Page MenuHomePhabricator

[Possible XSS vulnerability] HTML from messages rendered in Message group management - Translatewiki.net
Closed, ResolvedPublicSecurity

Description

Steps

  1. Import messages from repositories.
  2. Go to Message group management page on translatewiki.net.

Observation

If a message has HTML tags, it gets rendered. Note that it may be possible that this might be happening only for safe HTML tags.

Expected result

HTML tags should be escaped.

Event Timeline

Possibly related issue. After marking a message as renamed some of the content from the beginning of the message is missing.

Before marking as rename,

After marking as rename,

Dsharpe triaged this task as Medium priority.Jan 13 2020, 4:36 PM
Dsharpe added a subscriber: Dsharpe.

Triaged in Security team clinic on 13 Jan 2020.

I believe that the patch below addresses the XSS issue mentioned in the original patch, but does not handle the disappearing content mentioned in the previous comment.

Wondering if we should also add a fix here - https://github.com/wikimedia/mediawiki/blob/206e2fd72ded0582e77e2a9162bf2cf2f3096526/includes/diff/DifferenceEngine.php#L1027 to escape the output and allow only safe HTML?

Possibly related issue. After marking a message as renamed some of the content from the beginning of the message is missing.

Before marking as rename,

After marking as rename,

I think the above is intended behavior. The DifferenceEngine simply seems to be hiding some rows that are similar in order to reduce the size of the diff.

Patch looks fine, though ENT_QUOTES are not needed in this context. Changing the interface would be a breaking change and a lot of work imho.

Removed ENT_QUOTES.

Looks good. How about we deploy this as a local patch on translatewiki.net, and push to master before next MLEB release?

Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Apr 20 2020, 1:07 PM
Reedy changed the edit policy from "Custom Policy" to "All Users".
Nikerabbit assigned this task to abi_.