F34435897
T281595.patch
Mainframe98 (Klaas Skelte van der Werf)
Authored By
Mainframe98
Apr 30 2021, 6:38 PM
2021-04-30 18:38:05 (UTC+0)
Size
1 KB
T281595.patch
From 2f251a772ae732353032bbd640da3dfae924b238 Mon Sep 17 00:00:00 2001
From: mainframe98 <k.s.werf@hotmail.com>
Date: Fri, 30 Apr 2021 20:26:15 +0200
Subject: [PATCH] SECURITY: Fix XSS vulnerability in EditPage and
ProtectionForm
The documentation of OutputPage::wrapWikiMsg says it is
equivalent to OutputPage::addWikitextAsInterface called
with wfMessage()->plain(). This holds because
addWikitextAsInterface parses (and therefore sanitizes)
the wikitext. If the plain message is passed to addHTML
instead, no parsing or escaping happens, so message markup
reaches the page unescaped.
Follow-up to I83f2828bcde160c98a1d97e783a869e64fb4c6ea.
Bug: T281595
Change-Id: Ia6c7a7447e5cea903be9f5d9e76320ea56fedd4c
---
includes/EditPage.php | 2 +-
includes/ProtectionForm.php | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/includes/EditPage.php b/includes/EditPage.php
index f74f3ba61e..e1a7f18e79 100644
--- a/includes/EditPage.php
+++ b/includes/EditPage.php
@@ -2966,7 +2966,7 @@ class EditPage implements IEditObject {
if ( $this->wasDeletedSinceLastEdit() && $this->formtype !== 'save' ) {
$out->addHTML( Html::errorBox(
- $out->msg( 'deletedwhileediting' )->plain(),
+ $out->msg( 'deletedwhileediting' )->parse(),
'',
'mw-deleted-while-editing'
) );
diff --git a/includes/ProtectionForm.php b/includes/ProtectionForm.php
index a0d09b41e3..af9edaf7f5 100644
--- a/includes/ProtectionForm.php
+++ b/includes/ProtectionForm.php
@@ -256,7 +256,7 @@ class ProtectionForm {
$out->addBacklinkSubtitle( $this->mTitle );
if ( is_array( $err ) ) {
- $out->addHTML( Html::errorBox( $out->msg( ...$err )->plain() ) );
+ $out->addHTML( Html::errorBox( $out->msg( ...$err )->parse() ) );
} elseif ( is_string( $err ) ) {
$out->addHTML( Html::errorBox( $err ) );
}
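Review bot: The `is_string( $err )` branch two lines below the changed one still passes `$err` straight into `Html::errorBox()`, which expects HTML, so it is only safe if every caller supplying a string `$err` already escaped it; the hunk does not show those callers, so this is worth confirming rather than assuming. If the string form is meant to be pre-escaped HTML, say so where the branch lives: `// String $err must already be HTML; callers passing raw text must escape it first.` If it is not guaranteed, `Html::errorBox( htmlspecialchars( $err ) )` (or `Html::element`) would close the same class of bug this patch fixes for the array form. The enclosing method starts and ends outside the hunk.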
--
2.31.1.windows.1
T281595: XSSs from not escaping i18n messages in recent core patch