Thu, Sep 16
Jul 19 2021
Jan 26 2021
I've pulled this onto our wiki and as far as I can see it, it should be fine now. Again thank you for working on this :)
Jan 22 2021
No worries, sometimes things take time, and that's ok. Thank you for your work on this :)
Sep 21 2020
I added a call to error_log() like so
Sep 18 2020
At least in Firefox I am still seeing it. I've been wondering if I had a cached version of some script, but I've tried this on multiple PCs now
This change has broken compatibility with MediaWiki 1.31
[82208d4b3c9721c73b0185b9] /smash/Special:RunQuery/Match_history OOUI\Exception from line 31 of /path/to/wiki/vendor/oojs/oojs-ui/php/Theme.php: OOUI\Theme::singleton was called with no singleton theme set.
I pulled this version, but I can still recreate this with this url https://liquipedia.net/commons/Special:RunQuery/Find_images?pfRunQueryFormName=Find+images&Find+images[person]=%3Cimg%20src=%22x%22%20onerror=%22alert(1)%22%3E&Find+images[event]=&Find+images[date][day]=&Find+images[date][month]=&Find+images[date][year]=&Find+images[description]=&pf_free_text=&wpRunQuery=Run+query# (I use the git version now at 4ac1f9d4371974c823225da7273ddf2ce9b89dfd)
Aug 25 2020
Aug 21 2020
As far as I can see, there is still an issue here, as I can still create URL parameters that are XSS exploitable
Aug 20 2020
Aug 12 2020
This wiki uses MW 1.31.8 and PF 4.9.5, but I can still get an alert from a URL parameter. Maybe I am missing something?
Aug 10 2020
I'm back, because I realized that your fix works in 1.34, but does not seem to work in 1.31.8.
Aug 3 2020
When going to https://sandbox.semantic-mediawiki.org/wiki/Sp%C3%A9cial:RunQuery/Tokens and putting <img/src=="x onerror=alert(1)//"> into the box, the code also gets executed.
Thank you for working on this. The patch you merged seems to fix the issue with passing it in as a URL parameter, but it seems to leave open the option of self-XSSing by putting the string into the search box. I don't know if this is something that is important to fix, but it might be nice.
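The two payloads quoted in the comments above are both written for an HTML attribute context: they do not need to inject a new element, they only need to close the `value="..."` quote of the form's input box and append an `onerror=` handler. The PHP below is an added illustration of that mechanism and of the fix; it is not Page Forms or MediaWiki code, and the field name `person` and the `renderField*` helpers are assumptions for the example. It renders a field the unsafe way and the escaped way, then asks a real HTML parser (PHP's DOMDocument) which one ends up carrying an event-handler attribute.

```php
<?php
// Illustrative example, not Page Forms or MediaWiki code.
// Shows why a form field value taken from the request must be HTML-escaped at
// output time, whether it arrived as a URL parameter (GET) or was typed into
// the form's own box (POST): the rendering step cannot tell the two apart.

// Payloads quoted in the thread (constructed test input, copied from the comments).
$payloads = [
    '<img src="x" onerror="alert(1)">',
    '<img/src=="x onerror=alert(1)//">',
];

// Vulnerable pattern: the value is interpolated as-is into the attribute.
// Field name "person" is an assumption for this example.
function renderFieldUnsafe( string $name, string $value ): string {
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Hardened pattern: escape for attribute context. ENT_QUOTES is essential here
// because the payloads rely on a double quote to break out of value="...".
function renderFieldSafe( string $name, string $value ): string {
    $safeName  = htmlspecialchars( $name,  ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    $safeValue = htmlspecialchars( $value, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    return '<input type="text" name="' . $safeName . '" value="' . $safeValue . '">';
}

// Parse the rendered fragment the way a browser roughly would and list every
// element@attribute pair whose attribute name starts with "on" (event handlers).
// For the unsafe output this reveals an onerror attribute that the developer
// never wrote; for the escaped output the list is empty.
function eventHandlerAttributes( string $html ): array {
    $doc = new DOMDocument();
    // The unsafe markup is malformed on purpose; suppress libxml warnings.
    @$doc->loadHTML( '<!DOCTYPE html><html><body>' . $html . '</body></html>' );
    $found = [];
    foreach ( $doc->getElementsByTagName( '*' ) as $el ) {
        foreach ( $el->attributes as $attr ) {
            if ( stripos( $attr->nodeName, 'on' ) === 0 ) {
                $found[] = $el->nodeName . '@' . $attr->nodeName;
            }
        }
    }
    return $found;
}

foreach ( $payloads as $i => $payload ) {
    echo "Payload $i: $payload\n";

    $unsafe = renderFieldUnsafe( 'person', $payload );
    echo "  unsafe markup:   $unsafe\n";
    echo "  handlers found:  " . implode( ', ', eventHandlerAttributes( $unsafe ) ) . "\n";

    $safe = renderFieldSafe( 'person', $payload );
    echo "  escaped markup:  $safe\n";
    echo "  handlers found:  " . ( eventHandlerAttributes( $safe ) ? 'YES' : 'none' ) . "\n\n";
}
```

The point of escaping in the render function rather than in the request-parsing code is exactly the self-XSS case raised above: a fix that only sanitises values arriving through the URL leaves the same rendering path reachable from the form's own input box. In MediaWiki the `Html` helpers (for example `Html::input()`) perform this escaping, so building the input from one of them instead of string concatenation covers both routes at once.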
Aug 2 2020
Mar 12 2019
The reason why I added Core is that there is no way to hook into this behaviour for all I could see in the relevant file, but I trust you to know what kind of tags are relevant.
Jul 1 2018
Jun 19 2018
Sep 20 2017
Ah thanks so much, I've spent too long looking at this so I guess I missed that T_T
Sep 19 2017
Yeah, the fact that it doesn't happen every time is why I titled it as a possible race condition. I don't use an adblocker/scriptblocker myself, so I can only speak about a non-adblocker state.
Sep 13 2017
Well, that line that I linked is the one the Chrome developer tools highlight for me as to where $.debounce is not a function.