have phan-taint-check look for the "help" key in HTMLForm specifiers
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Bawolff
	Sep 30 2023, 7:45 AM

Description

Currently MWVisitor::detectHTMLForm tries to do some checking of html form specifiers. It currently does not check the 'help' key. However, that key is raw html so we should add it.

Details

	Subject	Repo	Branch	Lines +/-
	MW: Detect tainted `help` HTMLForm property	mediawiki/tools/phan/SecurityCheckPlugin	master	+20 -3

Customize query in gerrit

Related Objects

Mentioned In: T347742: CVE-2024-23176: MassMessage i18n key massmessage-form-page-help allows i18n-xss

Event Timeline

Bawolff created this task.Sep 30 2023, 7:45 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 30 2023, 7:45 AM

Bawolff mentioned this in T347742: CVE-2024-23176: MassMessage i18n key massmessage-form-page-help allows i18n-xss.Sep 30 2023, 7:45 AM

Daimona claimed this task.Oct 3 2023, 8:05 PM

Change 963145 had a related patch set uploaded (by Daimona Eaytoy; author: Daimona Eaytoy):

[mediawiki/tools/phan/SecurityCheckPlugin@master] MW: Detect tainted `help` HTMLForm property

https://gerrit.wikimedia.org/r/963145

gerritbot added a project: Patch-For-Review.Oct 3 2023, 8:14 PM

Daimona moved this task from Backlog to MediaWiki mode on the phan-taint-check-plugin board.Oct 3 2023, 8:25 PM

Change 963145 merged by jenkins-bot: