Page MenuHomePhabricator
Files F37129609

0001-SECURITY-Fix-messages-in-CitoidPendingDialog.patch
Lucas_Werkmeister_WMDE (Lucas Werkmeister (WMDE))
Actions

Authored By
Lucas_Werkmeister_WMDE
Jul 5 2023, 12:57 PM
Size
1 KB
Referenced Files
None
Subscribers
None

0001-SECURITY-Fix-messages-in-CitoidPendingDialog.patch
View Options

From 8691a4879c7435ddb53bbda6b2ca6abca3235a81 Mon Sep 17 00:00:00 2001
From: Lucas Werkmeister <lucas.werkmeister@wikimedia.de>
Date: Wed, 5 Jul 2023 14:56:02 +0200
Subject: [PATCH] SECURITY: Fix messages in CitoidPendingDialog
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
As far as I understand, we don’t need deferMsg() here – we’re in a
normal ResourceLoader module, our messages should be available by the
time our code runs. But also, normal mw.msg() is not safe for being
appended into jQuery directly. Let’s use the text option of PanelLayout
instead, which escapes the text for us.
Bug: T340200
Change-Id: I570e00e45f8a36fbf2b26db9610fa0a702a28f67
---
modules/wikibase/wb.CitoidPendingDialog.js | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/modules/wikibase/wb.CitoidPendingDialog.js b/modules/wikibase/wb.CitoidPendingDialog.js
index 027dfd3d99..682f8d5c27 100644
--- a/modules/wikibase/wb.CitoidPendingDialog.js
+++ b/modules/wikibase/wb.CitoidPendingDialog.js
@@ -19,10 +19,16 @@
CitoidPendingDialog.prototype.initialize = function () {
CitoidPendingDialog.super.prototype.initialize.apply( this, arguments );
- this.waitingPanel = new OO.ui.PanelLayout( { padded: true, expanded: false } );
- this.waitingPanel.$element.append( OO.ui.deferMsg( 'citoid-wb-pendingdialog-message' ) );
- this.errorPanel = new OO.ui.PanelLayout( { padded: true, expanded: false } );
- this.errorPanel.$element.append( OO.ui.deferMsg( 'citoid-wb-pendingdialog-error' ) );
+ this.waitingPanel = new OO.ui.PanelLayout( {
+ padded: true,
+ expanded: false,
+ text: mw.msg( 'citoid-wb-pendingdialog-message' )
+ } );
+ this.errorPanel = new OO.ui.PanelLayout( {
+ padded: true,
+ expanded: false,
+ text: mw.msg( 'citoid-wb-pendingdialog-error' )
+ } );
this.stackLayout = new OO.ui.StackLayout( {
items: [ this.waitingPanel, this.errorPanel ]
--
2.39.2

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
10916197
Default Alt Text
0001-SECURITY-Fix-messages-in-CitoidPendingDialog.patch (1 KB)

Event Timeline

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL