Page MenuHomePhabricator
Create Task
Maniphest T86723

Ensure html in data-mw can't be manipulated by attacker before being loaded on ContentTranslation
Closed, InvalidPublic
Actions

Description

Currently, this is prevented by checking the typeof attribute on the reference element, but if a wiki sets $wgAllowRdfaAttributes = true, this will no longer be effective.

Related Objects

Event Timeline

csteipp created this task.Jan 14 2015, 12:14 AM
csteipp raised the priority of this task from to Needs Triage.
csteipp updated the task description. (Show Details)
csteipp subscribed.
csteipp mentioned this in T85686: Content Translation Beta Feature security review.Jan 14 2015, 12:22 AM
Nikerabbit claimed this task.Jan 14 2015, 7:18 AM
Nikerabbit triaged this task as High priority.
Nikerabbit added projects: ContentTranslation, Language-Team.
Nikerabbit set Security to None.
Nikerabbit closed this task as Invalid.Jan 28 2015, 6:11 AM

Per private email conversations (sorry about that) this is in fact not an issue. Parsoid will prefix conflicting data and typeof attributes.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL