Steps to replicate the issue (include links if applicable):
Original steps
In the CU 'Get users' tab, I selected the checkboxes for the accounts named Aée"a"zaEFZgrtsgewr, Aée"a"zaEFZ and Aée"a"za (among others), entered a reason for blocking them and hit the block button.
Steps for the larger issue behind this
- Register an account with the username Test" onclick="alert('test');"
- Log into an account that can access CheckUser
- Run 'Get IP Addresses' on the account created in step 1
- Click on an IP shown in the results
- Run 'Get users' on that IP
- Click the checkbox for the user created in step 1
What happens?:
Original
The three named accounts were not blocked; the other accounts, which have no accented letters, were blocked successfully.
For the wider issue
An alert box is displayed showing that HTML injection can occur, including JS injection.
What should have happened instead?:
Original
All selected accounts should have been blocked.
For the wider issue
The username should have been properly escaped.
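To illustrate the cause behind both symptoms, here is an added example (not code from the CheckUser extension or from the reporter). It renders a CheckUser-style user checkbox for two constructed usernames, once with the username dropped straight into the value attribute and once with it escaped, then runs both through the standard library HTML parser to show which attributes a browser-like tokenizer ends up with. The render functions, the form field name and the sample usernames are assumptions for the illustration; in MediaWiki itself the same effect is obtained by building the markup with the core HTML helpers (such as Html::element) instead of string concatenation.

```python
import html
from html.parser import HTMLParser

# Constructed sample usernames (assumed for this illustration): the reporter's
# JS-injection test name and one of the accented names containing double quotes.
USERNAMES = [
    'Test" onclick="alert(\'test\');"',
    'Aée"a"zaEFZ',
]


def render_checkbox_unescaped(username):
    """Hypothetical vulnerable rendering: the raw username is interpolated into
    the attribute, so the first double quote in it terminates the value early
    and the remainder is parsed as further attributes."""
    return '<input type="checkbox" name="users[]" value="%s">' % username


def render_checkbox_escaped(username):
    """Hardened rendering: html.escape(quote=True) turns " and ' into entities
    (and & < > as well), so the whole username stays inside the attribute."""
    return '<input type="checkbox" name="users[]" value="%s">' % html.escape(
        username, quote=True
    )


class AttrCollector(HTMLParser):
    """Records the attributes the tokenizer assigns to the <input> element."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            # html.parser already decodes entities in attribute values,
            # which is what a browser does before submitting the form.
            self.attrs = dict(attrs)


def parse_input_attrs(markup):
    """Return the attribute dict a browser-like parser sees for the <input>."""
    parser = AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def compare(username):
    """Return the parsed attributes for the unescaped and escaped renderings."""
    return {
        "unescaped": parse_input_attrs(render_checkbox_unescaped(username)),
        "escaped": parse_input_attrs(render_checkbox_escaped(username)),
    }


if __name__ == "__main__":
    for name in USERNAMES:
        result = compare(name)
        # Unescaped: the submitted value is truncated at the first quote (so the
        # block request names an account that does not exist) and, for the
        # injection test name, an onclick attribute appears on the element.
        print(repr(name))
        print("  unescaped ->", result["unescaped"])
        print("  escaped   ->", result["escaped"])
```

With the unescaped rendering the value submitted for Aée"a"zaEFZ is just "Aée", which is why the block request cannot match the account, and the injection test name yields a real onclick attribute; with the escaped rendering each value round-trips to the full username and no extra attributes appear.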
Software version (skip for WMF-hosted wikis like Wikipedia):
WMF Production. Meta-Wiki.
Also reproducible on a localhost testing wiki.
Other information (browser name/version, screenshots, etc.):
I've manually blocked the accounts myself.
Selecting them to use Special:MultiLock breaks too. I suspect this is caused by the quotes (") in their usernames.