
Extension:RSS shouldn't invent its own way to escape and parse things
Open, Medium, Public

Description

phan-taint-check-plugin claims there is an XSS issue in RSS, but I think it's simply unable to understand all the custom parsing/escaping that RSSParser.php is doing. I don't think there's any reason for it to re-invent the wheel either. For example the rationale for not using wfEscapeWikitext() is outdated/wrong.

Related:

Event Timeline

chasemp triaged this task as Medium priority. Dec 9 2019, 4:50 PM
chasemp added a project: Security-Team.