F34910886
T298481-gomwiki.patch
MrStradivarius (Mr. Stradivarius)
Authored By: MrStradivarius, 2022-01-07 22:41:05 (UTC+0)
Size: 1 KB
From 5a8be1a8f9886a7cc7211b1abb2d374668b5a867 Mon Sep 17 00:00:00 2001
From: "Mr. Stradivarius" <misterstrad@gmail.com>
Date: Sat, 8 Jan 2022 07:36:42 +0900
Subject: [PATCH] Fix XSS vulnerability in config URL
Escape the configFullPath variable so that a second title parameter
cannot be injected into the config URL before it is passed to
jQuery.getScript.
---
MediaWiki:Gadget-formWizard-core.js | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/MediaWiki:Gadget-formWizard-core.js b/MediaWiki:Gadget-formWizard-core.js
index 478e858..6164fb4 100644
--- a/MediaWiki:Gadget-formWizard-core.js
+++ b/MediaWiki:Gadget-formWizard-core.js
@@ -972,7 +972,7 @@ $(function() {
$('#formsDialogExpand .loading').show();
var configFullPath = utility.configPath+'/'+formsGadgetNamespace+'/'+formsGadgetType;
- var configUrl = '//en.wikipedia.org/w/index.php?title='+configFullPath+'&action=raw&ctype=text/javascript';
+ var configUrl = '//en.wikipedia.org/w/index.php?title='+encodeURIComponent(configFullPath)+'&action=raw&ctype=text/javascript';
//Get the config for the language above
$.when(jQuery.getScript(configUrl)).then(function(){
var config = utility.stripWhiteSpace(formsGadgetConfig[formsGadgetMode]);
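Review bot: encodeURIComponent on the `+` line closes the parameter-injection hole, but the page named by configFullPath is still fetched with action=raw and executed by jQuery.getScript, so this fix is only as strong as the guarantee that formsGadgetNamespace and formsGadgetType cannot steer the title outside the utility.configPath tree, and nothing in this hunk enforces that. Consider validating both segments against an allowlist (for example rejecting anything outside [A-Za-z0-9 _-]) before they are concatenated into configFullPath, and checking that the resulting title still starts with utility.configPath, rather than relying on encoding alone. Two smaller points: the '/' separators are now sent as %2F, so please confirm against a real config page that index.php still resolves the subpage title (MediaWiki decodes title=, so this should work, but it deserves a test); and the hard-coded '//en.wikipedia.org/w/index.php' means a copy of this gadget on another wiki (the patch filename suggests it is being applied on gomwiki) executes script fetched cross-origin from enwiki, so mw.config.get('wgScript') would be the safer base.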
--
2.25.1
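An added example, not code from the FormWizard gadget or from the patch author, showing the mechanism the commit message describes: with the unencoded concatenation a crafted formsGadgetType ends the intended title and supplies a second title= parameter, while after encodeURIComponent the whole path is a single query value. The builder functions mirror the `-` and `+` lines of the hunk; the config path, namespace and attacker-controlled type are constructed values, the last-wins rule for a duplicate query key is an assumption about how the server parses the query string (PHP semantics), and isSafeSegment is a suggested allowlist, not something the gadget enforces.

```javascript
// Added example (not part of the FormWizard gadget or this patch). The two
// builder functions mirror the '-' and '+' lines of the hunk; serverSideTitle
// models how the wiki resolves a repeated query parameter (assumption: last
// occurrence wins, which is PHP's behaviour for duplicate keys).

const WIKI_SCRIPT = '//en.wikipedia.org/w/index.php';
const QUERY_TAIL = '&action=raw&ctype=text/javascript';

// Vulnerable form: configFullPath is concatenated into the query string unencoded,
// so an '&' inside it starts a new parameter.
function buildConfigUrlUnsafe(configPath, namespace, type) {
  const configFullPath = configPath + '/' + namespace + '/' + type;
  return WIKI_SCRIPT + '?title=' + configFullPath + QUERY_TAIL;
}

// Fixed form: the whole path is one percent-encoded value, so '&' and '=' in it
// are data, not query syntax.
function buildConfigUrlSafe(configPath, namespace, type) {
  const configFullPath = configPath + '/' + namespace + '/' + type;
  return WIKI_SCRIPT + '?title=' + encodeURIComponent(configFullPath) + QUERY_TAIL;
}

// Which page the server would serve for action=raw. Duplicate 'title' keys are
// resolved last-wins (assumed PHP semantics); URLSearchParams percent-decodes.
function serverSideTitle(schemeRelativeUrl) {
  const values = new URL('https:' + schemeRelativeUrl).searchParams.getAll('title');
  return values.length ? values[values.length - 1] : null;
}

// Defence in depth beyond the patch: only accept path segments made of the
// characters a gadget page name needs, so '&', '=', '#' or ':' never reach the URL.
// The character set is a suggested allowlist, not something the gadget enforces.
function isSafeSegment(segment) {
  return /^[A-Za-z0-9 _-]+$/.test(segment);
}

// Constructed attacker-controlled value for formsGadgetType: terminates the
// intended title and supplies a second one pointing at an attacker's page.
const ATTACKER_TYPE = 'Standard&title=User:Attacker/payload.js';
// Constructed stand-in for utility.configPath; not the gadget's real value.
const CONFIG_PATH = 'MediaWiki:Gadget-formWizard-config';

function demo() {
  const unsafe = buildConfigUrlUnsafe(CONFIG_PATH, 'Wikipedia', ATTACKER_TYPE);
  const safe = buildConfigUrlSafe(CONFIG_PATH, 'Wikipedia', ATTACKER_TYPE);
  return {
    unsafeTitle: serverSideTitle(unsafe), // attacker's page would be fetched and evaluated
    safeTitle: serverSideTitle(safe),     // one (nonexistent) title; no second parameter
    typeAccepted: isSafeSegment(ATTACKER_TYPE),
  };
}

console.log(demo());
```

Running it shows the unencoded URL resolving to User:Attacker/payload.js, which jQuery.getScript would then execute, while the encoded URL carries a single title whose value contains the literal `&title=` text; the allowlist rejects the crafted type outright, which is the check the patch itself does not add.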
File Metadata
Mime Type: text/x-diff
Attached To: T298481: XSS vulnerability in the FormWizard default gadget on enwiki