Description
There are several places where we output directly from the db. It should be escaped before being output.
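As an added illustration of the bug class this task describes (example code, not the Newsletter extension's own): a special page that builds HTML straight from DB rows, beside the version that escapes each value before output. The row shape and the column names nl_name and nl_desc are assumed for the illustration.

```php
<?php
// Added example, not code from the Newsletter extension. Row shape and the
// column names nl_name / nl_desc are assumed; the rows below are constructed.

/** Constructed sample rows standing in for a newsletter result set. */
function sampleRows(): array {
    return [
        (object)[ 'nl_name' => 'Tech News', 'nl_desc' => 'Weekly & technical' ],
        (object)[ 'nl_name' => '<i>Not italic</i>', 'nl_desc' => '"quoted" <desc>' ],
    ];
}

/** Vulnerable pattern: raw DB text is concatenated into the page as markup. */
function renderListUnescaped( array $rows ): string {
    $html = '<ul>';
    foreach ( $rows as $row ) {
        $html .= '<li>' . $row->nl_name . ': ' . $row->nl_desc . '</li>';
    }
    return $html . '</ul>';
}

/** Escape a DB-sourced value at the point where it becomes HTML. */
function escapeForHtml( string $text ): string {
    // ENT_QUOTES also escapes single quotes, so the value is safe in attributes too.
    return htmlspecialchars( $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
}

/** Fixed pattern: every DB value is escaped before concatenation. */
function renderListEscaped( array $rows ): string {
    $html = '<ul>';
    foreach ( $rows as $row ) {
        // In MediaWiki, Html::element( 'li', [], $text ) performs this escaping.
        $html .= '<li>' . escapeForHtml( $row->nl_name ) . ': '
            . escapeForHtml( $row->nl_desc ) . '</li>';
    }
    return $html . '</ul>';
}

/** Check: does any DB value containing '<' appear verbatim in the output? */
function containsRawTagFromData( string $html, array $rows ): bool {
    foreach ( $rows as $row ) {
        foreach ( [ $row->nl_name, $row->nl_desc ] as $value ) {
            if ( strpos( $value, '<' ) !== false && strpos( $html, $value ) !== false ) {
                return true;
            }
        }
    }
    return false;
}

$rows = sampleRows();
echo renderListUnescaped( $rows ), "\n"; // the <i> tag from the data is interpreted by the browser
echo renderListEscaped( $rows ), "\n";   // the same text is shown literally
var_dump( containsRawTagFromData( renderListUnescaped( $rows ), $rows ) );
var_dump( containsRawTagFromData( renderListEscaped( $rows ), $rows ) );
```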
Status | Assigned | Task
---|---|---
Duplicate | Qgil | T125545 Phabricator Q&A session for Community Liaisons
Resolved | Qgil | T116025 Goal: Align Community Liaison and Developer Relations project management practices
Resolved | Qgil | T119387 Community Liaison and Developer Relation quarterly goals for January - March 2016
Declined | None | T104131 Exporting existing newsletter to the Newsletter extension
Resolved | Addshore | T110170 Goal: Deploy Newsletter extension in Wikimedia
Duplicate | None | T115098 Deploy Newsletter extension in beta cluster
Resolved | ori | T127297 Add the Newsletter extension to the Beta Cluster
Resolved | Bawolff | T115095 Security review of Newsletter extension
Resolved | Glaisher | T116382 Raw html should be escaped before output in Newsletter pages
Event Timeline
Change 248361 had a related patch set uploaded (by Glaisher):
Do escaping before output on Newsletter special pages
Change 248361 merged by jenkins-bot:
Do escaping before output on Newsletter special pages
Change 250459 had a related patch set uploaded (by Glaisher):
Escape raw HTML from SpecialNewsletter
Just noticed this, so adding it here so that I don't forget: escape HTML in the notification too.
Change 255076 had a related patch set uploaded (by Glaisher):
Cleanup notification sent for new issues