CVE-2017-0365
SearchHighlighter::removeWiki() uses a regex to remove HTML from snippets. The regex, /<\/?[^>]+>/, assumes that the HTML is well-formed: a tag that is never closed with > does not match and survives in the snippet. As a result, when SearchHighlighter::highlightText() is used as the highlighting method, the search results page can contain an XSS. (Note that it is not the default highlighting method, and it is not in use on Wikimedia.)
Steps to reproduce:
- Use default mysql search (i.e. Not cirrus)
- Set $wgAdvancedSearchHighlighting = true (it is off by default)
- Create a page with the content <img onerror="alert(1)" src=x Cat Dog (the <img> tag is deliberately left unclosed, so the regex does not strip it)
- Search for Cat Dog
- The <img> tag should then appear in the search result snippet, resulting in a pop-up box
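The following PHP is an added example, not MediaWiki's code and not part of the advisory: it models the tag-stripping regex quoted above together with a simplified stand-in for the term wrapping that highlightText() performs (the function names stripTagsLikeRemoveWiki, wrapTerms, vulnerableSnippet, hardenedSnippet and hasEventHandlerTag are illustrative, and the searchmatch span is an assumption about the highlighter's output, not a claim about its exact markup). It shows why the unclosed tag survives stripping, why the markup inserted afterwards turns it into a live element in the browser, and one hardened variant that HTML-escapes the stripped text before any markup is added.

```php
<?php
// Added example, not MediaWiki's own code. Function names are illustrative.

// The pattern quoted in the advisory. It only matches tags that end in '>',
// so an unclosed '<img ...' is left in the snippet untouched.
function stripTagsLikeRemoveWiki( string $snippet ): string {
    return preg_replace( '/<\/?[^>]+>/', '', $snippet );
}

// Simplified stand-in for the term wrapping done by highlightText(): each
// search term is wrapped in a span. The span markup is an assumption here.
function wrapTerms( string $text, array $terms ): string {
    foreach ( $terms as $term ) {
        $text = preg_replace(
            '/' . preg_quote( $term, '/' ) . '/i',
            "<span class='searchmatch'>$0</span>",
            $text
        );
    }
    return $text;
}

// Vulnerable flow: strip, then wrap. The surviving '<img onerror=...' is
// followed by our inserted span, and the '>' that ends '<span ...>' is the
// first '>' the browser sees, so it closes the img tag with onerror intact.
function vulnerableSnippet( string $pageText, array $terms ): string {
    return wrapTerms( stripTagsLikeRemoveWiki( $pageText ), $terms );
}

// Hardened flow: strip, then HTML-escape everything that came from the page,
// and only then insert the markup we control. The leftover '<' becomes '&lt;',
// so no later '>' can complete it into a tag. Terms are escaped the same way
// so they still match inside the escaped text.
function hardenedSnippet( string $pageText, array $terms ): string {
    $safe = htmlspecialchars( stripTagsLikeRemoveWiki( $pageText ), ENT_QUOTES );
    $escapedTerms = array_map(
        fn( string $t ): string => htmlspecialchars( $t, ENT_QUOTES ),
        $terms
    );
    return wrapTerms( $safe, $escapedTerms );
}

// Crude check used to compare the two flows: is there a tag carrying an
// on* event handler attribute in the final HTML?
function hasEventHandlerTag( string $html ): bool {
    return (bool)preg_match( '/<[a-z]+[^>]*\son[a-z]+\s*=/i', $html );
}

// Constructed inputs mirroring the reproduction steps above.
$wellFormed = '<img onerror="alert(1)" src=x> Cat Dog';
$unclosed   = '<img onerror="alert(1)" src=x Cat Dog';
$terms      = [ 'Cat', 'Dog' ];

foreach ( [ 'well-formed' => $wellFormed, 'unclosed' => $unclosed ] as $label => $input ) {
    $vuln = vulnerableSnippet( $input, $terms );
    $hard = hardenedSnippet( $input, $terms );
    printf( "%-11s vulnerable (handler tag: %s): %s\n",
        $label, hasEventHandlerTag( $vuln ) ? 'yes' : 'no', $vuln );
    printf( "%-11s hardened   (handler tag: %s): %s\n",
        $label, hasEventHandlerTag( $hard ) ? 'yes' : 'no', $hard );
}
```

Running it with the well-formed input shows the regex doing its job: the tag is removed and only the highlight spans remain. With the unclosed input the vulnerable flow reports a handler tag, because the snippet now begins with <img onerror="alert(1)" src=x followed by the inserted span, exactly the shape the browser will render as an image element with a live onerror. The hardened flow reports none for either input, since every '<' originating from page content has been turned into &lt; before the highlight markup is added. The general lesson is that a blacklist-style regex can only remove what it recognises; the safe order is to escape untrusted text first and add trusted markup last.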