this->msg( 'user-profile-sports-notloggedintitle' ) );
$out->addHTML( $this->msg( 'user-profile-sports-notloggedintext' )->escaped() );
return;
}
@@ -142,13 +144,13 @@ class UpdateFavoriteTeams extends UnlistedSpecialPage {
$sports = SportsTeams::getSports();
// Error message when there are no sports in the database
if ( empty( $sports ) ) {
- $out->setPageTitle( $this->msg( 'sportsteams-error-no-sports-title' )->plain() );
+ $out->setPageTitle( $this->msg( 'sportsteams-error-no-sports-title' ) );
$out->addWikiMsg( 'sportsteams-error-no-sports-message' );
return;
}
// Set the page title
- $out->setPageTitle( $this->msg( 'user-profile-sports-title' )->plain() );
+ $out->setPageTitle( $this->msg( 'user-profile-sports-title' ) );
// Add CSS (from SocialProfile), DoubleCombo.js and UpdateFavoriteTeams.js files to the page output
$out->addModuleStyles( [
@@ -164,7 +166,7 @@ class UpdateFavoriteTeams extends UnlistedSpecialPage {
// @todo FIXME/CHECKME: This requires site admins to manually edit [[MediaWiki:Update_profile_nav]]
// to add something like * Special:UpdateFavoriteTeams|user-profile-section-sportsteams there
// and that's not exactly ideal
- $output = UserProfile::getEditProfileNav( $this->msg( 'user-profile-section-sportsteams' )->text() );
+ $output = UserProfile::getEditProfileNav( $this->msg( 'user-profile-section-sportsteams' )->escaped() );
$output .= '<div class="profile-info">';
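Review bot: Passing `->escaped()` into `UserProfile::getEditProfileNav()` is only correct if that helper echoes its argument raw into HTML; if it instead compares the argument against the nav item text from `[[MediaWiki:Update_profile_nav]]` to mark the active tab, the escaped form will fail to match any label containing `&`, `<` or a quote, and no tab is highlighted. The helper lives in SocialProfile and is not visible here, so check its contract before landing this line; if it both compares and outputs, it should do its own escaping and receive `->text()`. A comment at the call site stating which it is, e.g. `// getEditProfileNav() outputs the label unescaped, so pass it pre-escaped`, would record the decision.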
@@ -174,8 +176,8 @@ class UpdateFavoriteTeams extends UnlistedSpecialPage {
if ( $request->getVal( 'action' ) == 'delete' ) {
$s->removeFavorite(
- $request->getVal( 's_id' ),
- $request->getVal( 't_id' )
+ $request->getInt( 's_id' ),
+ $request->getInt( 't_id' )
);
SportsTeams::clearUserCache( $user );
$out->addHTML(
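Review bot: `removeFavorite()` is triggered by `action=delete` in the query string with no POST or edit-token check visible in the hunk, so the rewritten `getInt( 's_id' )`/`getInt( 't_id' )` lines still let a link on another site delete a logged-in user's favourite team. Guard it with `if ( $request->wasPosted() && $user->matchEditToken( $request->getVal( 'wpEditToken' ) ) )` around the delete branch, and emit the token with `Html::hidden( 'wpEditToken', $user->getEditToken() )` in the form. `execute()` continues above and below this hunk, so the token check may already exist further up; if it does, the `getInt()` change is the only thing needed here.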
