Raw html should be escaped before output in Newsletter pages
Closed, Resolved; Public

Description

There are several places where we output directly from the db. It should be escaped before being output.

Details

Related Gerrit Patches:
mediawiki/extensions/Newsletter : master : Cleanup notification sent for new issues
mediawiki/extensions/Newsletter : master : Escape raw HTML from SpecialNewsletter
mediawiki/extensions/Newsletter : master : Do escaping before output on Newsletter special pages

Event Timeline

Glaisher created this task. Oct 23 2015, 2:46 PM
Glaisher raised the priority of this task from to High.
Glaisher updated the task description.
Glaisher added a subscriber: Glaisher.
Restricted Application added a subscriber: Aklapper. Oct 23 2015, 2:46 PM

Change 248361 had a related patch set uploaded (by Glaisher):
Do escaping before output on Newsletter special pages

https://gerrit.wikimedia.org/r/248361

Change 248361 merged by jenkins-bot:
Do escaping before output on Newsletter special pages

https://gerrit.wikimedia.org/r/248361

Change 250459 had a related patch set uploaded (by Glaisher):
Escape raw HTML from SpecialNewsletter

https://gerrit.wikimedia.org/r/250459

Change 250459 merged by jenkins-bot:
Escape raw HTML from SpecialNewsletter

https://gerrit.wikimedia.org/r/250459

@Glaisher, this one can be marked 'Resolved'? :)

Not yet. Someone needs to confirm that they don't see raw HTML anywhere.

Glaisher set Security to None.

Just noticed this so adding here so that I don't forget: Escape HTML in the notification too.

Change 255076 had a related patch set uploaded (by Glaisher):
Cleanup notification sent for new issues

https://gerrit.wikimedia.org/r/255076

Change 255076 merged by jenkins-bot:
Cleanup notification sent for new issues

https://gerrit.wikimedia.org/r/255076

Glaisher closed this task as Resolved. Dec 10 2015, 12:03 PM
Glaisher claimed this task.