Authored By Dreamy_Jazz, May 19 2025, 4:36 PM
T394700.patch

From f5593ae3a90a81e5ffe401b0f1f68f4aea2de6e5 Mon Sep 17 00:00:00 2001
From: Dreamy Jazz <wpgbrown@wikimedia.org>
Date: Mon, 19 May 2025 17:34:03 +0100
Subject: [PATCH] SECURITY: Fix i18n XSS in PreliminaryCheckPager
Why:
* Special:Investigate has an 'Account information' tab which is
currently vulnerable to i18n XSS through the
'checkuser-investigate-preliminary-table-cell-wiki-nowiki'
and 'rev-deleted-user'.
* These vectors should be fixed.
What:
* Properly escape the above noted messages in PreliminaryCheckPager
Bug: T394700
Change-Id: I777fc55fef15c3b00df0db268af2b64cb2d6e381
---
src/Investigate/Pagers/PreliminaryCheckPager.php | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/Investigate/Pagers/PreliminaryCheckPager.php b/src/Investigate/Pagers/PreliminaryCheckPager.php
index 789c7cc5..e19dde20 100644
--- a/src/Investigate/Pagers/PreliminaryCheckPager.php
+++ b/src/Investigate/Pagers/PreliminaryCheckPager.php
@@ -139,7 +139,7 @@ class PreliminaryCheckPager extends TablePager {
case 'name':
// Hide the username if it is hidden from the current authority.
if ( $userIsHidden ) {
- $formatted = $this->msg( 'rev-deleted-user' )->text();
+ $formatted = $this->msg( 'rev-deleted-user' )->escaped();
} else {
$formatted = htmlspecialchars( $value );
}
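Review bot: switching the `rev-deleted-user` branch from ->text() to ->escaped() makes it consistent with the else branch, which already runs htmlspecialchars( $value ), so both paths now assign an HTML-escaped string to $formatted, which is the right shape because the cell content is emitted as HTML. One caveat to confirm: ->escaped() HTML-escapes the raw message, so if any translation of `rev-deleted-user` were meant to carry markup it would now render literally; if that is ever intended, ->parse() is the alternative, but for a plain placeholder string escaping is the safer choice. Please also add a regression test that overrides the message with a payload containing `<` and asserts the pager output contains `&lt;` rather than the raw tag, since nothing in this patch exercises the fix.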
@@ -164,7 +164,7 @@ class PreliminaryCheckPager extends TablePager {
$wiki->getDisplayName()
);
} else {
- $formatted = $this->msg( 'checkuser-investigate-preliminary-table-cell-wiki-nowiki' )->text();
+ $formatted = $this->msg( 'checkuser-investigate-preliminary-table-cell-wiki-nowiki' )->escaped();
}
break;
case 'editcount':
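Review bot: the else branch is fixed, but the if branch above it (the call closed by `$wiki->getDisplayName()` and `);`) is cut off in this hunk; please confirm that the call it closes also escapes its result (for example a message rendered with ->escaped() taking the display name as a parameter, or an explicit htmlspecialchars()), since a display name sourced from wiki configuration reaches the same HTML cell. With that confirmed, the change matches the `name` case: every string assigned to $formatted in this pager should be HTML-safe before the break.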
--
2.34.1
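
The mechanism the commit message calls "i18n XSS" is that a translated message is an input channel: whatever the translation contains ends up in the page, so dropping ->text() into an HTML table cell is an injection point even though no user-supplied request parameter is involved. The following is an added illustration, not code from the CheckUser extension or from MediaWiki's Message class: MessageStub is a hypothetical stand-in for just the text()/escaped() behaviour, its message table is constructed here (including a deliberately hostile entry), and the two format functions mirror the before and after shapes of the `name` case in the patch.

```php
<?php
// Added illustration, not MediaWiki code. MessageStub is a hypothetical
// stand-in for the two Message methods that matter here: text() returns the
// raw translation, escaped() returns it HTML-escaped. Assumption: translations
// come from an i18n source that is not trusted HTML.

final class MessageStub {
    /** @var array<string,string> constructed message table; one entry is hostile */
    private const MESSAGES = [
        'rev-deleted-user' => '(username removed)',
        // Constructed: what a malicious or mistaken translation could contain.
        'rev-deleted-user/hostile' => '<img src=x onerror=alert(document.cookie)>',
    ];

    private string $key;

    public function __construct( string $key ) {
        $this->key = $key;
    }

    /** Raw message text, no escaping: safe only outside HTML contexts. */
    public function text(): string {
        return self::MESSAGES[$this->key] ?? "({$this->key})";
    }

    /** HTML-escaped message text: what a pager cell needs. */
    public function escaped(): string {
        return htmlspecialchars( $this->text(), ENT_QUOTES );
    }
}

/** Before the patch: message text dropped straight into a table cell. */
function formatNameCellVulnerable( bool $userIsHidden, string $value, string $key ): string {
    $formatted = $userIsHidden
        ? ( new MessageStub( $key ) )->text()
        : htmlspecialchars( $value );
    return '<td>' . $formatted . '</td>';
}

/** After the patch: both branches yield HTML-escaped text. */
function formatNameCellFixed( bool $userIsHidden, string $value, string $key ): string {
    $formatted = $userIsHidden
        ? ( new MessageStub( $key ) )->escaped()
        : htmlspecialchars( $value );
    return '<td>' . $formatted . '</td>';
}

// A hidden user with the hostile translation installed: the vulnerable
// version emits the tag as markup, the fixed version emits literal text.
$key = 'rev-deleted-user/hostile';
echo formatNameCellVulnerable( true, 'Alice', $key ), "\n";
echo formatNameCellFixed( true, 'Alice', $key ), "\n";

// The visible-user branch was already safe in both versions.
echo formatNameCellFixed( false, '<b>Alice</b>', $key ), "\n";
```

Run with `php` on the command line: the first line contains the raw `<img ...>` element, which a browser would execute as script in the investigator's session, while the second contains `&lt;img src=x onerror=alert(document.cookie)&gt;` and renders as text. The general rule the patch applies is that a value returned from a pager's formatValue() is HTML, so every branch must escape (or deliberately parse) the message rather than returning ->text().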
