| abi_ | |
| Jan 7 2020, 3:10 PM |
| F31606715: T242115-2.patch | |
| Feb 10 2020, 10:10 AM |
| F31553706: T242115.patch | |
| Feb 7 2020, 11:24 AM |
| F31506385: image.png | |
| Jan 9 2020, 6:48 PM |
| F31506383: image.png | |
| Jan 9 2020, 6:48 PM |
| F31503584: html-mmg-xss.png | |
| Jan 7 2020, 3:10 PM |
If a message has HTML tags, it gets rendered. Note that it may be possible that this might be happening only for safe HTML tags.
HTML tags should be escaped.
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Resolved | KartikMistry | T249694 Release MLEB 2020.04 | |||
| Resolved | Security | abi_ | T242115 [Possible XSS vulnerability] HTML from messages rendered in Message group management - Translatewiki.net |
Possibly related issue. After marking a message as renamed some of the content from the beginning of the message is missing.
Before marking as rename,
After marking as rename,
I believe that the patch below addresses the XSS issue mentioned in the original patch, but does not handle the disappearing content mentioned in the previous comment.
Wondering if we should also add a fix here - https://github.com/wikimedia/mediawiki/blob/206e2fd72ded0582e77e2a9162bf2cf2f3096526/includes/diff/DifferenceEngine.php#L1027 to escape the output and allow only safe HTML?
Possibly related issue. After marking a message as renamed some of the content from the beginning of the message is missing.
Before marking as rename,
After marking as rename,
I think the above is intended behavior. The DifferenceEngine simply seems to be hiding some rows that are similar in order to reduce the size of the diff.
Patch looks fine, though ENT_QUOTES are not needed in this context. Changing the interface would be a breaking change and a lot of work imho.
Looks good. How about we deploy this as a local patch on translatewiki.net, and push to master before next MLEB release?