
Fix incorrect deserialization of HTML in MoodBar
Closed, ResolvedPublic

Description

This is related to jQuery 1.9's change in how HTML is recognized by the $() function.

The locations are:

  • Apparent arbitrary HTML (probably XSS-safe, but not necessarily starting with <), from the API used in ext.moodBar.dashboard.js (245): Should use parseHTML
  • moodbar.tpl.type on line 256 of ext.moodbar.core.js (line continuation), similar ones elsewhere in the file (moodbar.tpl/mb.tpl in general). Strings in tpl start with newlines and spaces rather than <.
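
The two cases listed above, as an added example that is not taken from the task or from the MoodBar patch. It uses a simplified model of the jQuery 1.9 rule (a string counts as HTML only if it starts with <); the sample strings, key names and helper functions are hypothetical, and `$` is assumed to be jQuery 1.9.

```javascript
// Simplified model of the rule this task describes, not jQuery's own code:
// from 1.9 on, $() parses a string as HTML only if its first character is "<".
function parsedAsHtmlByJQuery19(str) {
  return typeof str === 'string' && str.charAt(0) === '<';
}

// Constructed samples. Keys and markup are hypothetical; they mimic the two
// cases in the task: a template written with a line continuation, and
// API-supplied HTML that begins with text.
var samples = {
  tplWithContinuation: '\n        <div class="mw-moodBar-types"></div>',
  tplStartingWithTag: '<div class="mw-moodBar-overlay"></div>',
  apiResponse: 'Thanks for the <b>feedback</b>'
};

// Names of the strings that $() would now hand to the selector engine.
function findAffected(strings) {
  return Object.keys(strings).filter(function (name) {
    return !parsedAsHtmlByJQuery19(strings[name]);
  });
}

// Template case: whitespace before the first tag is incidental, so trim it.
function templateToJQuery($, tpl) {
  return $($.trim(tpl));
}

// API case: the string is always meant as HTML, so parse it explicitly.
// $.parseHTML returns an array of DOM nodes, including text nodes.
function apiHtmlToJQuery($, html) {
  return $($.parseHTML(html));
}
```

`$.parseHTML` is a parser, not a sanitizer: it leaves out script elements by default but keeps event-handler attributes, so the API content still has to be XSS-safe at its source.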

Event Timeline

Mattflaschen-WMF raised the priority of this task from to High.
Mattflaschen-WMF updated the task description.
Mattflaschen-WMF added subscribers: Aklapper, Unknown Object (MLST), greg and 6 others.
Mattflaschen-WMF set Security to None.
Krinkle removed a subscriber: Unknown Object (MLST). Dec 30 2014, 5:27 AM
Krinkle removed a subscriber: Krinkle. Jan 17 2015, 1:38 AM
gerritbot added a subscriber: gerritbot.

Change 187859 had a related patch set uploaded (by Mattflaschen):
Update HTML deserialization for jQuery 1.9 requirements

https://gerrit.wikimedia.org/r/187859

Patch-For-Review

Nemo_bis removed a subscriber: Nemo_bis. Feb 1 2015, 3:37 PM

Change 187859 merged by jenkins-bot:
Update HTML deserialization for jQuery 1.9 requirements

https://gerrit.wikimedia.org/r/187859

DannyH closed this task as Resolved. Feb 3 2015, 11:57 PM
DannyH added a subscriber: DannyH.