If I have JavaScript in a Wikibase description (e.g. <script>alert( 'hi' );</script>) and then search for it (or the item is nearby), the JavaScript is injected instead of being escaped.
Description
Details
Subject | Repo | Branch | Lines +/-
---|---|---|---
[SECURITY] Don't render wikidata description as HTML | mediawiki/extensions/MobileFrontend | master | +1 -1
Event Timeline
Reminder: the patch for this should not go into Gerrit if this is a true XSS. It should be added as an attachment here.
To be clear, this happens in Special:Nearby and mobile search (and probably the watchlist). AFAIK there are different/multiple code paths for these.
Wow. Seems that we just treat it as HTML and it's not clear why. Can Wikidata descriptions contain safe HTML e.g. <strong> tags?
No. Wikibase terms (labels, descriptions, and aliases) are plain text. They need escaping before they can be used in HTML (or even in wikitext, though that would just get confusing, not dangerous).
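The point above, as an added example that is not MobileFrontend or Wikibase code: a Wikibase term is plain text, so any HTML-significant character in it has to be escaped before the term is interpolated into markup. The item below is constructed sample data shaped like a Wikibase term, and the two render functions are hypothetical stand-ins for a mobile search result template, one concatenating the raw term (the bug) and one escaping it first (the fix).

```javascript
// Added example, not code from the original task or from MobileFrontend/Wikibase.
// Demonstrates why plain-text Wikibase terms (labels, descriptions, aliases)
// must be HTML-escaped before being placed into markup.

// Constructed sample item (not real Wikidata content); the description carries
// the payload from the task title.
const item = {
  label: 'Example item',
  description: "<script>alert( 'hi' );</script>",
};

// Escape the five characters that carry meaning in HTML text and attributes.
// Hypothetical helper; MediaWiki core has its own equivalent (mw.html.escape).
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Vulnerable rendering (hypothetical): the terms are concatenated into markup
// verbatim, so a <script> element inside the description becomes a real
// <script> element in the page, i.e. the XSS the task describes.
function renderResultUnsafe(entity) {
  return '<li><h3>' + entity.label + '</h3>' +
         '<div class="description">' + entity.description + '</div></li>';
}

// Fixed rendering (hypothetical): every term is escaped before interpolation,
// so the browser shows the payload as text instead of executing it.
function renderResultSafe(entity) {
  return '<li><h3>' + escapeHtml(entity.label) + '</h3>' +
         '<div class="description">' + escapeHtml(entity.description) + '</div></li>';
}

// Crude check used below: does the rendered snippet contain a live <script>
// start tag? (An escaped payload renders as "&lt;script&gt;", which does not match.)
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log('unsafe:', renderResultUnsafe(item));
console.log('safe:  ', renderResultSafe(item));
```

The same treatment applies to labels and aliases, and to any other place a term is written into HTML, including attribute values such as title="...", which is why escapeHtml above also handles both quote characters.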
It will have to go to master via Gerrit. If this were code in a release branch, it would have to be in the next MW security release before being put into Gerrit.
The patch isn't in current MobileFrontend master. @csteipp, is it safe to post it publicly now?
I'm not sure how we're handling MobileFrontend. @demon, do we want to wait for the next release, or should they just push this now?
It's not bundled, so I'd just push and announce it publicly for those using it.
Cool. So @Jdlrobson, merge in Gerrit, close and make this task public, and send a message about it to wikitech-l (and maybe mediawiki-l). Can you or someone on your team handle that?
Email sent to wikitech-l and mobile-l - "MobileFrontend+Wikibase security patch"
@phuedx could you sign off?
I've verified that neither search nor the watchlist are affected on the Beta Cluster. I updated Q77282 and tested both features. However, it's hard to verify Special:Nearby as it's hitting the enwiki API rather than the local API.