Page MenuHomePhabricator
Create Task
Maniphest T201108

Raw HTML message in RSS extension
Closed, ResolvedPublic
Actions

Description

In a parser tag hook:

			return wfMessage(
				'rss-error', htmlspecialchars( $input ), Status::wrap( $status )->getWikitext()
			)->text();

There's one more phan-taint-check-plugin warning that I can't tell if it's legit or not. I think I remember @Bawolff saying that reusing variables (like in RSSParser::renderFeed()) confuses the plugin.

<checkstyle version="6.5">
  <file name="./RSSHooks.php">
    <error line="86" severity="warning" message="Outputting user controlled HTML from Parser tag hook \RSSHooks::renderRss" source="SecurityCheck-XSS"/>
    <error line="95" severity="warning" message="Outputting user controlled HTML from Parser tag hook \RSSHooks::renderRss (Caused by: ./RSSParser.php +374; ./RSSParser.php +363; ./RSSParser.php +368)" source="SecurityCheck-XSS"/>
  </file>
</checkstyle>

Details

ProjectBranchLines +/-Subject
mediawiki/extensions/RSSmaster+1 -1Escape error messages used as html
Customize query in gerrit

Related Objects

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL