Not a big deal, but several of the wikieditor-toolbar-* messages (e.g. wikieditor-toolbar-group-format, wikieditor-toolbar-help-heading-description, etc.) are used as raw HTML. Since this is unnecessary, it would be nice if we could change this so the messages are not treated as raw HTML.
Related changes (mediawiki/extensions/WikiEditor : master):
- Fork autoMsg() with escaped autoSafeMsg(), replace where appropriate
- Escape messages appropriately and not use raw html
- Convert raw html messages to normal messages
Steps to reproduce:
- Open index.php?title=MediaWiki:Wikieditor-toolbar-help-heading-description&action=edit with a user who has the rights to edit this system message.
- Insert <i onmouseover="alert('JS injection')">Description</i>.
- Maybe clear any caches (Shift+Ctrl+R).
- Hover over the Description in the Help menu.
Note that this is likely partially intentional. The dialog config specifically uses the key "htmlMsg" for these descriptions. That means that likely in some conditions it is expected to actually be HTML. Now getting rid of those expectations might be possible, but I suspect some of it is a bit complicated.
Finding the actual messages (see i18n/en.json) that have this problem should be the first step:
I think that none of the -description ones actually require HTML (though there are ones with HTML entities in them that need to be re-encoded/rewritten).
The true purpose is probably the -result messages, which seem to give language-specific preview renderings of wikicode syntax. These will need to be separated in the wikieditor logic and be handled separately from the -description and -syntax messages. In theory you could replace them with HTML templates and then make those translatable. A bit more work than most cases of these raw html issues.
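To make the distinction above concrete, here is an added example (not WikiEditor's own code) of the split the task proposes: a plain "msg" key is always escaped before it reaches the toolbar, and only an explicit "htmlMsg" key is rendered as markup. The names renderLabel, containsEventHandler and the message table are hypothetical stand-ins for the extension's autoMsg()/autoSafeMsg() handling and for i18n/en.json; the edited description uses the markup from the reproduction steps, and the -result key is a constructed one, not a real message name.

```javascript
// Added example, not WikiEditor's code. Shows why an escaped autoSafeMsg()
// is enough for -description labels while -result previews still need a
// separate, explicitly raw-HTML path.

// Constructed message table standing in for i18n/en.json. The second entry
// is what an editor-modified system message looks like after the steps in
// the task; the third is a constructed stand-in for a -result preview.
const messages = {
  'wikieditor-toolbar-group-format': 'Format',
  'wikieditor-toolbar-help-heading-description':
    '<i onmouseover="alert(\'JS injection\')">Description</i>',
  'wikieditor-toolbar-example-result': '<b>Bold text</b>',
};

// Minimal HTML escaper for the five characters that matter in text and
// attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Hypothetical autoMsg(): looks the message up and trusts it as raw HTML.
function autoMsg(key) {
  return messages[key] ?? key;
}

// Hypothetical autoSafeMsg(): same lookup, escaped before it can be parsed
// as markup. This is the variant the task wants for -description messages.
function autoSafeMsg(key) {
  return escapeHtml(messages[key] ?? key);
}

// Render one toolbar config entry to an HTML string. Only an explicit
// htmlMsg key is treated as markup; a plain msg key is always escaped.
function renderLabel(entry) {
  if (Object.prototype.hasOwnProperty.call(entry, 'htmlMsg')) {
    return autoMsg(entry.htmlMsg);
  }
  return autoSafeMsg(entry.msg);
}

// Defender-side check: does the rendered string still contain an element
// carrying an on* event-handler attribute?
function containsEventHandler(html) {
  return /<[^>]+\son\w+\s*=/i.test(html);
}

// Usage: the description comes out inert, the preview keeps its markup.
const description = renderLabel({ msg: 'wikieditor-toolbar-help-heading-description' });
const preview = renderLabel({ htmlMsg: 'wikieditor-toolbar-example-result' });
console.log(description); // &lt;i onmouseover=&quot;alert(&#39;JS injection&#39;)&quot;&gt;Description&lt;/i&gt;
console.log(preview);     // <b>Bold text</b>
console.log(containsEventHandler(description), containsEventHandler(preview)); // false false
```

The design point is that the decision to render HTML is made by the config key, not by the message content, so an edit to a -description system message can never change how it is interpreted; only the -result entries, which are deliberately listed under htmlMsg, keep the raw path and therefore remain the ones worth converting to templates.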