[WikibaseRepo] XSS: Labels shown in "In other languages" section of entity view are not escaped
Closed, ResolvedPublic

Description

Insert "<script>alert(1)</script>" in a label and when it's shown in the "In other languages" section, the script snippet is executed.


Version: master
Severity: normal

Details

Reference
bz53472
bzimport set Reference to bz53472.
bzimport added a subscriber: Unknown Object (MLST).
liangent created this task.Aug 28 2013, 1:01 PM

Created attachment 13188
Bugfix for the issue

Another less serious (can only be exploited by admins) XSS is address too.

Attached: bug53472.diff

Thanks Liangent! That looks like a reasonable fix. Let me do some testing on it, and we'll get it deployed asap.

Created attachment 13189
htmlspecialchars( Utils::fetchLanguageName( $language ) ) too

It looks better for me to htmlspecialchars( Utils::fetchLanguageName( $language ) ) too, though Utils::fetchLanguageName() has a fixed set of outputs currently.

Attached: bug53472.diff

Reviewed and tested by Aude too. Deployed.

18:37 logmsgbot: csteipp synchronized php-1.22wmf13/extensions/Wikibase
18:35 logmsgbot: csteipp synchronized php-1.22wmf14/extensions/Wikibase

I'll add into gerrit too.

I can confirm this is fixed live.

Verified in Wikidata demo time

This was assigned CVE-2013-4307

Change 176610 had a related patch set (by Dereckson) published:
Extra language names configuration for Wikidata

https://gerrit.wikimedia.org/r/176610

Patch-For-Review

Change 176610 had a related patch set uploaded (by Dereckson):
Extra language names configuration for Wikidata

https://gerrit.wikimedia.org/r/176610

Patch-For-Review

Add Comment