Authored By: Dreamy_Jazz, Mar 15 2023, 7:42 PM
Size: 1 KB

T331192.patch

From 190f8e079c453fb94689753ae7dfbe96271771cf Mon Sep 17 00:00:00 2001
From: Dreamy Jazz <dreamyjazzwikipedia@gmail.com>
Date: Wed, 15 Mar 2023 19:25:20 +0000
Subject: [PATCH] Escape HTML in the user text for the checkbox in get users
Escape any HTML in the user text provided to the mustache template.
This is needed because any double quote characters (i.e. '"') will
cause the "value" attribute for the checkbox to be ended early. By
doing this it makes blocking the account using the block form that
is shown under the results impossible, but also could allow HTML
injection into the input tag. Injection of other elements should
not be possible unless $wgInvalidUsernameCharacters was modified
to remove the ">" character.
Bug: T331192
Change-Id: If38d0ffbfed795c2f2206a09aa65fb16d6a9d030
---
templates/GetUsersLine.mustache | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/GetUsersLine.mustache b/templates/GetUsersLine.mustache
index d7f32af6..ed255067 100644
--- a/templates/GetUsersLine.mustache
+++ b/templates/GetUsersLine.mustache
@@ -1,6 +1,6 @@
<li>
{{#canPerformBlocks}}
- <input type="checkbox" name="users[]" value="{{{userText}}}"/>
+ <input type="checkbox" name="users[]" value="{{userText}}"/>
{{/canPerformBlocks}}
<span class="mw-checkuser-user-link{{#userLinkClass}} {{userLinkClass}}{{/userLinkClass}}">
{{{userLink}}}
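Review bot: the `{{{userLink}}}` two lines below the changed `<input>` is still triple-braced, so Mustache emits it unescaped; that is only safe if the caller passes already-rendered link HTML rather than raw user text, and a short comment in the template (or a sentence in the commit message) saying so would stop a later reader from "fixing" it the same way. The change on the `value` attribute itself is right: `{{userText}}` is HTML-escaped by Mustache, so a `"` in the username can no longer terminate the attribute early or inject attributes into the input tag, which is exactly the failure the commit message describes. A regression test that renders this template with a username containing `"` and asserts the attribute is intact would lock the fix in.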
--
2.25.1

