Users can insert any HTML into LQT thread subject and it will appear unescaped in the page history.
Version: master
Severity: normal
Confirmed the issue, and fix. We'll deploy that and add a note about this in the 1.21.2 release.
Looks like it got deployed:
<logmsgbot> !log csteipp synchronized php-1.22wmf14/extensions/LiquidThreads 'Fix bug53320'
<logmsgbot> !log csteipp synchronized php-1.22wmf13/extensions/LiquidThreads 'Fix bug53320'
CCing Werdna, who wrote this code in r58000.
Dauerwaldweg wrote:
Are there fixes for older MW/LQT-Versions available too? Could someone please give detailed information which versions are fixed and which not?
The main extension page of LQT is somehow misleading to see what's done in the different branches.
The patch was only in master initially, but I just added patches for REL1_19, 20, and 21. Maybe someone can test and merge them?
(In reply to comment #6)
Does this mean LQT 2.x and 3.x?
I am not aware of any existing codebase called "LiquidThreads 3.x" so this applies to 2.x.
(In reply to comment #7)
(In reply to comment #6)
Does this mean LQT 2.x and 3.x?
I am not aware of any existing codebase called "LiquidThreads 3.x" so this
applies to 2.x.
Correct, the vulnerability was in the 2.x branch, which I think is the only reasonably supported version of lqt. It may exist in 3.x, but since that code is pretty much abandoned, I don't think it's been checked.