Page MenuHomePhabricator
Files F34598374

T289063.patch
Urbanecm_WMF (Martin Urbanec / Urbanecm)
Actions

Authored By
Urbanecm_WMF
Aug 17 2021, 3:11 PM
Size
1 KB
Referenced Files
None
Subscribers
None

T289063.patch
View Options

From 9f0822192576c417b49f46ebffbe0cbc1a3f2169 Mon Sep 17 00:00:00 2001
From: Martin Urbanec <martin.urbanec@wikimedia.cz>
Date: Tue, 17 Aug 2021 17:04:47 +0200
Subject: [PATCH] SECURITY: Fix XSS vulnerability in mentor dashboard
Html::rawElement cannot be used together with the "text"
mode of messages API; that results in unsafe HTML.
Bug: T289063
Change-Id: I2bd8e98e3b31dce0d2b49707e6e38bd342949314
---
includes/MentorDashboard/Modules/MenteeOverview.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/includes/MentorDashboard/Modules/MenteeOverview.php b/includes/MentorDashboard/Modules/MenteeOverview.php
index 0f8e14aa..60f15b5f 100644
--- a/includes/MentorDashboard/Modules/MenteeOverview.php
+++ b/includes/MentorDashboard/Modules/MenteeOverview.php
@@ -30,7 +30,7 @@ class MenteeOverview extends BaseModule {
* @inheritDoc
*/
protected function getBody() {
- return Html::rawElement(
+ return Html::element(
'div',
[
'class' => 'growthexperiments-mentor-dashboard-module-mentee-overview-content'
--
2.20.1

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
9154674
Default Alt Text
T289063.patch (1 KB)

Event Timeline

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL