Authored By
BlankEclair
Feb 20 2025, 10:14 AM
T386908.patch

From befb6475dd2943db3d52965d8fa40fa834576c5d Mon Sep 17 00:00:00 2001
From: BlankEclair <blankeclair@disroot.org>
Date: Thu, 20 Feb 2025 21:13:18 +1100
Subject: [PATCH] SECURITY: Fix various XSSes
Bug: T386908
Change-Id: I86f47103ffb78c671890b44ccd59fcff6613975f
---
includes/business/AccountConfirmSubmission.php | 4 ++--
includes/business/AccountRequestSubmission.php | 4 ++--
.../frontend/specialpages/actions/ConfirmAccount_body.php | 2 +-
3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/includes/business/AccountConfirmSubmission.php b/includes/business/AccountConfirmSubmission.php
index d9ceffb..d71ab72 100644
--- a/includes/business/AccountConfirmSubmission.php
+++ b/includes/business/AccountConfirmSubmission.php
@@ -124,7 +124,7 @@ class AccountConfirmSubmission {
'accountconf_mailerror',
$context->msg( 'mailerror' )->rawParams(
$context->getOutput()->parseAsInterface( $result->getWikiText() )
- )->text(),
+ )->escaped(),
null
];
}
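Review bot: The second element of the returned tuple is now HTML rather than plain text, but nothing at the return site says so, so a caller that still treats it as text (escaping it again, or routing it through a text-only path) will double-escape the message or silently undo this fix; the same applies to the hunk at `@@ -183` below and to the two hunks in AccountRequestSubmission.php. I would put `// HTML, already escaped (the rawParams value is parser output and is inserted as-is): emit via addHTML(), never escape again` above the `return [`, and check every consumer of this tuple for a second escape. Note that `escaped()` does not touch what `rawParams()` supplies, so the safety of the `$1` part rests on parseAsInterface()'s output sanitisation rather than on this change. The enclosing method starts and ends outside the hunk.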
@@ -183,7 +183,7 @@ class AccountConfirmSubmission {
'accountconf_mailerror',
$context->msg( 'mailerror' )->rawParams(
$context->getOutput()->parseAsInterface( $result->getWikiText() )
- )->text(),
+ )->escaped(),
null
];
}
diff --git a/includes/business/AccountRequestSubmission.php b/includes/business/AccountRequestSubmission.php
index c6bc137..24f1b76 100644
--- a/includes/business/AccountRequestSubmission.php
+++ b/includes/business/AccountRequestSubmission.php
@@ -118,7 +118,7 @@ class AccountRequestSubmission {
if ( $value > $wgAccountRequestThrottle ) {
return [
'accountreq_throttled',
- $context->msg( 'acct_request_throttle_hit', $wgAccountRequestThrottle )->text()
+ $context->msg( 'acct_request_throttle_hit', $wgAccountRequestThrottle )->escaped()
];
}
}
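Review bot: The throttle limit is passed as a plain parameter here while the hunk at `@@ -143` formats its count with `numParams()`, so the two messages in the same method render numbers inconsistently (locale-formatted in one, raw in the other) and any `{{PLURAL:}}` in `acct_request_throttle_hit` would have to parse an unformatted value. For consistency I would change the added line to `$context->msg( 'acct_request_throttle_hit' )->numParams( $wgAccountRequestThrottle )->escaped()`. As with AccountConfirmSubmission.php, the second tuple element is now HTML and the callers of this return value need to be checked so they do not escape it a second time. The enclosing method starts and ends outside the hunk.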
@@ -143,7 +143,7 @@ class AccountRequestSubmission {
return [
'acct_request_short_bio',
- $context->msg( 'requestaccount-tooshort' )->numParams( $minWords )->text()
+ $context->msg( 'requestaccount-tooshort' )->numParams( $minWords )->escaped()
];
}
# Per security reasons, file dir cannot be pulled from client,
diff --git a/includes/frontend/specialpages/actions/ConfirmAccount_body.php b/includes/frontend/specialpages/actions/ConfirmAccount_body.php
index 7c2fa43..f06ef04 100644
--- a/includes/frontend/specialpages/actions/ConfirmAccount_body.php
+++ b/includes/frontend/specialpages/actions/ConfirmAccount_body.php
@@ -256,7 +256,7 @@ class ConfirmAccountsPage extends SpecialPage {
// Give grep a chance to find the usages: confirmaccount-type-0, confirmaccount-type-1
$out->addHTML( "<li><i>" . $this->msg( "confirmaccount-type-$i" )->escaped() . "</i>" );
- $out->addHTML( $this->msg( 'word-separator' )->plain() );
+ $out->addHTML( $this->msg( 'word-separator' )->escaped() );
$params = $this->getLanguage()->pipeList( [ $open, $held, $rejects, $stale ] );
$out->addHTML( $this->msg( 'parentheses' )->rawParams( $params )->escaped() );
$out->addHTML( '</li>' );
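Review bot: The `parentheses` line right after the changed one passes `$params` through `rawParams()`, which `escaped()` leaves untouched, so the HTML-safety of `$open`, `$held`, `$rejects` and `$stale` depends entirely on how they were built above the hunk, and a reader of this loop cannot tell. I would add `// $params is emitted raw: $open/$held/$rejects/$stale must already be HTML-safe when built above` before the `pipeList()` call. If those four values are not already escaped or link HTML, that line reintroduces the class of bug this patch fixes. The enclosing loop and method start and end outside the hunk.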
--
2.48.1
