Parameters descriptions allow raw HTML:
{ "params": { "1": { "description": "<a onclick=\"alert('XSS')\">Test</a>" } } }
The link is directly inserted in the description table, clicking on it executes the JavaScript script.
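The defect above and its fix, as an added stand-alone example (not the TemplateData extension's own code): the same parameter description rendered once as raw markup and once as escaped text, with a parse-based check that the escaped row contains no element or event-handler attribute introduced by the description. Function names, the table layout and the constructed blob are assumptions for illustration.

```php
<?php
// Added example, not the TemplateData extension's own code: a stand-alone
// rendering of one parameter table row, with the unescaped ("before") and
// escaped ("after") handling of the description side by side. Function names
// and the table layout are assumptions for illustration.

// Constructed blob carrying the event-handler payload from the task description.
const SAMPLE_BLOB = '{ "params": { "1": { "description": "<a onclick=\"alert(\'XSS\')\">Test</a>" } } }';

function cell(string $text, bool $escape): string {
    if ($escape) {
        // Like Html::element(): treat the description as text, so every
        // character with markup meaning is entity-encoded.
        $text = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    // Like Html::rawElement(): the string goes into the document verbatim.
    return '<td>' . $text . '</td>';
}

function renderParamRows(string $json, bool $escape): string {
    $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    $rows = '';
    foreach ($data['params'] as $name => $param) {
        $rows .= '<tr>' . cell((string)$name, true)
              . cell($param['description'] ?? '', $escape) . "</tr>\n";
    }
    return $rows;
}

// Defender-side check: parse the rendered fragment and count nodes the
// description was able to introduce (any <a> element or any on* attribute).
function countInjectedNodes(string $rows): int {
    $doc = new DOMDocument();
    $doc->loadHTML('<table>' . $rows . '</table>', LIBXML_NOERROR);
    $xpath = new DOMXPath($doc);
    return $xpath->query('//a | //@*[starts-with(name(), "on")]')->length;
}

$before = renderParamRows(SAMPLE_BLOB, false);
$after  = renderParamRows(SAMPLE_BLOB, true);
echo "before: $before";
echo "after:  $after";
// The raw row carries the <a> element plus its onclick attribute (2 nodes);
// the escaped row carries none.
if (countInjectedNodes($before) !== 2 || countInjectedNodes($after) !== 0) {
    throw new RuntimeException('escaping check failed');
}
```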
Ltrlg, Nov 15 2015, 10:03 AM
F2976778: T118682.patch, Nov 19 2015, 8:42 PM
F2966741: patch to fix escaping on templatedata, Nov 16 2015, 2:28 AM
I checked the rest of the getHtml() method for similar issues and found none.
The structure of the code that generates the table is a little hard to read.
It looks like 402d95ff6b27800ecbd38e7be1eea18006060752 changed that to be a rawElement.
Timo, can you look at @Bawolff's patch, and make sure it doesn't break something you were accounting for when you did that?
<Krinkle> csteipp: Looks good. Was not intended to be rawElement. I think an earlier version of that patch passed the parameter and used escaped() and then one changed to text() but the other remained rawElement. Not relied upon.
LGTM
Re-deployed. I'm also going to publicize this momentarily.
[20:48] logmsgbot !log bawolff@tin Synchronized php-1.31.0-wmf.12/extensions/TemplateData/TemplateDataBlob.php: T118682 (duration: 00m 52s)
and