
XSS in templatedata
Closed, Resolved · Public

Description

Parameters descriptions allow raw HTML:

{
	"params": {
		"1": {
			"description": "<a onclick=\"alert('XSS')\">Test</a>"
		}
	}
}

The link is inserted directly into the description table; clicking on it executes the JavaScript.
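As an added illustration (not code from the report or from the TemplateData extension), the following renders the parameter table from the blob above both ways: inserting the description unescaped, which mirrors the rawElement behaviour the report describes, and HTML-escaping it first, which mirrors text()/element(). The rendering helpers and the constructed blob are assumptions for demonstration only.

```python
import html
import json

# Constructed sample mirroring the report: a parameter description carrying raw HTML.
TEMPLATEDATA_JSON = """{
    "params": {
        "1": {
            "description": "<a onclick=\\"alert('XSS')\\">Test</a>"
        }
    }
}"""


def _description_text(param: dict) -> str:
    """TemplateData allows a plain string or a language-keyed object; take a string."""
    desc = param.get("description", "")
    if isinstance(desc, dict):
        desc = desc.get("en") or next(iter(desc.values()), "")
    return desc


def render_param_rows(blob: str, escape: bool) -> str:
    """Render the parameter description table from a templatedata blob.

    escape=False inserts the description as-is (rawElement-style, the reported
    bug); escape=True escapes it first (text()/element()-style, the fix).
    """
    data = json.loads(blob)
    rows = []
    for name, param in data.get("params", {}).items():
        desc = _description_text(param)
        cell = html.escape(desc, quote=True) if escape else desc
        rows.append(f"<tr><th>{html.escape(name)}</th><td>{cell}</td></tr>")
    return "<table>" + "".join(rows) + "</table>"


def params_with_markup(blob: str) -> list:
    """Triage helper: names of parameters whose description contains HTML-significant characters."""
    data = json.loads(blob)
    return [
        name for name, param in data.get("params", {}).items()
        if any(ch in _description_text(param) for ch in "<>&\"'")
    ]
```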

Event Timeline

Ltrlg raised the priority of this task from to Needs Triage.
Ltrlg updated the task description. (Show Details)
Ltrlg subscribed.
Ltrlg set Security to None.
Ltrlg updated the task description. (Show Details)
Ltrlg changed Security from None to Software security bug.
Restricted Application changed the visibility from "Public (No Login Required)" to "Custom Policy". Nov 15 2015, 10:05 AM
Restricted Application changed the edit policy from "All Users" to "Custom Policy".
Restricted Application added a project: acl*security.
Bawolff subscribed.

Confirmed, issue is present

I checked the rest of the getHtml() method for similar issues and found none.

The structure of the code that generates the table is a little hard to read.

It looks like 402d95ff6b27800ecbd38e7be1eea18006060752 changed that to be a rawElement.

Timo, can you look at @Bawolff's patch, and make sure it doesn't break something you were accounting for when you did that?

<Krinkle> csteipp: Looks good. Was not intended to be rawElement. I think an earlier version of that patch passed parameter and used escaped() and then one changed to text() but the other remained rawElement. Not relied upon.

(just prefixed the patch description with SECURITY to make it easy to see in git)

LGTM

csteipp claimed this task.

22:21 csteipp: deployed patch for T118682

Bawolff removed csteipp as the assignee of this task.

Not sure what happened, but this is present on mediawiki.org right now.

Re-deployed. I'm also going to publicize this momentarily.

[20:48]	logmsgbot	!log bawolff@tin Synchronized php-1.31.0-wmf.12/extensions/TemplateData/TemplateDataBlob.php: T118682 (duration: 00m 52s)

and

https://gerrit.wikimedia.org/r/#/c/398911/

Bawolff claimed this task.
Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".
Bawolff changed the edit policy from "Custom Policy" to "All Users".
This comment was removed by Bawolff.