Page MenuHomePhabricator

Fix incorrect deserialization of HTML in MoodBar
Closed, ResolvedPublic


This is related to jQuery 1.9's change in how HTML is recognized by the $() function.

The locations are:

  • Apparent arbitrary HTML (probably XSS-safe, but not necessarily starting with <), from the API used in ext.moodBar.dashboard.js (245): Should use parseHTML
  • moodbar.tpl.type on 256 of ext.moodbar.core.js (line continuation), similar ones elsewhere in file (moodbar.tpl/mb.tpl in general). Strings in tpl start with newlines and space rather than <.

Event Timeline

Mattflaschen-WMF raised the priority of this task from to High.
Mattflaschen-WMF updated the task description. (Show Details)
Mattflaschen-WMF added subscribers: Aklapper, Unknown Object (MLST), greg and 6 others.
Krinkle removed a subscriber: Unknown Object (MLST).Dec 30 2014, 5:27 AM
gerritbot added a subscriber: gerritbot.

Change 187859 had a related patch set uploaded (by Mattflaschen):
Update HTML deserialization for jQuery 1.9 requirements


Change 187859 merged by jenkins-bot:
Update HTML deserialization for jQuery 1.9 requirements