- User Since
- Aug 19 2016, 4:36 PM (354 w, 15 h)
- LDAP User
- MediaWiki User
- FO-nTTaX [ Global Accounts ]
Nov 5 2022
I'll look into updating the Liquipedia extension next week, thanks for the ping.
Sep 16 2021
Jul 19 2021
Jan 26 2021
I've pulled this onto our wiki and as far as I can see, it should be fine now. Again, thank you for working on this :)
Jan 22 2021
No worries, sometimes things take time, and that's ok. Thank you for your work on this :)
Sep 21 2020
I added a call to error_log() like so
Sep 18 2020
At least in Firefox I am still seeing it. I've been wondering if I had a cached version of some script, but I've tried this on multiple PCs now.
This change has broken compatibility with MediaWiki 1.31.
[82208d4b3c9721c73b0185b9] /smash/Special:RunQuery/Match_history OOUI\Exception from line 31 of /path/to/wiki/vendor/oojs/oojs-ui/php/Theme.php: OOUI\Theme::singleton was called with no singleton theme set.
I pulled this version, but I can still recreate this with this URL https://liquipedia.net/commons/Special:RunQuery/Find_images?pfRunQueryFormName=Find+images&Find+images[person]=%3Cimg%20src=%22x%22%20onerror=%22alert(1)%22%3E&Find+images[event]=&Find+images[date][day]=&Find+images[date][month]=&Find+images[date][year]=&Find+images[description]=&pf_free_text=&wpRunQuery=Run+query# (I use the git version now at 4ac1f9d4371974c823225da7273ddf2ce9b89dfd).
Aug 25 2020
Aug 21 2020
As far as I can see, there is still an issue here, as I can still create URL parameters that are XSS exploitable.
Aug 20 2020
Aug 12 2020
This wiki uses MW 1.31.8 and PF 4.9.5, but I can still get an alert from a URL parameter. Maybe I am missing something?
Aug 10 2020
I'm back, because I realized that your fix works in 1.34, but does not seem to work in 1.31.8.
Aug 3 2020
When going to https://sandbox.semantic-mediawiki.org/wiki/Sp%C3%A9cial:RunQuery/Tokens and putting <img/src=="x onerror=alert(1)//"> into the box, the code also gets executed.
Thank you for working on this. The patch you merged seems to fix the issue with passing it in as a URL parameter; it seems to leave open the option of self XSS-ing by putting the string into the search box though. I don't know if this is something that is important to fix, but it might be nice.
Aug 2 2020
Mar 12 2019
The reason why I added Core is that there is no way to hook into this behaviour for all I could see in the relevant file, but I trust you to know what kind of tags are relevant.
Jul 1 2018
Jun 19 2018
Sep 20 2017
Ah thanks so much, I've spent too long looking at this so I guess I missed that T_T
Sep 19 2017
Yeah, the fact that it doesn't happen every time is why I titled it as a possible race condition. I don't use an adblocker/scriptblocker myself, so I can only speak about a non-adblocker state.
Sep 13 2017
Well, that line that I linked is the one the Chrome developer tools highlight for me as to where $.debounce is not a function.