
T289408.patch

From 31ded9e6306823fa90151bffb00226aae84ff5df Mon Sep 17 00:00:00 2001
From: Martin Urbanec <martin.urbanec@wikimedia.cz>
Date: Sat, 21 Aug 2021 21:34:16 +0200
Subject: [PATCH] SECURITY: Fix a bunch of XSS holes in Mentor dashboard
Pattern: $('<el>').append(<unescaped string>)
Solution: use .text() instead of .append(), which
makes jQuery escape the string. Alternative solution
would be to use mw.message(...).escaped() or
mw.message(...).parse() instead.
Change-Id: I858d55fb2eca9b50ac6ef5a6f2a7b2784f0fa0d6
---
...entorDashboard.MenteeOverview.FilterDropdown.js | 4 ++--
...thExperiments.MentorDashboard.MenteeOverview.js | 14 +++++++-------
2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/modules/mentordashboard/ext.growthExperiments.MentorDashboard.MenteeOverview.FilterDropdown.js b/modules/mentordashboard/ext.growthExperiments.MentorDashboard.MenteeOverview.FilterDropdown.js
index ace41f15..6265c30c 100644
--- a/modules/mentordashboard/ext.growthExperiments.MentorDashboard.MenteeOverview.FilterDropdown.js
+++ b/modules/mentordashboard/ext.growthExperiments.MentorDashboard.MenteeOverview.FilterDropdown.js
@@ -32,7 +32,7 @@
this.$filterDropdown = $( '<div>' )
.addClass( 'growthexperiments-mentor-dashboard-module-mentee-overview-filter-dropdown' )
.append(
- $( '<h3>' ).append(
+ $( '<h3>' ).text(
mw.msg( 'growthexperiments-mentor-dashboard-mentee-overview-add-filter-total-edits-headline' )
),
$( '<div>' )
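Review bot: `.text( mw.msg( … ) )` on the `<h3>` closes the injection, but it also renders any markup the message itself carries as literal characters, so a headline message that ever gains a link or `<em>` will display its tags verbatim. For plain headlines that is acceptable; where a message is meant to contain markup, `$( '<h3>' ).append( mw.message( 'growthexperiments-mentor-dashboard-mentee-overview-add-filter-total-edits-headline' ).parseDom() )` keeps the message's own markup while still treating its parameters as text, which is the alternative the commit message mentions. The same consideration applies to the `-starred-headline` hunk below and to the `-info-text` and legend-headline lines in MenteeOverview.js @@ -53, where the paragraph-length `info-text` message is the likeliest one to need it. The enclosing constructor starts and ends outside this hunk.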
@@ -48,7 +48,7 @@
} ).$element
),
$( '<hr>' ),
- $( '<h3>' ).append(
+ $( '<h3>' ).text(
mw.msg( 'growthexperiments-mentor-dashboard-mentee-overview-add-filter-starred-headline' )
),
new OO.ui.FieldLayout( this.filterDropdownOnlyStarred, {
diff --git a/modules/mentordashboard/ext.growthExperiments.MentorDashboard.MenteeOverview.js b/modules/mentordashboard/ext.growthExperiments.MentorDashboard.MenteeOverview.js
index bf5af638..e4b98f2e 100644
--- a/modules/mentordashboard/ext.growthExperiments.MentorDashboard.MenteeOverview.js
+++ b/modules/mentordashboard/ext.growthExperiments.MentorDashboard.MenteeOverview.js
@@ -53,10 +53,10 @@
width: null,
// HACK: setting label should not be necessary in theory, but the label doesn't appear without it
label: mw.msg( 'growthexperiments-mentor-dashboard-mentee-overview-info-headline' ),
- $label: $( '<h3>' ).append( mw.msg( 'growthexperiments-mentor-dashboard-mentee-overview-info-headline' ) ),
+ $label: $( '<h3>' ).text( mw.msg( 'growthexperiments-mentor-dashboard-mentee-overview-info-headline' ) ),
$content: $( '<div>' ).addClass( 'growthexperiments-mentor-dashboard-module-mentee-overview-info-content' ).append(
- $( '<p>' ).append( mw.msg( 'growthexperiments-mentor-dashboard-mentee-overview-info-text' ) ),
- $( '<h3>' ).append( mw.msg( 'growthexperiments-mentor-dashboard-mentee-overview-info-legend-headline' ) ),
+ $( '<p>' ).text( mw.msg( 'growthexperiments-mentor-dashboard-mentee-overview-info-text' ) ),
+ $( '<h3>' ).text( mw.msg( 'growthexperiments-mentor-dashboard-mentee-overview-info-legend-headline' ) ),
$( '<div>' ).addClass( 'growthexperiments-mentor-dashboard-overview-info-legend-content' ).append(
this.makeLegendIcon(
'unStar',
@@ -162,7 +162,7 @@
.addClass( 'growthexperiments-mentor-dashboard-overview-info-legend-content-icon' )
.append(
new OO.ui.IconWidget( { icon: iconName } ).$element,
- $( '<p>' ).append( description )
+ $( '<p>' ).text( description )
);
};
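Review bot: `.text( description )` narrows what this helper accepts: a caller that passed a jQuery collection or a DOM element to the former `.append( description )` now gets it stringified into the `<p>` rather than inserted, and the same holds for `value` in the `@@ -174` hunk below. The call sites are outside the hunk (the `makeLegendIcon( 'unStar', …` call at `@@ -53` shows only its first argument), so this cannot be confirmed here. If every caller passes a string, documenting the new contract with `@param {string} description` on `makeLegendIcon` and `@param {string} value` on the table-cell helper would make the escaping guarantee explicit. `makeLegendIcon`'s signature is outside the hunk.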
@@ -174,7 +174,7 @@
return $( '<td>' )
.attr( 'data-field', fieldName )
.addClass( 'growthexperiments-mentor-dashboard-module-mentee-overview-table-value' )
- .append( value );
+ .text( value );
};
MenteeOverview.prototype.sortTable = function ( field, dir ) {
@@ -276,11 +276,11 @@
'href',
( new mw.Title( userData.username, 2 ) ).getUrl()
)
- .append( userData.username )
+ .text( userData.username )
),
$( '<span>' )
.addClass( 'growthexperiments-mentor-dashboard-module-mentee-overview-table-activity' )
- .append( mw.msg(
+ .text( mw.msg(
'growthexperiments-mentor-dashboard-mentee-overview-active-ago',
userData.last_active.human
) )
--
2.20.1
