Split from T120291#1850816:
Simply put <script>alert(1)</script> in a topic title.
Catrope, Dec 3 2015, 11:58 PM
Status | Subtype | Assigned | Task
---|---|---|---
Resolved | | Catrope | T120324 XSS in Flow topic titles
Resolved | | Mattflaschen-WMF | T120291 wikitext in flow titles is parsed (HTML tags like <tt> and templates) on echo notifications
Resolved | | Mattflaschen-WMF | T129439 topic-title-plaintext content format to treat topic-title-wikitext as plain text
Change 256858 had a related patch set uploaded (by Catrope):
[SECURITY] Escape HTML characters in topic titles
Change 256867 had a related patch set uploaded (by CSteipp):
Add warning comment on formatLinksInComment
Change 256858 merged by jenkins-bot:
[SECURITY] Escape HTML characters in topic titles
The issue is resolved, so I'm going to close this.
SBisson, if there are ways I can support the Collab team's QA process to make sure we don't have this happen again, let me know. Let's make that a follow-up phab task, if there's anything we can identify.
Checked in betalabs - title, reply, board description, summary look fine.
There is the same issue with displaying html in a topic title as in T119537: Links in Flow topic titles: html code displayed when page scrolls up
> SBisson, if there are ways I can support the Collab team's QA process to make sure we don't have this happen again, let me know. Let's make that a follow-up phab task, if there's anything we can identify.
It's a good question. @Etonkovidova, our QA, might have some ideas.
Please review the following. Any suggestions (follow-up bugs/more testing) are welcome.
Tested on test.wikipedia.org
Data | Flow topic titles | Echo flyout | Notification page
---|---|---|---
`<code></code>` | plain text | as code text | as code text
`<script>alert(1)</script>` | plain text | plain text | plain text
`<tt>` | plain text | is not displayed | monospace; changes all text to monospace
`{{release}}` | plain text | red link | red link
`<!--T:1-->` | plain text | plain text | plain text
`<translate>` | plain text | plain text | plain text
Red links for templates and <code> text displayed on Notifications page and in Echo.
Monospace in Echo notifications
<tt> in a topic title displayed on the Notifications page changed the font of all subsequent notification messages to monospace (and, in fact, all of the page's fonts).
Thanks for testing. The *only* markup that topic titles support is internal links ([[Earth]]) and media links ([[Media:Saturn.jpg]]).
That means all cells of that table should be plain text.
The red links for templates are only because the template didn't exist. If it did, it would render, which is also wrong (templates are not supported).
Some of this is T120291: wikitext in flow titles is parsed (HTML tags like <tt> and templates) on echo notifications.
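The rule stated above (escape everything, then allow only `[[...]]` link syntax) as an added illustration, not Flow's own code; the `/wiki/` link prefix, the `render_topic_title` and `only_link_markup` names and the `SAMPLES` rows from the QA table are assumptions constructed for this example:

```python
import html
import re

# [[Target]] or [[Target|label]]; anything else in the title stays literal text.
_LINK_RE = re.compile(r"\[\[([^\[\]|]+)(?:\|([^\[\]]+))?\]\]")

# Any HTML tag that is not <a ...> or </a>; escaped text never contains a raw '<'.
_FOREIGN_TAG_RE = re.compile(r"<(?!/?a(?:\s|>))")

# Constructed sample titles, mirroring the rows of the QA table above.
SAMPLES = ["<code></code>", "<script>alert(1)</script>", "<tt>",
           "{{release}}", "<!--T:1-->", "<translate>", "See [[Earth]]"]


def render_topic_title(title: str) -> str:
    """Render a topic title as HTML with only internal/media links honoured.

    The whole title is HTML-escaped first, so <script>, <tt>, {{release}} and
    <!--T:1--> all come out as visible plain text. Only [[...]] is then turned
    into an <a> element, and both the href and the label are escaped again.
    """
    out = []
    pos = 0
    for m in _LINK_RE.finditer(title):
        out.append(html.escape(title[pos:m.start()]))
        target = m.group(1).strip()
        label = (m.group(2) or target).strip()
        path = target.replace(" ", "_")           # [[Media:Saturn.jpg]] -> /wiki/Media:Saturn.jpg
        out.append('<a href="/wiki/%s">%s</a>' % (html.escape(path, quote=True),
                                                  html.escape(label)))
        pos = m.end()
    out.append(html.escape(title[pos:]))
    return "".join(out)


def only_link_markup(rendered: str) -> bool:
    """QA check: the rendered title contains no HTML tag other than <a>/</a>."""
    return _FOREIGN_TAG_RE.search(rendered) is None


def check_samples() -> dict:
    """Render every sample and report whether each one passes the QA check."""
    return {s: only_link_markup(render_topic_title(s)) for s in SAMPLES}


if __name__ == "__main__":
    for title, ok in check_samples().items():
        print("%-28s -> %s  [%s]" % (title, render_topic_title(title), "ok" if ok else "TAG LEAKED"))
```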
@Mattflaschen To clarify, did you re-open due to further security issues, or do you just have related concerns with title handling that do not have security implications?
If it's for follow-up things that aren't security, could that be done in a separate bug?
I don't think any of the remaining parts are strictly security.
I'll use T120291: wikitext in flow titles is parsed (HTML tags like <tt> and templates) on echo notifications and file a new bug if I find Flow itself displaying it wrong anywhere.