HomePhabricator

SECURITY: Add edit token to Special:ExpandTemplates

Description

SECURITY: Add edit token to Special:ExpandTemplates

On wikis that allow raw HTML, it is not safe to preview wikitext coming from
an untrusted source such as a cross-site request. Thus add an edit token to
the form, and when raw HTML is allowed, ensure the token is provided before
showing the preview.

Unfortunately, MediaWiki does not currently provide logged-out users with
CSRF protection; in that case, do not show the preview unless anonymous
editing is allowed (such wikis have been, and are still, vulnerable).

Backported from MediaWiki 1.23 (c1d6638704e6 in mediawiki/core).

Bug: T73111
Change-Id: I2f1caa57e8fc705ef52fc4b6f351a174b72b33cb