
0001-SECURITY-Escape-label-in-FederatedPropertiesError.patch

Authored By
Lucas_Werkmeister_WMDE
Jun 20 2023, 3:46 PM
Size
2 KB

0001-SECURITY-Escape-label-in-FederatedPropertiesError.patch

From 494d8e94f95a13a23e36c916edd2a0088b4dbdda Mon Sep 17 00:00:00 2001
From: Lucas Werkmeister <lucas.werkmeister@wikimedia.de>
Date: Fri, 16 Jun 2023 12:58:21 +0200
Subject: [PATCH 1/2] SECURITY: Escape label in FederatedPropertiesError
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The label is later stripped of bad markup in OutputPage::setPageTitle()
(which calls Sanitizer::removeSomeTags()), but we don’t want “safe”
markup in there to be processed either: it should all be escaped.
Bug: T339260
Change-Id: I76b953be86d6465ee7355c0a189c68cf20457786
---
.../includes/FederatedProperties/FederatedPropertiesError.php | 2 +-
.../FederatedProperties/FederatedPropertiesErrorTest.php | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/repo/includes/FederatedProperties/FederatedPropertiesError.php b/repo/includes/FederatedProperties/FederatedPropertiesError.php
index c83ebb4369..6589e896b6 100644
--- a/repo/includes/FederatedProperties/FederatedPropertiesError.php
+++ b/repo/includes/FederatedProperties/FederatedPropertiesError.php
@@ -44,7 +44,7 @@ public function __construct( $languageCode, $entity, $msg, $params = [] ) {
$html = $templateFactory->render( 'wikibase-title',
!$hasLabel ? 'wb-empty' : '',
- !$hasLabel ? wfMessage( 'wikibase-label-empty' )->parse() : $labelText,
+ !$hasLabel ? wfMessage( 'wikibase-label-empty' )->parse() : htmlspecialchars( $labelText, ENT_QUOTES ),
$idInParenthesesHtml
);
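Review bot: The explicit `ENT_QUOTES` on the added line drops `ENT_SUBSTITUTE`, so if `$labelText` ever contains an invalid UTF-8 sequence, `htmlspecialchars()` returns an empty string and the title silently loses the label rather than rendering a replacement character. Since labels on this path come from entity data rather than a literal in this file, I would pass the flags MediaWiki's own escaping helpers use, `htmlspecialchars( $labelText, ENT_QUOTES | ENT_SUBSTITUTE )`, unless the caller already guarantees valid UTF-8 (I cannot tell from this hunk). The false branch for `!$hasLabel` still injects `->parse()` output, which is message HTML and is fine to leave unescaped. The enclosing `__construct` starts and ends outside the hunk, so `$hasLabel`, `$labelText` and `$idInParenthesesHtml` are assumed to be set above.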
diff --git a/repo/tests/phpunit/includes/FederatedProperties/FederatedPropertiesErrorTest.php b/repo/tests/phpunit/includes/FederatedProperties/FederatedPropertiesErrorTest.php
index 0c922283c6..429ea30874 100644
--- a/repo/tests/phpunit/includes/FederatedProperties/FederatedPropertiesErrorTest.php
+++ b/repo/tests/phpunit/includes/FederatedProperties/FederatedPropertiesErrorTest.php
@@ -22,7 +22,7 @@ class FederatedPropertiesErrorTest extends MediaWikiIntegrationTestCase {
public function testOutputShouldGenerateErrorPage() {
$languageCode = 'en';
$item = new Item( new ItemId( 'Q1' ) );
- $item->setLabel( $languageCode, 'A label' );
+ $item->setLabel( $languageCode, 'A <b>label</b>' );
$params = [];
$e = new FederatedPropertiesError( $languageCode, $item, 'key', $params );
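Review bot: The updated fixture only exercises angle brackets, so the test would still pass if the `ENT_QUOTES` part of the escaping were lost; the assertion in the second hunk (`'<span class="wikibase-title-label">A &lt;b&gt;label&lt;/b&gt;</span>'`) should also pin quote escaping, which matters because the label lands inside markup. Changing the label to `$item->setLabel( $languageCode, 'A "quoted" <b>label</b>' );` and the expectation to `'<span class="wikibase-title-label">A &quot;quoted&quot; &lt;b&gt;label&lt;/b&gt;</span>'` covers both. A one-line comment on the fixture, `// label deliberately contains markup and quotes; both must be escaped in the title`, would record why the value is odd. The test method continues past this hunk.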
@@ -37,7 +37,7 @@ public function testOutputShouldGenerateErrorPage() {
);
$this->assertStringContainsString(
- '<span class="wikibase-title-label">A label</span>',
+ '<span class="wikibase-title-label">A &lt;b&gt;label&lt;/b&gt;</span>',
$e->title->parse()
);
}
--
2.39.2
