
Missing escaping in search-as-you-type suggestions of Monobook skin
Closed, Resolved | Public

Description

Author: Amalthea.wikimedia

Description:
Suggestion popup.

I have an alternate account named [User:Amalthea'"&lt] to test escaping issues in tools.
Using Monobook skin, when I type [User:Amalthea'] into the search input field, the search-as-you-type suggestion popup displays [User:Amalthea'"<].
I interpret this as my browser auto-correcting the broken entity [&lt] and displaying it as [<], which in turn means that the ampersand is not escaped properly when it's written into the suggestion popup.

Since page names are heavily sanitized, I don't see a way that this can be exploited, but it should be fixed nonetheless.
Vector skin is behaving correctly.


Version: unspecified
Severity: minor

Attached:

search-as-you-type-missing-escaping.png (88×176 px, 4 KB)
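The following is an added example, not code from MediaWiki or the Monobook skin, that reproduces the effect described in the report: a page title containing a bare "&lt" concatenated into the suggestion markup is shown as "<", while an escaped title round-trips unchanged. The reported title is the one from the description; the second title and the browser decoding model are constructed assumptions (the model only handles the few legacy references that browsers accept without a trailing semicolon, not the full HTML tokenizer).

```javascript
// Added example (not MediaWiki or Monobook code): what happens when a page
// title containing "&" is written into an HTML suggestion list without
// escaping, and how an escaping builder behaves. The parser model below is
// a constructed approximation of browser behaviour.

// Escape the characters that are significant in HTML text and attribute
// contexts. "&" is replaced first so the entities produced afterwards are
// not double-encoded.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Simplified model of how a browser decodes character references in text
// content: a handful of legacy named references are accepted even when the
// trailing semicolon is missing, which is what turns the title fragment
// "&lt" into "<". Assumption: a small subset of the real entity table.
const NAMED = { lt: '<', gt: '>', amp: '&', quot: '"' };
function decodeLikeBrowser(text) {
  return text.replace(/&(?:#(\d+)|(lt|gt|amp|quot));?/g, (m, num, name) =>
    num !== undefined ? String.fromCodePoint(Number(num)) : NAMED[name]);
}

// Text a user would see for a fragment of HTML: drop the tags, then decode
// the character references that remain in the text nodes.
function renderedText(html) {
  return decodeLikeBrowser(html.replace(/<[^>]*>/g, ''));
}

// Vulnerable pattern: the title is concatenated straight into the markup.
function buildSuggestionUnsafe(title) {
  return '<li class="suggestion">' + title + '</li>';
}

// Fixed pattern: escape before interpolating into HTML.
function buildSuggestionSafe(title) {
  return '<li class="suggestion">' + escapeHtml(title) + '</li>';
}

// Title from the bug report, plus a constructed title showing that a raw "<"
// is treated as markup by the parser and vanishes from the visible text.
const REPORTED_TITLE = 'User:Amalthea\'"&lt';
const CONSTRUCTED_TITLE = 'User:<b>Bold</b>';

// Returns what the user would see for both builders.
function compare(title) {
  return {
    unsafe: renderedText(buildSuggestionUnsafe(title)),
    safe: renderedText(buildSuggestionSafe(title)),
  };
}

for (const t of [REPORTED_TITLE, CONSTRUCTED_TITLE]) {
  console.log(JSON.stringify(t), '->', compare(t));
}
```

For the reported title the unsafe builder yields `User:Amalthea'"<`, exactly what the screenshot shows, while the escaped builder yields the original title. The check to apply in a real fix is the same: every title must pass through an HTML escaper before it is placed into a text node, and through attribute escaping if it is placed into an attribute.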

Details

Reference
bz33963

Event Timeline

bzimport raised the priority of this task from to Low. Nov 22 2014, 12:07 AM
bzimport set Reference to bz33963.
bzimport added a subscriber: Unknown Object (MLST).