File F34617703: T289408-.19.patch
Authored by Urbanecm_WMF (Martin Urbanec / Urbanecm), Aug 23 2021, 9:59 AM (2021-08-23 09:59:57 UTC+0)
Size: 2 KB
From 032ce85074c4f48f7a2238b187774b551e765d62 Mon Sep 17 00:00:00 2001
From: Martin Urbanec <martin.urbanec@wikimedia.cz>
Date: Sat, 21 Aug 2021 21:34:16 +0200
Subject: [PATCH] SECURITY: Fix a bunch of XSS holes in Mentor dashboard
Pattern: $('<el>').append(<unescaped string>)
Solution: use .text() instead of .append(), which
makes jQuery escape the string. Alternative solution
would be to use mw.message(...).escaped() or
mw.message(...).parse() instead.
Bug: T289408
Change-Id: I858d55fb2eca9b50ac6ef5a6f2a7b2784f0fa0d6
---
...riments.MentorDashboard.MenteeOverview.FilterDropdown.js | 4 ++--
.../ext.growthExperiments.MentorDashboard.MenteeOverview.js | 6 +++---
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/modules/mentordashboard/ext.growthExperiments.MentorDashboard.MenteeOverview.FilterDropdown.js b/modules/mentordashboard/ext.growthExperiments.MentorDashboard.MenteeOverview.FilterDropdown.js
index ace41f15..6265c30c 100644
--- a/modules/mentordashboard/ext.growthExperiments.MentorDashboard.MenteeOverview.FilterDropdown.js
+++ b/modules/mentordashboard/ext.growthExperiments.MentorDashboard.MenteeOverview.FilterDropdown.js
@@ -32,7 +32,7 @@
this.$filterDropdown = $( '<div>' )
.addClass( 'growthexperiments-mentor-dashboard-module-mentee-overview-filter-dropdown' )
.append(
- $( '<h3>' ).append(
+ $( '<h3>' ).text(
mw.msg( 'growthexperiments-mentor-dashboard-mentee-overview-add-filter-total-edits-headline' )
),
$( '<div>' )
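Review bot: `.text()` is the right sink for this headline, but be clear about what it changes: `mw.msg()` returns the message in text format, with parameters substituted but nothing HTML-escaped, and jQuery's `.append()` parses a string argument as HTML, so any markup in the message (or in a translation of it) was rendered live. With `.text()` the string becomes a text node and markup is shown literally. That is correct as long as this headline message is plain text; if a translation is expected to carry markup, the `mw.message( ... ).parse()` route named in the commit message is the alternative, and the parsed output rather than the raw string is then what needs review.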
@@ -48,7 +48,7 @@
} ).$element
),
$( '<hr>' ),
- $( '<h3>' ).append(
+ $( '<h3>' ).text(
mw.msg( 'growthexperiments-mentor-dashboard-mentee-overview-add-filter-starred-headline' )
),
new OO.ui.FieldLayout( this.filterDropdownOnlyStarred, {
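Review bot: this fix was found by pattern, so please confirm coverage beyond the two headlines in this file: `.prepend()`, `.before()`, `.after()`, `.html()` and `.replaceWith()` parse a string argument exactly as `.append()` does, and a grep for those calls taking `mw.msg(` or a bare variable across the mentor dashboard modules would show whether any were missed. The `.append(` calls that remain in this hunk's context take jQuery objects (`$( '<hr>' )`, `FieldLayout( ... ).$element`), which are inserted as nodes and are not affected.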
diff --git a/modules/mentordashboard/ext.growthExperiments.MentorDashboard.MenteeOverview.js b/modules/mentordashboard/ext.growthExperiments.MentorDashboard.MenteeOverview.js
index 130b29ab..fe07c7eb 100644
--- a/modules/mentordashboard/ext.growthExperiments.MentorDashboard.MenteeOverview.js
+++ b/modules/mentordashboard/ext.growthExperiments.MentorDashboard.MenteeOverview.js
@@ -116,7 +116,7 @@
return $( '<td>' )
.attr( 'data-field', fieldName )
.addClass( 'growthexperiments-mentor-dashboard-module-mentee-overview-table-value' )
- .append( value );
+ .text( value );
};
MenteeOverview.prototype.sortTable = function ( field, dir ) {
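Review bot: `.text( value )` changes the contract of this cell builder: a `value` that is a jQuery object or DOM node would previously have been inserted as a node and will now be stringified (`[object Object]`), while strings and numbers render as expected. Please confirm every caller passes a string; the username cell in the next hunk is built separately with an `<a>` element, so any column that needs element content should take a path other than this `.text()` cell.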
@@ -218,11 +218,11 @@
'href',
( new mw.Title( userData.username, 2 ) ).getUrl()
)
- .append( userData.username )
+ .text( userData.username )
),
$( '<span>' )
.addClass( 'growthexperiments-mentor-dashboard-module-mentee-overview-table-activity' )
- .append( mw.msg(
+ .text( mw.msg(
'growthexperiments-mentor-dashboard-mentee-overview-active-ago',
userData.last_active.human
) )
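Review bot: the username and the activity message are now set as text, which closes the sink; the `href` built from `( new mw.Title( userData.username, 2 ) ).getUrl()` was already safe, since `.attr()` does not parse HTML. One robustness note on that context line: the `mw.Title` constructor throws on text it cannot parse as a title, so a malformed `username` coming back from the API would abort rendering of the whole table, whereas `mw.Title.newFromText()` returns `null` and would let the row degrade gracefully. `userData.last_active.human` is substituted into the message as `$1` and can no longer introduce markup either, which is the right outcome for a relative-time string.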
--
2.20.1
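The pattern the commit message describes, `$('<el>').append(<unescaped string>)`, is easy to miss in review because the string is usually a translated message or a field value rather than a literal. As an added example (not code from the GrowthExperiments extension or from the patch author), the following JavaScript is a small heuristic scanner for that pattern and for the other jQuery sinks that parse a string argument as HTML. The sample source it scans is constructed here from the pre-fix shapes in this patch plus a few safe and unsafe variants; the sink list, the classification rules and the sample are all assumptions of this example.

```javascript
'use strict';

// Added example, not part of the GrowthExperiments patch: a heuristic scanner
// for the pattern named in the commit message, $('<el>').append(<unescaped string>).
// It flags jQuery sink calls whose argument is a string the call site does not
// control (mw.msg(...), a variable, a concatenation). Review aid only; a clean
// report is not a proof of safety.

// jQuery methods that parse a string argument as HTML markup (assumed list).
const HTML_SINKS = ['append', 'prepend', 'after', 'before', 'html', 'replaceWith'];

// Return the text between the "(" just before `start` and its matching ")",
// ignoring parentheses inside string literals; null if unbalanced.
function extractArgs(source, start) {
  let depth = 1;
  let quote = null;
  for (let i = start; i < source.length; i++) {
    const c = source[i];
    if (quote) {
      if (c === '\\') { i++; continue; }
      if (c === quote) quote = null;
      continue;
    }
    if (c === '\'' || c === '"' || c === '`') quote = c;
    else if (c === '(') depth++;
    else if (c === ')' && --depth === 0) return source.slice(start, i);
  }
  return null;
}

// Split an argument list on commas at nesting depth 0.
function splitTopLevel(text) {
  const parts = [];
  let depth = 0;
  let quote = null;
  let cur = '';
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (quote) {
      cur += c;
      if (c === '\\') { cur += text[++i] || ''; continue; }
      if (c === quote) quote = null;
      continue;
    }
    if (c === '\'' || c === '"' || c === '`') quote = c;
    else if ('([{'.includes(c)) depth++;
    else if (')]}'.includes(c)) depth--;
    else if (c === ',' && depth === 0) { parts.push(cur); cur = ''; continue; }
    cur += c;
  }
  parts.push(cur);
  return parts;
}

// Classify one argument expression. Only 'unescaped-string' is reported.
function classify(arg) {
  if (arg === '') return 'empty';
  // jQuery objects, OOUI widgets and $element references are inserted as
  // nodes, so jQuery never parses them as markup.
  if (/^(\$\s*\(|new\s+OO\.ui\.)/.test(arg) || /(^|\.)\$\w+$/.test(arg)) return 'node';
  // mw.message( ... ).escaped() / .parse() yield HTML that is safe to insert.
  if (/^mw\.message\s*\(.*\)\s*\.\s*(escaped|parse)\s*\(\s*\)$/s.test(arg)) return 'escaped';
  // A lone string literal is static markup written by the developer.
  if (/^(['"`])(?:\\.|(?!\1).)*\1$/s.test(arg)) return 'static-markup';
  return 'unescaped-string';
}

// Scan JavaScript source text; return {line, method, arg} for each risky call.
function findSinkCalls(source) {
  const re = new RegExp('\\.(' + HTML_SINKS.join('|') + ')\\s*\\(', 'g');
  const findings = [];
  let m;
  while ((m = re.exec(source)) !== null) {
    const argText = extractArgs(source, m.index + m[0].length);
    if (argText === null) continue;
    const line = source.slice(0, m.index).split('\n').length;
    for (const raw of splitTopLevel(argText)) {
      const arg = raw.trim();
      if (classify(arg) === 'unescaped-string') findings.push({ line, method: m[1], arg });
    }
  }
  return findings;
}

// Human-readable report, one line per finding.
function report(source) {
  return findSinkCalls(source).map(
    f => `line ${f.line}: .${f.method}( ${f.arg} ) parses its argument as HTML; ` +
         'use .text() for plain strings or mw.message( ... ).escaped() / .parse() for markup'
  );
}

// Constructed sample: the pre-fix shapes from the patch plus safe and unsafe
// variants, so the scanner's decisions are visible side by side.
const SAMPLE = [
  "this.$filterDropdown = $( '<div>' )",
  "\t.addClass( 'filter-dropdown' )",
  "\t.append(",
  "\t\t$( '<h3>' ).append(",
  "\t\t\tmw.msg( 'growthexperiments-mentor-dashboard-mentee-overview-add-filter-total-edits-headline' )",
  "\t\t),",
  "\t\t$( '<hr>' ),",
  "\t\tnew OO.ui.FieldLayout( this.filterDropdownOnlyStarred, { align: 'inline' } ).$element",
  "\t);",
  "return $( '<td>' ).attr( 'data-field', fieldName ).append( value );",
  "$( '<span>' ).append( '<br>' );",
  "$( '<span>' ).append( mw.message( 'some-key' ).escaped() );",
  "$( '<h3>' ).text( mw.msg( 'some-key' ) );",
  "$( '<p>' ).append( '<b>' + userData.username + '</b>' );",
].join('\n');

console.log(report(SAMPLE).join('\n'));
```

Run with node; it prints one line per flagged call (the `mw.msg` headline, the bare `value` cell and the concatenation, but not the static `'<br>'`, the `.escaped()` message, the `$element` or the `.text()` call). The classifier is deliberately simple and uses no real parser, so treat a hit as a prompt to look at the call site and a clean run as nothing more than that.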
Mime type: text/x-diff
Attached to: T289408: Mentor dashboard: Permanent XSS exploitable by wiki admins (client-side part) (CVE-2021-42044)