Authored By
MaxSem
Sep 29 2017, 11:59 PM
Size
1 KB

T176176.patch

From 452e1b8ecdb69ba3f51faf3998d45bf56a27cf7e Mon Sep 17 00:00:00 2001
From: Max Semenik <maxsem.wiki@gmail.com>
Date: Fri, 29 Sep 2017 16:50:55 -0700
Subject: [PATCH] SECURITY: Escape { and } in attributes

This prevents them from being messed with by language converter.
Otherwise, with primary $wgFragmentMode set to HTML5, it's possible
to alter HTML by inserting conversion syntax -{|}- into wikilink
fragments on wikis with language conversion enabled.

Sanitizer already does the same with attributes for elements present
in wikitext.

Bug: T176176
Change-Id: I1304024654da66438a7f095d5e2e2b8b492351a2
---
includes/Html.php | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/includes/Html.php b/includes/Html.php
index 8fe4dbe513..7bf7477623 100644
--- a/includes/Html.php
+++ b/includes/Html.php
@@ -563,7 +563,10 @@ class Html {
"<" => '&lt;',
"\n" => '&#10;',
"\r" => '&#13;',
- "\t" => '&#9;'
+ "\t" => '&#9;',
+ // T176176: prevent attributes from interacting with language converter
+ '{' => '&#123;',
+ '}' => '&#125;',
];
$ret .= " $key=$quote" . strtr( $value, $map ) . $quote;
}
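Review bot: The new '{' and '}' entries in $map arrive without a regression test; the diffstat lists only includes/Html.php. Please add a test in the Html test suite that builds an attribute whose value contains the conversion syntax -{|}- from the commit message and asserts that the output carries &#123; and &#125; instead of raw braces, so a later edit to this map cannot silently drop the escaping. Since the strtr( $value, $map ) call applies to every attribute value written here, values that legitimately contain braces (JSON in an attribute, for example) will now serialize differently, so any existing expected-output strings that compare raw attribute text should be checked and updated in the same change. The comment could also name the matching escaping in Sanitizer that the commit message mentions, so the two lists are kept in step.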
--
2.14.1

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
4968601
Default Alt Text
T176176.patch (1 KB)