
0001-Prevent-multiple-messages-from-causing-XSS.patch

Authored By
Soda
Sep 29 2023, 8:13 PM

0001-Prevent-multiple-messages-from-causing-XSS.patch

From b734fc1932ebda7c6786a4198dc70f907eea8379 Mon Sep 17 00:00:00 2001
From: Sohom <sohomdatta1+git@gmail.com>
Date: Fri, 29 Sep 2023 15:47:53 +0200
Subject: [PATCH] Prevent multiple messages from causing XSS
Bug: T347704
Change-Id: I0aa51ec486001fe136fc0b5364d456c2b48d94da
---
.../models/ext.pageTriage.article.js | 2 +-
.../ext.pageTriage.listControlNav.js | 43 +++++++++++--------
.../ext.pageTriage.listView.js | 2 +-
.../ext.pageTriage.views.toolbar/ToolView.js | 4 +-
.../articleInfo.js | 2 +-
5 files changed, 31 insertions(+), 22 deletions(-)
diff --git a/modules/ext.pageTriage.util/models/ext.pageTriage.article.js b/modules/ext.pageTriage.util/models/ext.pageTriage.article.js
index 578cd4d7..a5416053 100644
--- a/modules/ext.pageTriage.util/models/ext.pageTriage.article.js
+++ b/modules/ext.pageTriage.util/models/ext.pageTriage.article.js
@@ -107,7 +107,7 @@ const Article = Backbone.Model.extend( {
)
);
} else if ( article.get( 'creator_hidden' ) ) {
- article.set( 'author_byline_html', mw.msg( 'rev-deleted-user' ) );
+ article.set( 'author_byline_html', $( '<span>' ).text( mw.msg( 'rev-deleted-user' ) ).html() );
}
// Are there any PageTriage messages on the talk page?
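Review bot: The escaping helper `$( '<span>' ).text( mw.msg( 'rev-deleted-user' ) ).html()` on the new line is correct for element content, but it spells out by hand what the message API already provides; `mw.message( 'rev-deleted-user' ).escaped()` states the intent directly and is what a reader of an `_html`-suffixed attribute expects. A short comment such as `// escaped: author_byline_html is inserted as HTML by the views` would also make clear why the raw message must not be stored here. The enclosing function starts and ends outside the hunk.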
diff --git a/modules/ext.pageTriage.views.list/ext.pageTriage.listControlNav.js b/modules/ext.pageTriage.views.list/ext.pageTriage.listControlNav.js
index ba3f2b94..75d89a4b 100644
--- a/modules/ext.pageTriage.views.list/ext.pageTriage.listControlNav.js
+++ b/modules/ext.pageTriage.views.list/ext.pageTriage.listControlNav.js
@@ -118,7 +118,7 @@ const ListControlNav = Backbone.View.extend( {
// make a reset button
$( '#mwe-pt-filter-reset-button' ).button( {
- label: mw.msg( 'pagetriage-filter-reset-button' )
+ label: $( '<span>' ).text( mw.msg( 'pagetriage-filter-reset-button' ) ).html()
} );
$( '#mwe-pt-filter-reset-button' ).on( 'click', function ( e ) {
that.model.setParams( that.model.defaultApiParams );
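Review bot: The jQuery UI `label` option is presumably inserted as HTML by the button widget (which is why the raw message was exploitable), and the new `$( '<span>' ).text( … ).html()` serialisation escapes only `&`, `<` and `>` — enough for element content, but not for attribute values, so this pattern must not be copied into a `placeholder` or `title`. `mw.message( 'pagetriage-filter-reset-button' ).escaped()` expresses the same thing as an idiom rather than a trick, and since the identical expression is now repeated across four files a single helper would make the next audit easier. The enclosing render function starts and ends outside the hunk.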
@@ -136,7 +136,7 @@ const ListControlNav = Backbone.View.extend( {
// make a submit button
$( '#mwe-pt-filter-set-button' ).button( {
- label: mw.msg( 'pagetriage-filter-set-button' )
+ label: $( '<span>' ).text( mw.msg( 'pagetriage-filter-set-button' ) ).html()
} );
$( '#mwe-pt-filter-set-button' ).on( 'click', function ( e ) {
that.filterSync();
@@ -798,14 +798,19 @@ const ListControlNav = Backbone.View.extend( {
* @return {string}
*/
getDateRangeFilterSectionHtml: function ( context ) {
- return '<span class="mwe-pt-control-label">' +
- '<b>' + mw.msg( 'pagetriage-filter-date-range-heading' ) + '</b>' +
- '</span>' +
- '<div class="mwe-pt-control-options">' +
- this.getDateRangeFilterFieldsHtml( context, 'from' ) +
- '</br>' +
- this.getDateRangeFilterFieldsHtml( context, 'to' ) +
- '</div>';
+ return $( '<span>' )
+ .attr( 'class', 'mwe-pt-control-label' )
+ .append(
+ $( '<b>' ).text( mw.msg( 'pagetriage-filter-date-range-heading' )
+ )
+ ).html() +
+ $( '<div>' )
+ .attr( 'class', 'mwe-pt-control-options' )
+ .append(
+ this.getDateRangeFilterFieldsHtml( context, 'from' ) +
+ '</br>' +
+ this.getDateRangeFilterFieldsHtml( context, 'to' )
+ ).html();
},
/**
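Review bot: Both `.html()` calls in the new `getDateRangeFilterSectionHtml` return the inner HTML of the element they are called on, so the `<span class="mwe-pt-control-label">` and `<div class="mwe-pt-control-options">` wrappers are dropped and the function now returns `<b>…</b>` followed by the bare field markup; any CSS or selectors keyed on those classes stop matching. Build the fragments inside a throwaway container and serialise that instead, which also lets the two field strings be appended as separate arguments and replaces the malformed `'</br>'` with `<br>` (browsers tolerate `</br>`, but it is not the intended tag). The `@return {string}` contract is unchanged.
```javascript
getDateRangeFilterSectionHtml: function ( context ) {
	// Serialise a wrapper: .html() on the span/div themselves would drop them.
	return $( '<div>' ).append(
		$( '<span>' ).addClass( 'mwe-pt-control-label' ).append(
			$( '<b>' ).text( mw.msg( 'pagetriage-filter-date-range-heading' ) )
		),
		$( '<div>' ).addClass( 'mwe-pt-control-options' ).append(
			this.getDateRangeFilterFieldsHtml( context, 'from' ),
			'<br>',
			this.getDateRangeFilterFieldsHtml( context, 'to' )
		)
	).html();
},
```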
@@ -816,14 +821,16 @@ const ListControlNav = Backbone.View.extend( {
* @return {string}
*/
getDateRangeFilterFieldsHtml: function ( context, dateRangeType ) {
- return '<label for="mwe-pt-filter-' + context + '-date-range-' + dateRangeType + '">' +
- // eslint-disable-next-line mediawiki/msg-doc
- mw.msg( 'pagetriage-filter-date-range-' + dateRangeType ) + ' ' +
- '</label>' +
- '<input type="date" name="mwe-pt-filter-' + context + '-date-range-' + dateRangeType + '"' +
- 'id="mwe-pt-filter-' + context + '-date-range-' + dateRangeType + '"' +
- 'class="mwe-pt-filter-date-range-' + dateRangeType + '"' +
- 'placeholder="' + mw.msg( 'pagetriage-filter-date-range-format-placeholder' ) + '"/>';
+ return $( '<label>' ).attr( 'for', 'mwe-pt-filter-' + context + '-date-range-' + dateRangeType )
+ .text( mw.msg( 'pagetriage-filter-date-range-' + dateRangeType ) + ' ' )
+ .html() +
+ $( '<input>' ).attr( {
+ type: 'date',
+ name: 'mwe-pt-filter-' + context + '-date-range-' + dateRangeType,
+ id: 'mwe-pt-filter-' + context + '-date-range-' + dateRangeType,
+ class: 'mwe-pt-filter-date-range-' + dateRangeType,
+ placeholder: mw.msg( 'pagetriage-filter-date-range-format-placeholder' )
+ } ).html();
}
} );
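Review bot: In the new `getDateRangeFilterFieldsHtml`, `$( '<label>' )…html()` returns only the escaped label text (the `<label for=…>` element itself is lost) and `$( '<input>' ).attr( … ).html()` returns the empty inner HTML of an `<input>`, so the function now emits no input at all and the date-range fields disappear from the filter panel. Serialise a wrapper container rather than the elements themselves, and restore the `// eslint-disable-next-line mediawiki/msg-doc` comment that the patch dropped for the dynamic message key. The shared id string can be computed once.
```javascript
getDateRangeFilterFieldsHtml: function ( context, dateRangeType ) {
	const fieldId = 'mwe-pt-filter-' + context + '-date-range-' + dateRangeType;
	// Serialise a wrapper: .html() on <label>/<input> returns only their (empty) contents.
	return $( '<div>' ).append(
		$( '<label>' ).attr( 'for', fieldId )
			// eslint-disable-next-line mediawiki/msg-doc
			.text( mw.msg( 'pagetriage-filter-date-range-' + dateRangeType ) + ' ' ),
		$( '<input>' ).attr( {
			type: 'date',
			name: fieldId,
			id: fieldId,
			class: 'mwe-pt-filter-date-range-' + dateRangeType,
			placeholder: mw.msg( 'pagetriage-filter-date-range-format-placeholder' )
		} )
	).html();
}
```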
diff --git a/modules/ext.pageTriage.views.list/ext.pageTriage.listView.js b/modules/ext.pageTriage.views.list/ext.pageTriage.listView.js
index 803d29b4..eef7fdd3 100644
--- a/modules/ext.pageTriage.views.list/ext.pageTriage.listView.js
+++ b/modules/ext.pageTriage.views.list/ext.pageTriage.listView.js
@@ -180,7 +180,7 @@ const ListView = Backbone.View.extend( {
const pageInfo = view.render().el;
$( '#mwe-pt-list-view' ).append( pageInfo );
$( pageInfo ).find( '.mwe-pt-list-triage-button' ).show().button( {
- label: mw.msg( 'pagetriage-triage' ),
+ label: $( '<span>' ).text( mw.msg( 'pagetriage-triage' ) ).html(),
icons: { secondary: 'ui-icon-triangle-1-e' }
} );
},
diff --git a/modules/ext.pageTriage.views.toolbar/ToolView.js b/modules/ext.pageTriage.views.toolbar/ToolView.js
index f2544fec..4514c66c 100644
--- a/modules/ext.pageTriage.views.toolbar/ToolView.js
+++ b/modules/ext.pageTriage.views.toolbar/ToolView.js
@@ -282,7 +282,9 @@ module.exports = Backbone.View.extend( {
return $( '<div>' ).attr( 'id', this.id + '-search' )
.addClass( 'mwe-pt-tag-quicksearch' )
.append(
- mw.msg( 'pagetriage-tags-quickfilter-label' ) + ' ',
+ $( '<label>' )
+ .text( mw.msg( 'pagetriage-tags-quickfilter-label' ) )
+ .attr( 'for', this.id + '-search-text' ),
$( '<input>' )
.attr( { id: this.id + '-search-text',
type: 'text' } )
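Review bot: The new `<label>` drops the trailing `' '` that the old code appended after the message, so the label text and the search input may now render flush against each other unless `.mwe-pt-tag-quicksearch` already provides spacing; either keep `.text( mw.msg( 'pagetriage-tags-quickfilter-label' ) + ' ' )` or add the gap in CSS. Using `.text()` here is the right choice since the message is no longer parsed as HTML, and the `for` association is a usability gain. The enclosing method starts before the hunk and the jQuery chain continues past its last line.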
diff --git a/modules/ext.pageTriage.views.toolbar/articleInfo.js b/modules/ext.pageTriage.views.toolbar/articleInfo.js
index 28eef292..71cb4327 100644
--- a/modules/ext.pageTriage.views.toolbar/articleInfo.js
+++ b/modules/ext.pageTriage.views.toolbar/articleInfo.js
@@ -157,7 +157,7 @@ module.exports = ToolView.extend( {
'YYYYMMDDHHmmss'
).utcOffset( offset ).format(
mw.msg( 'pagetriage-info-timestamp-date-format' )
- ), mw.msg( 'rev-deleted-user' ) ) );
+ ), $( '<span>' ).text( mw.msg( 'rev-deleted-user' ) ) ).html() );
}
const stats = [
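Review bot: On the new line the `.html()` sits after the `)` that closes the enclosing call, so it is applied to that call's return value rather than to the `<span>`, and the jQuery object itself is what gets passed as the argument; if the enclosing expression (which begins above the hunk) is a `mw.msg( … )` parameter list, `.html()` on its string result will throw a TypeError at runtime. The intended form is presumably `), $( '<span>' ).text( mw.msg( 'rev-deleted-user' ) ).html() ) );`, mirroring the article.js hunk, or simply `mw.message( 'rev-deleted-user' ).escaped()` which avoids the nesting. The enclosing function starts and ends outside the hunk, so the exact outer call cannot be confirmed here.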
--
2.42.0
