Page MenuHomePhabricator
Create Task
Maniphest T210603

Wikitext with HTML elements can mess the conflict resolution interface up
Closed, ResolvedPublic3 Story Points
Actions

Description

While investigating the user report from https://www.mediawiki.org/wiki/Topic:Upao2tuc1nk398ll, I accidentally found a possible HTML injection vector in the extension. We accidentally used rawElement instead of element in one place. The HTML that can be injected this way can not contain JavaScript, because it was already sanitized via the parser. But it can still mess up the conflict resolution interface.

Details

Related Gerrit Patches:
mediawiki/extensions/TwoColConflict : wmf/1.33.0-wmf.6Fix unescaped HTML injected into conflict resolution interface
mediawiki/extensions/TwoColConflict : masterFix unescaped HTML injected into conflict resolution interface

Related Objects

Event Timeline

gerritbot added a subscriber: gerritbot.Nov 28 2018, 1:29 PM

Change 476263 had a related patch set uploaded (by Thiemo Kreuz (WMDE); owner: Thiemo Kreuz (WMDE)):
[mediawiki/extensions/TwoColConflict@master] Fix unescaped HTML injected into conflict resolution interface

https://gerrit.wikimedia.org/r/476263

thiemowmde triaged this task as High priority.Nov 28 2018, 1:29 PM
thiemowmde moved this task from Sprint Backlog to Review on the WMDE-QWERTY-Sprint-2018-11-20 board.
WMDE-Fisch set the point value for this task to 2.Nov 28 2018, 3:22 PM
gerritbot added a comment.Nov 28 2018, 3:28 PM

Change 476263 merged by jenkins-bot:
[mediawiki/extensions/TwoColConflict@master] Fix unescaped HTML injected into conflict resolution interface

https://gerrit.wikimedia.org/r/476263

WMDE-Fisch moved this task from Review to Demo on the WMDE-QWERTY-Sprint-2018-11-20 board.Nov 28 2018, 3:33 PM

Demo:
Before that patch, reverting a part of text including HTML would break the interface. Can still be reproduced on production.

WMDE-Fisch changed the point value for this task from 2 to 3.Nov 28 2018, 4:18 PM

Backport this to wmf.6

gerritbot added a comment.Nov 28 2018, 4:19 PM

Change 476300 had a related patch set uploaded (by WMDE-Fisch; owner: Thiemo Kreuz (WMDE)):
[mediawiki/extensions/TwoColConflict@wmf/1.33.0-wmf.6] Fix unescaped HTML injected into conflict resolution interface

https://gerrit.wikimedia.org/r/476300

gerritbot added a comment.Nov 29 2018, 12:38 PM

Change 476300 merged by jenkins-bot:
[mediawiki/extensions/TwoColConflict@wmf/1.33.0-wmf.6] Fix unescaped HTML injected into conflict resolution interface

https://gerrit.wikimedia.org/r/476300

WMDE-Fisch added a comment.Nov 29 2018, 12:50 PM

Live now on all wmf.6 wikis ( big wikipedia deploy will follow when train is finished today )

Lea_WMDE closed this task as Resolved.Dec 3 2018, 10:30 AM
Lea_WMDE moved this task from Demo to Done on the WMDE-QWERTY-Sprint-2018-11-20 board.
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL