
Wikitext with HTML elements can mess the conflict resolution interface up
Closed, Resolved | Public | 3 Story Points

Description

While investigating the user report from https://www.mediawiki.org/wiki/Topic:Upao2tuc1nk398ll, I accidentally found a possible HTML injection vector in the extension. We accidentally used rawElement instead of element in one place. The HTML that can be injected this way cannot contain JavaScript, because it was already sanitized via the parser. But it can still mess up the conflict resolution interface.
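
The difference described above, as an added example that is not the extension's code: simplified stand-ins for rawElement and element show that script-free HTML still becomes live markup inside the interface in the first case and stays plain text in the second. The class name `demo-conflict-cell` and the sample text are constructed for illustration.

```php
<?php
// Simplified stand-ins for the escaping difference between MediaWiki's
// Html::rawElement() and Html::element(); not the MediaWiki implementation.
function openTag( string $tag, array $attribs ): string {
	$out = "<$tag";
	foreach ( $attribs as $name => $value ) {
		$out .= " $name=\"" . htmlspecialchars( $value, ENT_QUOTES ) . '"';
	}
	return $out . '>';
}

// Contents are assumed to be HTML already and are inserted verbatim.
function rawElement( string $tag, array $attribs, string $contents ): string {
	return openTag( $tag, $attribs ) . $contents . "</$tag>";
}

// Contents are treated as text and escaped before insertion.
function element( string $tag, array $attribs, string $contents ): string {
	return openTag( $tag, $attribs ) . htmlspecialchars( $contents, ENT_QUOTES ) . "</$tag>";
}

// Number of element nodes that end up inside the wrapper once the markup is parsed.
function elementsInsideWrapper( string $html ): int {
	libxml_use_internal_errors( true );
	$doc = new DOMDocument();
	$doc->loadHTML( $html );
	$xpath = new DOMXPath( $doc );
	return $xpath->query( '//div[@class="demo-conflict-cell"]//*' )->length;
}

// Constructed sample: script-free HTML of the kind that survives sanitization.
$userText = '<h2>Heading</h2><ul><li>item</li></ul>';
$attribs = [ 'class' => 'demo-conflict-cell' ]; // hypothetical class name

foreach ( [ 'rawElement', 'element' ] as $helper ) {
	$html = $helper( 'div', $attribs, $userText );
	printf( "%-10s %d injected element(s)\n  %s\n", $helper, elementsInsideWrapper( $html ), $html );
}
```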

Details

Related Gerrit Patches:
mediawiki/extensions/TwoColConflict : wmf/1.33.0-wmf.6 : Fix unescaped HTML injected into conflict resolution interface
mediawiki/extensions/TwoColConflict : master : Fix unescaped HTML injected into conflict resolution interface

Event Timeline

Change 476263 had a related patch set uploaded (by Thiemo Kreuz (WMDE); owner: Thiemo Kreuz (WMDE)):
[mediawiki/extensions/TwoColConflict@master] Fix unescaped HTML injected into conflict resolution interface

https://gerrit.wikimedia.org/r/476263

thiemowmde triaged this task as High priority. Nov 28 2018, 1:29 PM
thiemowmde moved this task from Sprint Backlog to Review on the WMDE-QWERTY-Sprint-2018-11-20 board.
WMDE-Fisch set the point value for this task to 2. Nov 28 2018, 3:22 PM

Change 476263 merged by jenkins-bot:
[mediawiki/extensions/TwoColConflict@master] Fix unescaped HTML injected into conflict resolution interface

https://gerrit.wikimedia.org/r/476263

Demo:
Before that patch, reverting a part of text including HTML would break the interface. Can still be reproduced on production.

WMDE-Fisch changed the point value for this task from 2 to 3. Nov 28 2018, 4:18 PM

Backport this to wmf.6

Change 476300 had a related patch set uploaded (by WMDE-Fisch; owner: Thiemo Kreuz (WMDE)):
[mediawiki/extensions/TwoColConflict@wmf/1.33.0-wmf.6] Fix unescaped HTML injected into conflict resolution interface

https://gerrit.wikimedia.org/r/476300

Change 476300 merged by jenkins-bot:
[mediawiki/extensions/TwoColConflict@wmf/1.33.0-wmf.6] Fix unescaped HTML injected into conflict resolution interface

https://gerrit.wikimedia.org/r/476300

Live now on all wmf.6 wikis (big Wikipedia deploy will follow when train is finished today)

Lea_WMDE closed this task as Resolved. Dec 3 2018, 10:30 AM
Lea_WMDE moved this task from Demo to Done on the WMDE-QWERTY-Sprint-2018-11-20 board.