
Prefer Message::parse() or ::escape() over Message::text()
Closed, Resolved · Public

Description

Follow-up from the security readiness review (T227346).

While no i18n messages came back with any potentially dangerous HTML, it is an attack vector we've seen attempted before (happy to provide more details off-Phab). So while using ->text() in SpecialSuggestedTags.php (line 31) and MachineVisionEntitySaveException.php (line 19) should be fine, I think we'd recommend using ->parse() or ->escaped() instead, if possible. This would also be true for instances of mw.message().text() within various JavaScript widget files.
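To make the distinction the review is drawing concrete, here is an added example (not code from the MachineVision extension or from MediaWiki itself): a small stand-in for the text() / escaped() / parse() output modes of a Message object, with a constructed message table and a deliberately minimal allowlist sanitizer standing in for the real parser.

```javascript
// Added example: a self-contained model of the text() / escaped() / parse()
// output modes of a MediaWiki Message (PHP ->text() or JS mw.message().text()).
// It is NOT the real Message class; the sanitizer is a tiny allowlist so the
// difference between the three modes is visible in a test.
const MESSAGES = {
  'suggestedtags-title': 'Suggested tags for <b>$1</b>',
  // Constructed "bad" i18n string: markup a translation should never contain.
  'tainted-greeting': 'Hello <b onclick="x()">$1</b> <script>alert(1)</script>',
};

// Formatting tags the toy parse() keeps (attributes are always dropped).
const ALLOWED_TAGS = new Set(['b', 'i', 'strong', 'em', 'code']);

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Replace $1, $2, ... with parameters, each passed through `transform`.
function substitute(template, params, transform) {
  return template.replace(/\$(\d+)/g, (m, n) => (params[n - 1] === undefined ? m : transform(params[n - 1])));
}

// Keep allowlisted tags (without attributes); escape every other tag and all text.
function sanitize(html) {
  return html.split(/(<\/?[a-zA-Z]+[^>]*>)/).map((chunk, i) => {
    if (i % 2 === 0) return escapeHtml(chunk);           // text between tags
    const [, slash, tag] = /^<(\/?)([a-zA-Z]+)/.exec(chunk);
    const name = tag.toLowerCase();
    return ALLOWED_TAGS.has(name) ? `<${slash}${name}>` : escapeHtml(chunk);
  }).join('');
}

// text(): message and parameters verbatim. Fine for plain-text sinks
// (textContent, console, API JSON), unsafe when concatenated into HTML.
function text(key, params = []) {
  return substitute(MESSAGES[key], params, (p) => p);
}

// escaped(): everything HTML-escaped, so any markup is shown literally.
function escaped(key, params = []) {
  return escapeHtml(text(key, params));
}

// parse(): allowed formatting survives, the rest is neutralised, and
// parameters are escaped before they are inserted.
function parse(key, params = []) {
  return substitute(sanitize(MESSAGES[key]), params, escapeHtml);
}
```

The choice between escaped() and parse() then depends only on whether the message is meant to carry formatting; text() is the right call only when the sink is not HTML.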


Event Timeline

Mholloway created this task. · Nov 5 2019, 3:03 PM
Restricted Application added a subscriber: Aklapper. · Nov 5 2019, 3:03 PM
Mholloway renamed this task from "Prefer Message::parse() or::escape() over Message::text()" to "Prefer Message::parse() or ::escape() over Message::text()". · Nov 5 2019, 3:04 PM
JoeWalsh triaged this task as Medium priority. · Nov 6 2019, 4:34 PM

Change 551641 had a related patch set uploaded (by Mholloway; owner: Michael Holloway):
[mediawiki/extensions/MachineVision@master] Use parse(), not text(), when getting message strings for display

https://gerrit.wikimedia.org/r/551641

Change 551641 merged by jenkins-bot:
[mediawiki/extensions/MachineVision@master] Use parse(), not text(), when getting message strings for display

https://gerrit.wikimedia.org/r/551641

Mholloway closed this task as Resolved. · Nov 21 2019, 3:35 PM