
T298481-gomwiki.patch

From 5a8be1a8f9886a7cc7211b1abb2d374668b5a867 Mon Sep 17 00:00:00 2001
From: "Mr. Stradivarius" <misterstrad@gmail.com>
Date: Sat, 8 Jan 2022 07:36:42 +0900
Subject: [PATCH] Fix XSS vulnerability in config URL
Escape the configFullPath variable so that a second title parameter
cannot be injected into the config URL before it is passed to
jQuery.getScript.
---
MediaWiki:Gadget-formWizard-core.js | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/MediaWiki:Gadget-formWizard-core.js b/MediaWiki:Gadget-formWizard-core.js
index 478e858..6164fb4 100644
--- a/MediaWiki:Gadget-formWizard-core.js
+++ b/MediaWiki:Gadget-formWizard-core.js
@@ -972,7 +972,7 @@ $(function() {
$('#formsDialogExpand .loading').show();
var configFullPath = utility.configPath+'/'+formsGadgetNamespace+'/'+formsGadgetType;
- var configUrl = '//en.wikipedia.org/w/index.php?title='+configFullPath+'&action=raw&ctype=text/javascript';
+ var configUrl = '//en.wikipedia.org/w/index.php?title='+encodeURIComponent(configFullPath)+'&action=raw&ctype=text/javascript';
//Get the config for the language above
$.when(jQuery.getScript(configUrl)).then(function(){
var config = utility.stripWhiteSpace(formsGadgetConfig[formsGadgetMode]);
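Review bot: The encoding closes the parameter-injection hole, but `configFullPath` is still assembled on the line above from `formsGadgetNamespace` and `formsGadgetType`, and `jQuery.getScript(configUrl)` executes whatever that title returns as JavaScript, so any caller-influenced part of the title still selects which page gets executed. If those two values come from the page URL or user input (their origin is not visible in this hunk), validating them against an allowlist of expected namespace and type names before the concatenation would bound what can be loaded, e.g. `if (!/^[A-Za-z0-9_-]+$/.test(formsGadgetType)) { return; }`. A comment on the changed line such as `// encodeURIComponent: the title must not be able to smuggle extra query parameters into the raw-JS fetch` would record why the encoding is load-bearing so it is not "simplified" away later. The enclosing `$(function() {` handler starts and ends outside this hunk.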
--
2.25.1
