
XSS in BreadCrumbs2
Closed, Resolved · Public · Security

Description

Found when doing security review for https://issue-tracker.miraheze.org/T12987

Cause: https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/BreadCrumbs2/+/98a156f34f13635a73193df245c569a9855328e2/BreadCrumbs2.class.php#124
Screenshot:

2024-12-12_11-56.png (988×1 px, 147 KB)

Reproduction steps:

  1. Install BreadCrumbs2
  2. Set $wgAllowDisplayTitle to true and $wgRestrictDisplayTitle to false
  3. Save the following wikitext to a page:
     {{DISPLAYTITLE: <span style="color: purple">meow&lt;&gt;&amp;'"</span> <script>alert(1)</script>}}
  4. Load said page
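Added example, not BreadCrumbs2 code and not the patch linked below: the MediaWiki parser already sanitises a {{DISPLAYTITLE:}} value (the assumption here is that the allowed span survives while the disallowed script tag reaches the extension entity-escaped), so the risk for any skin or extension that re-emits the display title is undoing that escaping before output. The three hypothetical renderers contrast a breadcrumb that entity-decodes the parser output (raw script markup reappears) with two safe treatments: emitting the sanitised HTML unchanged, or reducing it to plain text and escaping exactly once at the output boundary. The sample input is constructed to mimic parser output for the payload in the reproduction steps; the specific defect at the linked line 124 is not reproduced.

```php
<?php
// Added example, not BreadCrumbs2 code. Shows why a breadcrumb renderer must
// not undo the sanitisation the MediaWiki parser already applied to a
// {{DISPLAYTITLE:}} value. All function names below are hypothetical.

// Constructed sample: assumed parser output for the reproduction payload.
// The allowed <span> survives; the disallowed <script> arrives entity-escaped.
$displayTitleHtml = '<span style="color: purple">meow&lt;&gt;&amp;\'"</span> '
    . '&lt;script&gt;alert(1)&lt;/script&gt;';

// Unsafe: decoding entities re-creates the raw markup the parser neutralised,
// and the result is concatenated straight into the page.
function breadcrumbUnsafe( string $displayTitleHtml ): string {
    $decoded = html_entity_decode( $displayTitleHtml, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    return '<span class="breadcrumb-title">' . $decoded . '</span>';
}

// Safe, keeps styling: the value is already sanitised HTML, so emit it unchanged.
function breadcrumbSafeHtml( string $displayTitleHtml ): string {
    return '<span class="breadcrumb-title">' . $displayTitleHtml . '</span>';
}

// Safe, plain text only: drop the allowed tags, decode to text, then escape
// exactly once at the output boundary. The script text becomes inert characters.
function breadcrumbSafeText( string $displayTitleHtml ): string {
    $text = html_entity_decode( strip_tags( $displayTitleHtml ), ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    return '<span class="breadcrumb-title">'
        . htmlspecialchars( $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' ) . '</span>';
}

// Regression check a test suite could run against the rendered breadcrumb:
// a raw "<script" must never appear, whatever the display title contained.
function containsRawScriptTag( string $html ): bool {
    return stripos( $html, '<script' ) !== false;
}

foreach ( [
    'unsafe'    => 'breadcrumbUnsafe',
    'safe-html' => 'breadcrumbSafeHtml',
    'safe-text' => 'breadcrumbSafeText',
] as $label => $render ) {
    $out = $render( $displayTitleHtml );
    printf( "%-9s raw <script>: %s\n  %s\n", $label, containsRawScriptTag( $out ) ? 'YES' : 'no', $out );
}
```

Running this prints YES only for the unsafe renderer. The safe-text variant strips tags before decoding so that an entity-escaped tag is never seen as real markup, and the single htmlspecialchars call at the end is the only place escaping happens, which is the pattern to look for when reviewing similar extension output paths.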

Event Timeline

Restricted Application added a subscriber: Aklapper.

Thanks for the patch; can you submit it to Gerrit?

Change #1102734 had a related patch set uploaded (by BlankEclair; author: BlankEclair):

[mediawiki/extensions/BreadCrumbs2@master] SECURITY: Fix XSS when outputting display title

https://gerrit.wikimedia.org/r/1102734

Change #1102737 had a related patch set uploaded (by BlankEclair; author: BlankEclair):

[mediawiki/extensions/BreadCrumbs2@REL1_42] SECURITY: Fix XSS when outputting display title

https://gerrit.wikimedia.org/r/1102737

Change #1102738 had a related patch set uploaded (by BlankEclair; author: BlankEclair):

[mediawiki/extensions/BreadCrumbs2@REL1_43] SECURITY: Fix XSS when outputting display title

https://gerrit.wikimedia.org/r/1102738

Change #1102734 merged by jenkins-bot:

[mediawiki/extensions/BreadCrumbs2@master] SECURITY: Fix XSS when outputting display title

https://gerrit.wikimedia.org/r/1102734

Change #1102738 merged by jenkins-bot:

[mediawiki/extensions/BreadCrumbs2@REL1_43] SECURITY: Fix XSS when outputting display title

https://gerrit.wikimedia.org/r/1102738

Change #1102737 merged by jenkins-bot:

[mediawiki/extensions/BreadCrumbs2@REL1_42] SECURITY: Fix XSS when outputting display title

https://gerrit.wikimedia.org/r/1102737

mmartorana changed Risk Rating from N/A to Medium.
sbassett triaged this task as Medium priority. Thu, Dec 19, 3:58 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".