
DisamAssist user script: lack of escaping in page title link
Closed, Resolved · Public · BUG REPORT

Description

I found a string being output to the DOM without proper escaping in the DisamAssist user script (permalink). This is almost a cross-site scripting (XSS) vulnerability, but is not exploitable due to the angle bracket characters <> not being available in the injection context.

I plan to fix this issue myself, but seeing as the script is in wide use and there are several different copies floating around on various different wikis, I am making this bug report to have a centralised place to discuss the issue. As it falls short of being an XSS issue, I am creating this as a normal task, not a security-protected task.

The issue is in lines 455-456 of the script.

// Before: the $2 placeholder is filled with currentPageTitle without HTML escaping.
ui.pageTitleLine.html( txt.pageTitleLine.replace( '$1',
	mw.util.getUrl( currentPageTitle, {redirect: 'no'} ) ).replace( '$2', currentPageTitle ) );

The string being added to the DOM here looks like In <a href="$1">$2</a>: (this example is from the enwiki translation strings). The URL inserted in place of $1 is escaped properly, but the currentPageTitle variable inserted in place of $2 is not escaped. If an attacker could inject syntax like e.g. <img src="x" onerror="alert('XSS')" /> then they could run arbitrary JavaScript. However, the currentPageTitle variable comes from a list of page titles retrieved from the API, and page titles cannot contain angle brackets, meaning an attacker cannot create the necessary HTML tags to exploit this weakness.

The fix here is to escape the currentPageTitle variable with mw.html.escape as follows:

// After: currentPageTitle is passed through mw.html.escape before it enters the HTML string.
ui.pageTitleLine.html( txt.pageTitleLine.replace( '$1',
	mw.util.getUrl( currentPageTitle, {redirect: 'no'} ) ).replace( '$2', mw.html.escape( currentPageTitle ) ) );
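Added example, not code from the DisamAssist script or from MediaWiki: it reproduces the pageTitleLine substitution described above in plain Node.js, with stand-ins for mw.html.escape and mw.util.getUrl (both assumptions) and constructed sample titles. It shows why the title character restriction rules out script injection here, and also that a legal title containing an ampersand still renders wrongly until it is escaped.

```javascript
// Added example, not the DisamAssist script itself. The template string is the
// enwiki translation string quoted in the report.
const PAGE_TITLE_LINE = 'In <a href="$1">$2</a>:';

// Stand-in for mw.html.escape (assumption: escapes the same five characters).
function htmlEscape(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Stand-in for mw.util.getUrl(title, {redirect: 'no'}); constructed, not the real
// helper, but like it the result is safe inside a double-quoted attribute.
function getUrl(title) {
  return '/wiki/' + encodeURIComponent(title.replace(/ /g, '_')) + '?redirect=no';
}

// MediaWiki rejects these characters in page titles (default $wgLegalTitleChars),
// so a title returned by the API can never contain < or >.
function isLegalTitle(title) {
  return !/[#<>[\]|{}]/.test(title);
}

// Lines 455-456 as reported: $2 is substituted without escaping.
function renderVulnerable(currentPageTitle) {
  return PAGE_TITLE_LINE.replace('$1', getUrl(currentPageTitle))
    .replace('$2', currentPageTitle);
}

// The fix from the report: escape the title before it enters the HTML string.
function renderFixed(currentPageTitle) {
  return PAGE_TITLE_LINE.replace('$1', getUrl(currentPageTitle))
    .replace('$2', htmlEscape(currentPageTitle));
}

// Constructed sample titles. The first is illegal and cannot come back from the
// API; the second is legal, but unescaped its "&lt;" is parsed as an entity, so
// the browser displays "Tom <3 Jerry" instead of the real title.
const ILLEGAL_TITLE = 'Foo <bar>';
const LEGAL_TRICKY_TITLE = 'Tom &lt;3 Jerry';

console.log(isLegalTitle(ILLEGAL_TITLE), isLegalTitle(LEGAL_TRICKY_TITLE));
console.log(renderVulnerable(LEGAL_TRICKY_TITLE));
console.log(renderFixed(LEGAL_TRICKY_TITLE));
```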

Event Timeline

I found the following affected pages from global search:

es.wikipedia 	Usuario:Qwertyytrewqqwerty/DisamAssist-core.js
pt.wikipedia 	Usuário:Pedrassani/DisamAssist.js
zh.wikipedia 	User:94rain/DisamAssist-core.js
fa.wikipedia 	کاربر:Jeeputer/disamAssist-core.js
es.wikipedia 	Usuario:Qwertyytrewqqwerty/DisamAssist-dev.js
pt.wikipedia 	Usuário:Bageense/DisamAssist.js
pt.wikipedia 	Usuário(a):OS2Warp/DisamAssist.js
es.wikipedia 	Usuario:Grabado/Grabot/DisamAssist-core.js
pt.wikipedia 	Usuário(a):Jmvgpartner/DisamAssist-core.js
pt.wikipedia 	Usuário(a):Lijealso/DisamAssist.js
en.wikipedia 	User:Certes/DisamAssist-core.js
es.wikipedia 	Usuario:Grabado/DisamAssist-core.js
en.wikipedia 	User:David Condrey/editing/scripts.js
en.wikipedia 	User:Thumperward/DisamAssist-core.js

I have now applied the fix to all of the above pages, so I am closing this issue.