Page MenuHomePhabricator
Files F62283726

0001-SECURITY-Escape-card-details.patch
Lucas_Werkmeister_WMDE (Lucas Werkmeister (WMDE))
Actions

Authored By
Lucas_Werkmeister_WMDE
Jun 10 2025, 2:56 PM
Size
2 KB
Referenced Files
None
Subscribers
None

0001-SECURITY-Escape-card-details.patch
View Options

From 27a96656537f3f8189f395018e7f03546f64bebb Mon Sep 17 00:00:00 2001
From: Lucas Werkmeister <lucas.werkmeister@wikimedia.de>
Date: Tue, 10 Jun 2025 16:11:24 +0200
Subject: [PATCH] SECURITY: Escape card details
The title and description are probably the most important, but the rest
seems prudent to escape too.
mw.html is part of the mediawiki.base module, so no new ResourceLoader
dependency should be necessary.
Bug: T396413
Change-Id: SECURITY-I18f98a31ba40ff244c6944e2f9e1c4bee1319abf
---
.../ext.relatedArticles.readMore/RelatedArticles.js | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/resources/ext.relatedArticles.readMore/RelatedArticles.js b/resources/ext.relatedArticles.readMore/RelatedArticles.js
index 997fabd0fa..c1209f32d5 100644
--- a/resources/ext.relatedArticles.readMore/RelatedArticles.js
+++ b/resources/ext.relatedArticles.readMore/RelatedArticles.js
@@ -14,20 +14,20 @@ const RelatedArticles = ( options ) => [
`<div class="read-more-container ${ ( options.isContainerSmall ) ? 'read-more-container-small' : 'read-more-container-large' }">`,
`<aside class="noprint">`,
( options.heading ) ?
- `<h2 class="read-more-container-heading">${ options.heading }</h2>` : ``,
+ `<h2 class="read-more-container-heading">${ mw.html.escape( options.heading ) }</h2>` : ``,
`<ul class="read-more-container-card-list">`,
- options.cards.map( ( card ) => `<li title="${ card.label }">
- <a href="${ card.url }" ${ options.clickEventName ? `data-event-name="${ options.clickEventName }"` : '' }><span class="cdx-card">
+ options.cards.map( ( card ) => `<li title="${ mw.html.escape( card.label ) }">
+ <a href="${ mw.html.escape( card.url ) }" ${ options.clickEventName ? `data-event-name="${ mw.html.escape( options.clickEventName ) }"` : '' }><span class="cdx-card">
<span class="cdx-card__thumbnail cdx-thumbnail">
${ ( card.thumbnail && card.thumbnail.url ) ?
- `<span class="cdx-thumbnail__image" style="background-image: url('${ card.thumbnail.url }')"></span>` :
+ `<span class="cdx-thumbnail__image" style="background-image: url('${ mw.html.escape( card.thumbnail.url ) }')"></span>` :
`<span class="cdx-thumbnail__placeholder">
<span class="cdx-thumbnail__placeholder__icon"></span>
</span>` }
</span>
<span class="cdx-card__text">
- <span class="cdx-card__text__title">${ card.label }</span>
- <span class="cdx-card__text__description">${ card.description }</span>
+ <span class="cdx-card__text__title">${ mw.html.escape( card.label ) }</span>
+ <span class="cdx-card__text__description">${ mw.html.escape( card.description ) }</span>
</span>
</a>
</li>` ).join( '\n' ),
--
2.49.0

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
20918242
Default Alt Text
0001-SECURITY-Escape-card-details.patch (2 KB)

Event Timeline

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits