
[Security] Improve data attribute naming to avoid forge
Closed, Resolved (Public)


Review of 631882e3779 of Newsletter extension (Jan 29, 2017)

For javascript taking stuff from data attributes - if the data attributes are not user controlled, use names starting with data-mw (e.g. instead of data-newsletter-id use data-mw-newsletter-id) unless you have a good reason not to. This prevents users from forging data attributes. In the context of this extension, it doesn't appear that user forging is an actual issue, however using the data-mw convention helps future-proof things against any later changes where such an issue might be relevant.
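The following is an added example, not code from the Newsletter extension or from MediaWiki core, that models why the prefix matters. It assumes that MediaWiki's server-side wikitext sanitizer strips any user-supplied attribute whose name starts with data-mw while letting other data-* attributes through (represented here by the simplified sanitizeUserAttributes function), and that the extension's own markup is emitted without passing through that sanitizer. The element objects, the attribute reader and the sample page (a real link with id 7 next to a user-written span trying to plant id 999) are all constructed for the example; the function names are hypothetical.

```javascript
// Added example (not Newsletter extension or MediaWiki code): the attribute
// name a client script reads from decides whether a user can forge its value.

// Assumption: names in this space are reserved for software-generated markup
// and the server-side sanitizer drops them from anything a user wrote.
const RESERVED_PREFIX = /^data-mw/i;

// Simplified stand-in for the sanitizer pass over attributes typed into
// wikitext: plain data-* attributes survive, reserved data-mw* ones are dropped.
function sanitizeUserAttributes(attrs) {
  const kept = {};
  for (const [name, value] of Object.entries(attrs)) {
    const key = name.toLowerCase();
    if (RESERVED_PREFIX.test(key)) {
      continue; // never user-settable, whatever the casing
    }
    kept[key] = value;
  }
  return kept;
}

// Markup the extension itself emits does not go through the sanitizer,
// so it may carry the reserved prefix. `trusted` is a label for this example.
function renderNewsletterLink(attrName, newsletterId) {
  return { tag: 'a', attrs: { [attrName]: String(newsletterId) }, trusted: true };
}

// Markup a user wrote is whatever they typed, after sanitisation.
function renderUserElement(tag, userAttrs) {
  return { tag, attrs: sanitizeUserAttributes(userAttrs), trusted: false };
}

// Parse a positive integer id; null when the attribute is absent or malformed.
function parseId(raw) {
  if (raw === undefined) return null;
  const id = Number.parseInt(raw, 10);
  return Number.isInteger(id) && id > 0 ? id : null;
}

// Client-side reader: pull the newsletter id from the named attribute.
function readNewsletterId(el, attrName) {
  return parseId(el.attrs[attrName]);
}

// Build a constructed page in which the extension emits and reads `attrName`,
// and return the ids the client script would act on.
function idsSeenBy(attrName) {
  const page = [
    renderNewsletterLink(attrName, 7),
    // Constructed user content: tries to plant id 999 under both names.
    renderUserElement('span', {
      'data-newsletter-id': '999',
      'data-mw-newsletter-id': '999',
      'class': 'harmless',
    }),
  ];
  return page
    .map((el) => readNewsletterId(el, attrName))
    .filter((id) => id !== null);
}

console.log(idsSeenBy('data-newsletter-id'));    // [ 7, 999 ]  forged value accepted
console.log(idsSeenBy('data-mw-newsletter-id')); // [ 7 ]       user's copy was stripped
```

The only difference between the two runs is the attribute name; the reader code is identical. Before the patch the script read data-newsletter-id, which any user can place on their own markup, so the forged 999 reaches the client logic. With data-mw-newsletter-id the user's copy never survives sanitisation, and the client sees only the id the extension rendered.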

Event Timeline

Change 340655 had a related patch set uploaded (by MtDu):
[mediawiki/extensions/Newsletter] Use data-mw-newsletter-id instead of data-newsletter-id

[rm tag security-review. That should only be on the parent bug requesting the security review]

Change 340655 merged by jenkins-bot:
[mediawiki/extensions/Newsletter@master] Use data-mw-newsletter-id instead of data-newsletter-id

01tonythomas claimed this task.
01tonythomas added a subscriber: Florian.

Thanks to @Florian, we have this merged \m/