Authored By
Urbanecm_WMF
Aug 23 2021, 10:37 AM

T289408.patch

From db9971c1ed6321372beed0e2de67f8d06933c6ef Mon Sep 17 00:00:00 2001
From: Martin Urbanec <martin.urbanec@wikimedia.cz>
Date: Sat, 21 Aug 2021 21:34:16 +0200
Subject: [PATCH] SECURITY: Fix a bunch of XSS holes in Mentor dashboard
Pattern: $('<el>').append(<unescaped string>)
Solution: use .text() instead of .append(), which
makes jQuery escape the string. Alternative solution
would be to use mw.message(...).escaped() or
mw.message(...).parse() instead.
Bug: T289408
Change-Id: I858d55fb2eca9b50ac6ef5a6f2a7b2784f0fa0d6
---
...entorDashboard.MenteeOverview.FilterDropdown.js | 2 +-
...thExperiments.MentorDashboard.MenteeOverview.js | 14 +++++++-------
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/modules/mentordashboard/ext.growthExperiments.MentorDashboard.MenteeOverview.FilterDropdown.js b/modules/mentordashboard/ext.growthExperiments.MentorDashboard.MenteeOverview.FilterDropdown.js
index ac450f60..291e5a28 100644
--- a/modules/mentordashboard/ext.growthExperiments.MentorDashboard.MenteeOverview.FilterDropdown.js
+++ b/modules/mentordashboard/ext.growthExperiments.MentorDashboard.MenteeOverview.FilterDropdown.js
@@ -49,7 +49,7 @@
this.$filterDropdown = $( '<div>' )
.addClass( 'growthexperiments-mentor-dashboard-module-mentee-overview-filter-dropdown' )
.append(
- $( '<h3>' ).append(
+ $( '<h3>' ).text(
mw.msg( 'growthexperiments-mentor-dashboard-mentee-overview-add-filter-total-edits-headline' )
),
$( '<div>' )
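Review bot: The switch to `.text()` on the added `<h3>` line is the correct sink, but it rests on an assumption the hunk does not record: mw.msg() hands back the raw message without parsing it, so the message key used here must hold plain text, and any markup an interface admin later puts into it would render literally rather than execute. The same assumption holds for the heading and paragraph messages in the second hunk and the active-ago message in the last hunk; of those, 'growthexperiments-mentor-dashboard-mentee-overview-info-text' is a paragraph rather than a heading, so it is the one most worth confirming against the i18n file, and if it is meant to carry links, mw.message( ... ).parseDom() rather than .text() would be the fix. A short why-comment at the first occurrence would stop a future maintainer from reverting to .append(): `// .text(), not .append(): mw.msg() returns the unescaped message, so it must never be inserted as HTML`.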
diff --git a/modules/mentordashboard/ext.growthExperiments.MentorDashboard.MenteeOverview.js b/modules/mentordashboard/ext.growthExperiments.MentorDashboard.MenteeOverview.js
index bf5af638..e4b98f2e 100644
--- a/modules/mentordashboard/ext.growthExperiments.MentorDashboard.MenteeOverview.js
+++ b/modules/mentordashboard/ext.growthExperiments.MentorDashboard.MenteeOverview.js
@@ -53,10 +53,10 @@
width: null,
// HACK: setting label should not be necessary in theory, but the label doesn't appear without it
label: mw.msg( 'growthexperiments-mentor-dashboard-mentee-overview-info-headline' ),
- $label: $( '<h3>' ).append( mw.msg( 'growthexperiments-mentor-dashboard-mentee-overview-info-headline' ) ),
+ $label: $( '<h3>' ).text( mw.msg( 'growthexperiments-mentor-dashboard-mentee-overview-info-headline' ) ),
$content: $( '<div>' ).addClass( 'growthexperiments-mentor-dashboard-module-mentee-overview-info-content' ).append(
- $( '<p>' ).append( mw.msg( 'growthexperiments-mentor-dashboard-mentee-overview-info-text' ) ),
- $( '<h3>' ).append( mw.msg( 'growthexperiments-mentor-dashboard-mentee-overview-info-legend-headline' ) ),
+ $( '<p>' ).text( mw.msg( 'growthexperiments-mentor-dashboard-mentee-overview-info-text' ) ),
+ $( '<h3>' ).text( mw.msg( 'growthexperiments-mentor-dashboard-mentee-overview-info-legend-headline' ) ),
$( '<div>' ).addClass( 'growthexperiments-mentor-dashboard-overview-info-legend-content' ).append(
this.makeLegendIcon(
'unStar',
@@ -162,7 +162,7 @@
.addClass( 'growthexperiments-mentor-dashboard-overview-info-legend-content-icon' )
.append(
new OO.ui.IconWidget( { icon: iconName } ).$element,
- $( '<p>' ).append( description )
+ $( '<p>' ).text( description )
);
};
@@ -174,7 +174,7 @@
return $( '<td>' )
.attr( 'data-field', fieldName )
.addClass( 'growthexperiments-mentor-dashboard-module-mentee-overview-table-value' )
- .append( value );
+ .text( value );
};
MenteeOverview.prototype.sortTable = function ( field, dir ) {
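Review bot: The new `.text( value )` on the cell builder changes the accepted type of `value`, not just its escaping: `.append()` took jQuery objects and DOM nodes, whereas `.text()` stringifies them, so a caller that passes a node for a cell (a link, an icon) would now render `[object Object]`. The function's signature is above this hunk, so I cannot see whether any caller does that; if none does, a one-line contract comment such as `// value must be a string or number; it is inserted as text, never as HTML` is enough, and if some do, branch on the type, `value instanceof $ ? cell.append( value ) : cell.text( value )`, so that only pre-built nodes bypass escaping. Numbers are still fine, since jQuery converts them.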
@@ -276,11 +276,11 @@
'href',
( new mw.Title( userData.username, 2 ) ).getUrl()
)
- .append( userData.username )
+ .text( userData.username )
),
$( '<span>' )
.addClass( 'growthexperiments-mentor-dashboard-module-mentee-overview-table-activity' )
- .append( mw.msg(
+ .text( mw.msg(
'growthexperiments-mentor-dashboard-mentee-overview-active-ago',
userData.last_active.human
) )
--
2.20.1
