The WikiCategoryTagCloud extension is vulnerable to reflected XSS through the linkstyle attribute of the <tagcloud> tag: its value is concatenated into HTML unescaped, so a double quote in it breaks out of the style="" attribute.
Reproduction steps:
- Enable the WikiCategoryTagCloud extension
- Enter the following wikitext into Special:ExpandTemplates (or open /wiki/Special:ExpandTemplates?wpInput=%7B%7B%23tag%3A%20tagcloud%0A%7C%0A%7Clinkstyle%3D%22%22onmouseenter%3D%22alert%28%27hi%20%3AD%27%29%22%22%0A%7D%7D%0A directly):
{{#tag: tagcloud
|
|linkstyle=""onmouseenter="alert('hi :D')""
}}
- Hover over any of the links in the rendered category cloud; the alert fires.
Cause:
$style (which is $linkstyle concatenated with additional inline CSS) is concatenated directly into an HTML string: https://github.com/wikimedia/mediawiki-extensions-WikiCategoryTagCloud/blob/d6755701460e80f1787ef9df65cba7e3e862809f/includes/WikiCategoryTagCloud.php#L196
$linkstyle is checked with Sanitizer::checkCss, which only looks for a small set of dangerous CSS constructs such as url(); nothing is HTML-escaped. Inserting new tags is not possible, since < and > entered through the {{#tag: parser function are escaped, but double quotes pass through unchanged. A quote therefore closes the style="" attribute, and further attributes such as onmouseenter can be appended to every link in the cloud, which allows JavaScript execution.
The author of this code may have assumed that quotes cannot be inserted into parameters of extension tags, since those are usually supplied as attributes of the <tagcloud> tag, but that restriction is bypassed by the {{#tag: parser function, which allows quotes to be passed through.
$cloudStyle, by contrast, cannot be abused in this way, because it is emitted as an attribute via Html::openElement (which escapes attribute values) instead of by string concatenation.
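The following PHP is an added illustration of the two patterns described above; it is not the extension's source. It rebuilds the link markup once by string concatenation (the pattern that makes $linkstyle exploitable) and once with every attribute value encoded (the effect of Html::openElement on $cloudStyle). htmlspecialchars() with ENT_QUOTES is assumed here as a stand-in for MediaWiki's attribute encoding, the helper names are hypothetical, and the attacker value is the one from the reproduction steps.

```php
<?php
// Added illustration, not the extension's own code. Shows why concatenating
// $style into the markup is exploitable while attribute encoding is not.
// htmlspecialchars(ENT_QUOTES) stands in for MediaWiki's Html::openElement
// attribute escaping (assumption, not the extension's actual call).

// Constructed attacker value, exactly as passed via {{#tag: tagcloud|linkstyle=...}}.
$linkstyle = '""onmouseenter="alert(\'hi :D\')""';

// Vulnerable pattern: $style is $linkstyle plus additional inline CSS, and the
// whole string is concatenated into the <a> tag. A double quote in $linkstyle
// terminates style="" and anything after it becomes new attributes.
function vulnerableLink(string $href, string $text, string $linkstyle): string
{
    $style = $linkstyle . ' font-size: 120%;';
    return '<a href="' . $href . '" style="' . $style . '">' . $text . '</a>';
}

// Hardened pattern: build the tag from an attribute map and encode every value.
// Quotes become &quot;, so the style attribute cannot be closed early.
function hardenedLink(string $href, string $text, string $linkstyle): string
{
    $style = $linkstyle . ' font-size: 120%;';
    $attrs = ['href' => $href, 'style' => $style];
    $html = '<a';
    foreach ($attrs as $name => $value) {
        $html .= ' ' . $name . '="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '"';
    }
    return $html . '>' . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Crude check used only for this demonstration: does the markup contain a raw
// double quote immediately followed by an on*="..." event-handler attribute?
// In the hardened output the quote is encoded as &quot;, so this never matches.
function hasEventHandler(string $html): bool
{
    return (bool) preg_match('/"on[a-z]+\s*=\s*"/i', $html);
}

$href = '/wiki/Category:Example';
echo vulnerableLink($href, 'Example', $linkstyle), "\n";
echo hardenedLink($href, 'Example', $linkstyle), "\n";
var_dump(hasEventHandler(vulnerableLink($href, 'Example', $linkstyle)));
var_dump(hasEventHandler(hardenedLink($href, 'Example', $linkstyle)));
```

Run with `php` from the command line. The first line of output carries a bare onmouseenter="..." attribute on the link, which is what the browser executes on hover; in the second line the quotes in $linkstyle appear as &quot; inside the style value and no new attribute is created. Note that Sanitizer::checkCss, as described above, is a CSS content check and not an escaping step, so it would not change this outcome; the fix is to emit $style through the same attribute-escaping path already used for $cloudStyle.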
Further information
Tested on
- MediaWiki 1.43.0 (d7861af)
- MediaWiki 1.45.0-alpha (9a13b9e) (required adding imports for a few namespaced classes to get the extension to run without an error)
PHP: 8.3.14 (fpm-fcgi)
Browser: Firefox 138.0.3 (64-bit) on Fedora Linux 42
WikiCategoryTagCloud: 1.5 (d675570)
