List of steps to reproduce (step by step, including full links if applicable):
- Be sure your wiki has files uploaded (non-pdfs)
- Go to [[MediaWiki:Widthheight]] and append "<script>alert('XSS widthheight');</script>"
- Go to index.php?title=Special:NewFiles&limit=2 and you will get the alerts
This is from ImageHandler::getDimensionsString and also includes "widthheightpage" for pdfs.
It affects all gallery which shows dimensions, that is not true for parser/wikitext.
The default depends on $wgGalleryOptions.
Categories with files are affected
Special:Uncategorizedimages and Special:Unusedimages and Special:Mostimages are affected.
A second case:
- Log in as sysop
- Go to Special:ListFiles and select a file with a 2 or higher in the Versions column
- In the file history click "(change visibility)" and you will get the alert.
For the second case the escaped is also missing for message "nbytes" in RevDelFileItem::getHTML
What happens?:
javascript alerts are shown.
What should have happened instead?:
No javascript alert should be shown. The script tag must be presented as visible text.
Software version (if not a Wikimedia wiki), browser information, screenshots, other information, etc: current master