
Raw HTML message in RSS extension
Closed, Resolved (Public)

Description

In a parser tag hook:

			return wfMessage(
				'rss-error', htmlspecialchars( $input ), Status::wrap( $status )->getWikitext()
			)->text();

There's one more phan-taint-check-plugin warning that I can't tell if it's legit or not. I think I remember @Bawolff saying that reusing variables (like in RSSParser::renderFeed()) confuses the plugin.

<checkstyle version="6.5">
  <file name="./RSSHooks.php">
    <error line="86" severity="warning" message="Outputting user controlled HTML from Parser tag hook \RSSHooks::renderRss" source="SecurityCheck-XSS"/>
    <error line="95" severity="warning" message="Outputting user controlled HTML from Parser tag hook \RSSHooks::renderRss (Caused by: ./RSSParser.php +374; ./RSSParser.php +363; ./RSSParser.php +368)" source="SecurityCheck-XSS"/>
  </file>
</checkstyle>