While investigating the user report from https://www.mediawiki.org/wiki/Topic:Upao2tuc1nk398ll, I accidentally found a possible HTML injection vector in the extension. We accidentally used rawElement instead of element in one place. The HTML that can be injected this way cannot contain JavaScript, because it was already sanitized via the parser. But it can still mess up the conflict resolution interface.
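The description above turns on the difference between MediaWiki's `Html::element()` (content is escaped) and `Html::rawElement()` (content is inserted verbatim). The following is an added illustration, not code from the TwoColConflict extension or from MediaWiki core: the two builders are simplified stand-ins written here with the same escaping contract, the class names and the sample paragraph are constructed, and the tag-balance check is a rough heuristic chosen for this demo. It shows why parser-sanitized text, which carries no script, can still break the surrounding interface when it is placed with the raw variant.

```php
<?php
// Added example (not the extension's own code). buildElement() and
// buildRawElement() are stand-ins modelled on the escaping contract of
// MediaWiki's Html::element() / Html::rawElement(); they are not those functions.

/** Attribute serialisation shared by both builders; values are always escaped. */
function formatAttributes( array $attrs ): string {
    $out = '';
    foreach ( $attrs as $name => $value ) {
        $out .= ' ' . $name . '="'
            . htmlspecialchars( (string)$value, ENT_QUOTES | ENT_HTML5, 'UTF-8' ) . '"';
    }
    return $out;
}

/** Stand-in for Html::element(): the text content is HTML-escaped. */
function buildElement( string $tag, array $attrs, string $text ): string {
    return '<' . $tag . formatAttributes( $attrs ) . '>'
        . htmlspecialchars( $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' )
        . '</' . $tag . '>';
}

/** Stand-in for Html::rawElement(): the content is inserted as-is. */
function buildRawElement( string $tag, array $attrs, string $html ): string {
    return '<' . $tag . formatAttributes( $attrs ) . '>' . $html . '</' . $tag . '>';
}

/**
 * Rough structural check: number of opening <div> tags minus closing ones.
 * 0 means the rendered cell is self-contained; a negative value means the
 * inserted content closed the container early and spilled into the page.
 */
function divBalance( string $html ): int {
    return preg_match_all( '/<div\b[^>]*>/i', $html )
        - preg_match_all( '/<\/div>/i', $html );
}

// Constructed sample: the text already passed through the parser's sanitizer,
// so it contains no <script>, but it still contains structural tags.
$sanitizedParagraph = '</div><div class="example-injected">injected row</div>';

// 'example-diff-cell' is a placeholder class name, not the extension's real one.
$safe   = buildElement( 'div', [ 'class' => 'example-diff-cell' ], $sanitizedParagraph );
$broken = buildRawElement( 'div', [ 'class' => 'example-diff-cell' ], $sanitizedParagraph );

echo "element():    ", $safe, "\n";    // escaped tags render as literal text
echo "rawElement(): ", $broken, "\n";  // the leading </div> closes the cell early
echo "div balance: safe=", divBalance( $safe ),
     " broken=", divBalance( $broken ), "\n";
```

Run with `php example.php`: the escaped variant keeps a balance of 0, while the raw variant ends at -1 because the injected `</div>` terminated the cell before its own content, which is exactly the kind of layout breakage the report describes. The fix pattern is the one the patch title implies: use the escaping builder wherever the content is meant to be shown as text rather than interpreted as markup.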
Related Objects
Mentioned In
- rESCCacb5d9837a5d: Fix unescaped HTML injected into conflict resolution interface
- rESCCcafc0cb16890: Fix unescaped HTML injected into conflict resolution interface
- rESCC44a45653a183: Fix unescaped HTML injected into conflict resolution interface
- rESCCda5b4930bcca: Fix unescaped HTML injected into conflict resolution interface
Event Timeline
Change 476263 had a related patch set uploaded (by Thiemo Kreuz (WMDE); owner: Thiemo Kreuz (WMDE)):
[mediawiki/extensions/TwoColConflict@master] Fix unescaped HTML injected into conflict resolution interface
Change 476263 merged by jenkins-bot:
[mediawiki/extensions/TwoColConflict@master] Fix unescaped HTML injected into conflict resolution interface
Demo:
Before that patch, reverting a part of text including HTML would break the interface. Can still be reproduced on production.
Change 476300 had a related patch set uploaded (by WMDE-Fisch; owner: Thiemo Kreuz (WMDE)):
[mediawiki/extensions/TwoColConflict@wmf/1.33.0-wmf.6] Fix unescaped HTML injected into conflict resolution interface
SWAT booked for today 1 PM UTC+1 https://wikitech.wikimedia.org/w/index.php?title=Deployments&type=revision&diff=1809822&oldid=1809798
Change 476300 merged by jenkins-bot:
[mediawiki/extensions/TwoColConflict@wmf/1.33.0-wmf.6] Fix unescaped HTML injected into conflict resolution interface
Live now on all wmf.6 wikis (big wikipedia deploy will follow when train is finished today)