
0001-SECURITY-Escape-quotes-in-js-templates.patch

Authored By
Michael
Jun 15 2023, 3:25 PM
Size
2 KB

From 98ca7cedad7105c030bd901664ecab4d391abc16 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Michael=20Gro=C3=9Fe?= <michael.grosse@wikimedia.de>
Date: Thu, 15 Jun 2023 17:01:39 +0200
Subject: [PATCH] SECURITY: Escape quotes in js templates
Previously, the code in wbTemplate would not escape quotes in
parameters, which resulted in an XSS vulnerability when those parameters
were then used in attributes of HTML tags, for example the `title=""`
attribute.
This basically undoes the production code changes made in I641725a254f
for T44956. However, it does not change the tests added in that change,
so I wonder if "HTML-encoded non-breaking-space causes invalid HTML" was
really the root issue that was going on. In any case, on my machine, the
Item page in French seems to work perfectly fine, including editing.
Bug: T339111
Change-Id: Ib2a85fc6f1d1339fb857ee749d3a49ac19aece36
---
view/resources/wikibase/templates.js | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/view/resources/wikibase/templates.js b/view/resources/wikibase/templates.js
index fb342c8529..5a393de2b5 100644
--- a/view/resources/wikibase/templates.js
+++ b/view/resources/wikibase/templates.js
@@ -88,9 +88,18 @@
var strippedTemplate = stripAutoGeneratedHtml( template ),
strippedParsedTemplate = stripAutoGeneratedHtml( parsedTemplate );
+ // Unescape remaining quotes in our template since all attributes are gone
+ // and jQuery does not escape quotes in text nodes
+ var strippedTemplateWithUnescapedQuotes = strippedTemplate.replace(
+ /&quot;|&#039;/g,
+ function ( escapedQuote ) {
+ return escapedQuote === '&quot;' ? '"' : "'";
+ }
+ );
+
// Nodes or text got lost while being parsed which indicates that the generated HTML would
// be invalid:
- return strippedTemplate === strippedParsedTemplate;
+ return strippedTemplateWithUnescapedQuotes === strippedParsedTemplate;
}
/**
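Review bot: The unescape step `strippedTemplate.replace( /&quot;|&#039;/g, ... )` only recognises the two entity spellings that `mw.html.escape` emits, so a parameter that already contains `&#39;` or `&apos;` would leave the validity check comparing an entity on one side against a literal quote on the other and report the template as invalid; a comment stating that the pattern is deliberately tied to `mw.html.escape`'s output, or a test with a parameter holding both quote characters, would make that coupling explicit. The comment "jQuery does not escape quotes in text nodes" would be more accurate as a statement about the browser's innerHTML serialization: `.html()` on the parsed template returns the serialized DOM, in which quotes inside text nodes are not entity-encoded, which is why only the unparsed side needs the unescaping.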
@@ -151,10 +160,8 @@
// objects will be appended after the template has been parsed to not lose any references:
for ( i = 0; i < params.length; i++ ) {
if ( typeof params[ i ] === 'string' || params[ i ] instanceof String ) {
- // insert strings into the template directly but have them parsed by the browser
- // to detect HTML entities properly (e.g. a &nbsp; in Firefox would show up as a
- // space instead of an entity which would cause an invalid HTML error)
- tempParams.push( $( '<div>' ).html( mw.html.escape( params[ i ] ) ).html() );
+ // insert strings into the template directly
+ tempParams.push( mw.html.escape( params[ i ] ) );
} else if ( params[ i ] instanceof $ ) {
// construct temporary placeholder nodes
// (using an actual invalid class name to not interfere with any other node)
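Review bot: Dropping the `$( '<div>' ).html( ... ).html()` round trip is the actual fix, but the replacement comment "insert strings into the template directly" no longer records why the round trip must not come back; please keep the reason in the comment (serializing the escaped string through the DOM decodes `&quot;` and `&#039;` back to literal quotes, which then break out of attribute values such as `title=""`). Since the commit message says the T44956 tests were left unchanged and doubts that the `&nbsp;` issue was the root cause, a regression test that passes a parameter containing `"` and `'` into an attribute position and asserts the rendered attribute still holds the entities would pin down the behaviour this hunk depends on.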
--
2.39.2
