Page MenuHomePhabricator
Create Task
Maniphest T8935

Limited HTML attribute Parser.php injection
Closed, ResolvedPublic
Actions

Description

Author: nickpj

Description:
Minor regression with r15976 parser updates.

Input Wiki text:

[[image:RFC 000]]

HTML Output (with line breaks added, and marker for injected stuff).

<a href="/wiki/index.php?title=Special:Upload&amp;wpDestFile=RFC_000"
class="new" title="Image:<a href="http://www.ietf.org/rfc/rfc000.txt"
class="external"

^^^^^^^^^^^^^ = injected

title="http://www.ietf.org/rfc/rfc000.txt">RFC 000</a>">Image:
<a href="http://www.ietf.org/rfc/rfc000.txt" class="external"

title="http://www.ietf.org/rfc/rfc000.txt">RFC 000</a></a>

Other very similar variants possible, e.g.:

[[image:ISBN PMID 000]]

All the best, Nick.

Version: 1.8.x
Severity: normal

Details

Reference
bz6935

Event Timeline

bzimport raised the priority of this task from to Low.Nov 21 2014, 9:17 PM
bzimport added a project: MediaWiki-Parser.
bzimport set Reference to bz6935.
bzimport added a subscriber: Unknown Object (MLST).
bzimport created this task.Aug 7 2006, 1:06 AM
tstarling added a comment.Aug 12 2006, 6:14 AM

fixed in r16023

bzimport added a comment.Aug 14 2006, 12:08 AM

nickpj wrote:

Thank you!

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL