Top-level menu entries from MediaWiki:Sidebar are not properly escaped in the MediaWiki-skins-GuMaxDD skin, resulting in classic stored XSS.
Minimal test case:
- As an (interface) administrator or other similarly privileged (editinterface) user, create a top level menu entry "named" "><script>alert('XSS')</script> in MediaWiki:Sidebar
- Load a page with the GuMaxDD skin
Expected result:
No alert.
Actual result:
The alert runs not once but twice (!).
Proposed & tested patch:
diff --git a/GuMaxDD.skin.php b/GuMaxDD.skin.php index 52c4997..d9bfa89 100644 --- a/GuMaxDD.skin.php +++ b/GuMaxDD.skin.php @@ -302,7 +302,7 @@ class GuMaxDDTemplate extends BaseTemplate { default: $out = $skin->msg( $bar ); if ( $out->isDisabled() ) { - $txtOut = $bar; + $txtOut = htmlspecialchars( $bar, ENT_QUOTES ); } else { $txtOut = $out->escaped(); } @@ -315,7 +315,7 @@ class GuMaxDDTemplate extends BaseTemplate { // "in other languages" menu on NS_SPECIAL and that'd be ugly. if ( $txtOut && !( $isSpecial && $bar === 'LANGUAGES' ) ) { ?> - <li><a class="gumax-nav-heading gumax-nav-heading-<?php echo mb_strtolower( Sanitizer::escapeIdForAttribute( $bar ) ) ?>" href="#"><?php echo $txtOut; ?> »</a> + <li><a class="gumax-nav-heading gumax-nav-heading-<?php echo mb_strtolower( htmlspecialchars( Sanitizer::escapeIdForAttribute( $bar ), ENT_QUOTES ) ) ?>" href="#"><?php echo $txtOut; ?> »</a> <?php # XXX JaTu fix if ( $bar == 'SEARCH' ) { ?>
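Review bot: The new fallback assignment `$txtOut = htmlspecialchars( $bar, ENT_QUOTES );` in the first hunk has no why-comment, so nothing on the line says that both branches must leave `$txtOut` HTML-safe for the later `echo $txtOut;`. A line above it such as `// $bar is the raw sidebar heading when no message exists; escape it so both branches yield HTML-safe text` would keep a later edit from reintroducing the raw value. The enclosing switch and method start and end outside the hunk, so other writers of `$txtOut` cannot be checked from here.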
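Review bot: In the second hunk's class attribute, `mb_strtolower()` still runs on the already-escaped string, so escaping is not the last step before output. The entities `htmlspecialchars()` emits are lowercase already, so this looks harmless today, but swapping the calls makes the invariant obvious: `<?php echo htmlspecialchars( mb_strtolower( Sanitizer::escapeIdForAttribute( $bar ) ), ENT_QUOTES ) ?>`. A short comment that the result of `Sanitizer::escapeIdForAttribute()` is not HTML-safe and must be encoded for the attribute context would explain why the extra call is there. The surrounding loop continues outside the hunk.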