Authored By
Dreamy_Jazz
May 19 2025, 4:32 PM

T394693.patch

From c45d590e65017211c37673d19ffa103595668243 Mon Sep 17 00:00:00 2001
From: Dreamy Jazz <wpgbrown@wikimedia.org>
Date: Mon, 19 May 2025 17:14:17 +0100
Subject: [PATCH] SECURITY: Fix i18n XSS vector in Special:CheckUser

Why:
* Special:CheckUser has a frontend JS summary table that reads usernames in the results from the 'data-username' property.
* This property is not properly HTML escaped in the associated mustache files.

What:
* Properly escape the username in GetActionsLine.mustache and GetUsersLine.mustache.

Bug: T394693
Change-Id: I159e14543912cb3bc7f4a00c3090c0285b154786
---
templates/GetActionsLine.mustache | 2 +-
templates/GetUsersLine.mustache | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/templates/GetActionsLine.mustache b/templates/GetActionsLine.mustache
index 10bae977..41ac98f1 100644
--- a/templates/GetActionsLine.mustache
+++ b/templates/GetActionsLine.mustache
@@ -5,7 +5,7 @@
{{/showLinks}}
{{timestamp}}
<span class="mw-changeslist-separator"></span>
- <span data-username="{{{userName}}}" class="mw-checkuser-user-link{{#userLinkClass}} {{userLinkClass}}{{/userLinkClass}}">
+ <span data-username="{{userName}}" class="mw-checkuser-user-link{{#userLinkClass}} {{userLinkClass}}{{/userLinkClass}}">
{{{userLink}}}
</span>
{{{userToolLinks}}}
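Review bot: the `{{{userName}}}` to `{{userName}}` switch on the `data-username` attribute is the right fix, since the triple-mustache form emits the value unescaped inside a double-quoted attribute and a `"` in a username would close the attribute early; the double-mustache form HTML-escapes it, and DOM attribute access on the consuming JS side still yields the original username after entity decoding. The neighbouring `{{{userLink}}}` and `{{{userToolLinks}}}` remain raw, which is only safe if the PHP side always passes pre-built, already-escaped HTML there; the commit message should state that, and a regression test rendering this template with a username containing `"` and `<` and asserting on the attribute value would keep the escape from silently reverting.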
diff --git a/templates/GetUsersLine.mustache b/templates/GetUsersLine.mustache
index c76eda33..718793fd 100644
--- a/templates/GetUsersLine.mustache
+++ b/templates/GetUsersLine.mustache
@@ -2,7 +2,7 @@
{{#canPerformBlocksOrLocks}}
<input type="checkbox" name="users[]" value="{{userText}}"/>
{{/canPerformBlocksOrLocks}}
- <span data-username="{{{userText}}}" class="mw-checkuser-user-link{{#userLinkClass}} {{userLinkClass}}{{/userLinkClass}}">
+ <span data-username="{{userText}}" class="mw-checkuser-user-link{{#userLinkClass}} {{userLinkClass}}{{/userLinkClass}}">
{{{userLink}}}
</span>
{{{userToolLinks}}}
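Review bot: same fix as in GetActionsLine.mustache, and it also makes the two uses of `userText` in this template consistent, since the checkbox `value="{{userText}}"` two lines above already used the escaped form. Worth confirming in the same change that every other mustache template which puts a user-controlled value into an attribute uses double mustaches, since the frontend reads these attributes for more than one row type; a single test helper that renders each template with a quote-bearing username would cover that.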
--
2.34.1
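As an added example, not part of the patch or of the CheckUser extension's code, a toy Mustache-style substitution over the changed attribute shows why the triple-mustache form breaks the attribute while the double-mustache form survives a browser's attribute decoding unchanged (the escape and decode tables are assumptions standing in for real Mustache and DOM behaviour):

```javascript
// Toy Mustache-style renderer: {{{x}}} is raw, {{x}} is HTML-escaped.
// The escape table below mirrors what Mustache does for {{x}} (assumption).
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

function render(template, view) {
  return template
    .replace(/\{\{\{(\w+)\}\}\}/g, (_, k) => String(view[k] ?? ''))
    .replace(/\{\{(\w+)\}\}/g, (_, k) => escapeHtml(view[k] ?? ''));
}

// The span as it appeared before and after the patch (section tags dropped).
const BEFORE = '<span data-username="{{{userName}}}" class="mw-checkuser-user-link">';
const AFTER = '<span data-username="{{userName}}" class="mw-checkuser-user-link">';

// Constructed username: the double quote can close the attribute early.
const NAME = 'Ex"ample<x>';

// Read data-username the way a browser would: the value runs to the next
// double quote, and entities are decoded on attribute access (assumption).
function dataUsername(html) {
  const m = /data-username="([^"]*)"/.exec(html);
  if (!m) return null;
  return m[1].replace(/&quot;|&lt;|&gt;|&amp;|&#39;/g, (e) => ({
    '&quot;': '"', '&lt;': '<', '&gt;': '>', '&amp;': '&', '&#39;': "'",
  })[e]);
}

// before: the attribute is cut to "Ex" and the rest spills into the markup;
// after: the frontend JS sees the full username, exactly as typed.
function demo() {
  return {
    before: dataUsername(render(BEFORE, { userName: NAME })),
    after: dataUsername(render(AFTER, { userName: NAME })),
  };
}
```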
