From 91c859716339f9d1e1b33cfda49d29c8dfdb46b7 Mon Sep 17 00:00:00 2001
From: STran <stran@wikimedia.org>
Date: Mon, 1 Sep 2025 05:25:27 -0700
Subject: [PATCH] SECURITY: Escape XSS vector in UserInfoCard
What:
- Escape messages generated in CheckUserUserInfoCardService for groups
(local and global) before they're returned to the front-end
Bug: T403289
Change-Id: Iacd0287259cb250ea7c32fbfc1365b89b263e576
---
src/Services/CheckUserUserInfoCardService.php | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/Services/CheckUserUserInfoCardService.php b/src/Services/CheckUserUserInfoCardService.php
index 8bb6c39f..0f555825 100644
--- a/src/Services/CheckUserUserInfoCardService.php
+++ b/src/Services/CheckUserUserInfoCardService.php
@@ -138,14 +138,14 @@ class CheckUserUserInfoCardService {
$groupMessages = [];
foreach ( $groups as $group ) {
if ( $this->messageLocalizer->msg( "group-$group" )->exists() ) {
- $groupMessages[] = $this->messageLocalizer->msg( "group-$group" )->text();
+ $groupMessages[] = $this->messageLocalizer->msg( "group-$group" )->escaped();
}
}
$userInfo['groups'] = '';
if ( $groupMessages ) {
$userInfo['groups'] = $this->messageLocalizer->msg( 'checkuser-userinfocard-groups' )
->params( Message::listParam( $groupMessages, ListType::COMMA ) )
- ->text();
+ ->parse();
}
if ( !isset( $userInfo['totalEditCount'] ) ) {
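Review bot: The value assigned to `$userInfo['groups']` (and `$userInfo['globalGroups']` in the next hunk) changes from plain text to an HTML fragment, since `Message::parse()` returns HTML, but nothing in the hunk records that contract change for the front-end consumer: a consumer that inserts the string as text will now show literal entities, while one that inserts it as HTML is the path this patch hardens. A short comment above the assignment would make the pairing explicit, e.g. `// HTML fragment: each group name is pre-escaped and the list message is parsed (not escaped) so the entities are not encoded twice.`, and the method's docblock (outside the hunk) should state that these two fields are HTML. The `->escaped()` + `->parse()` combination appears to rely on the parser passing substituted entities through unchanged; if the outer messages need no wikitext rendering, keeping `->text()` on the items and calling `->escaped()` on the outer message would escape once without invoking the parser, though I cannot tell from here whether wikitext in those messages is intended. The enclosing method begins before this hunk and continues past it.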
@@ -169,14 +169,14 @@ class CheckUserUserInfoCardService {
foreach ( $globalGroups as $group ) {
if ( $this->messageLocalizer->msg( "group-$group" )->exists() ) {
$globalGroupMessages[] = $this->messageLocalizer->msg( "group-$group" )
- ->text();
+ ->escaped();
}
}
$userInfo['globalGroups'] = '';
if ( $globalGroupMessages ) {
$userInfo['globalGroups'] = $this->messageLocalizer->msg( 'checkuser-userinfocard-global-groups' )
->params( Message::listParam( $globalGroupMessages, ListType::COMMA ) )
- ->text();
+ ->parse();
}
if ( $centralAuthUser->isLocked() ) {
--
2.48.1
T403289: CVE-2025-61650: UserInfoCard is vulnerable to message key stored XSS