Page MenuHomePhabricator
Create Task
Maniphest T22999

SelectCategoryTagCloud is not properly escaping tags
Closed, DeclinedPublic
Actions

Description

Author: fhidalgo

Description:
When we have one category with the char: ", extension broken html because, we print in function createTagCloud, in SelectCategoryTagCloud.body.php:

$currentRow = "<span title='" .wfMsg( 'selectcategory-tooltip' ). "' onclick='checkCategory(this)' class='" . $existingClass . $link_class . "' style='{$style}'>" . $title->getText() . "</span>&nbsp; ";

I have solved it, changed the line by:
$currentRow = "<span title='" .wfMsg( 'selectcategory-tooltip' ). "' onclick='checkCategory(this)' class='" . $existingClass . $link_class . "' style='{$style}'>" . str_replace('"','&quot;',$title->getText()) . "</span>&nbsp; ";

Regards!

Version: unspecified
Severity: major
URL: http://www.blobject.es

Details

Reference
bz20999

Related Objects

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 10:48 PM
bzimport added a project: MediaWiki-extensions-Other.
bzimport set Reference to bz20999.
bzimport created this task.Oct 5 2009, 10:18 AM
Catrope added a comment.Oct 5 2009, 10:36 AM

This is not a proper fix, you should use htmlspecialchars($title->getText()) instead.

MZMcBride added a comment.Nov 3 2011, 12:06 AM

I'm removing the "need-review" keyword. Roan reviewed the "patch" in comment 1. (I think the "patch" keyword is a bit silly here as well, but I'll leave it for now.)

(In reply to comment #1)

This is not a proper fix, you should use htmlspecialchars($title->getText())
instead.

I thought there was a MediaWiki-specific escape function that people used instead of htmlspecialchars. Maybe I'm thinking of something else?

bzimport added a comment.Jan 30 2012, 6:40 PM

sumanah wrote:

Adding "reviewed" keyword for clarity.

Hidabe, if you have time to revisit this issue, please stop into our chat channel, MediaWiki-General https://www.mediawiki.org/wiki/MediaWiki_on_IRC to discuss approach. Thanks!

Cboltz added a comment.Sep 22 2012, 6:28 PM

[Fixing the "Component" field - SelectCategoryTagCloud != SelectCategory]

Liuxinyu970226 set Security to None.Nov 28 2015, 12:17 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 28 2015, 12:17 PM
Catrope unsubscribed.Jan 13 2016, 9:28 PM
Liuxinyu970226 subscribed.Feb 19 2019, 10:19 AM

Download link seems down, so it's fairly hard to debug that extension, archive it?

Dinoguy1000 mentioned this in T216654: Archive the SelectCategoryTagCloud extension.Feb 20 2019, 8:06 PM
Kizule closed this task as Declined.Feb 22 2019, 5:48 AM
Kizule subscribed.

Per T216654

Restricted Application removed a subscriber: Liuxinyu970226. · View Herald TranscriptFeb 22 2019, 5:48 AM
Liuxinyu970226 added a comment.Feb 22 2019, 5:55 AM

@zoranzoki21 thx

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL