
Require strip marker names to not have & ' " < or > in them

Description

Require strip marker names to not have & ' " < or > in them

This is a little far fetched, but meant as a hardening step. No
valid strip marker name should have any of those things in them.
If a malicious user managed to somehow control the strip marker name,
he could make a strip marker that "spanned" different html contexts.
Note: I've checked carefully - it's impossible for a user to control
the strip marker name. This is just a hardening step against any
future features.

For example, if someone could make a strip marker using the marker
name "a&#039;,&#039;b", then they could create an XSS by feeding
"\x7UNIQfa+QINU\x7f" to charinsert, which will split on + sign,
and create output like
<a onclick="mw.toolbar.insertTags(&#039\x7FUNIQa&#039;,&#039;bQIN\X7f...
It just seems safer to not allow any of the special characters in
strip marker names - especially because there is no need to ever
use them, and to my knowledge there is no example of anyone ever
actually using such a special character in the marker name.
and not recognize either part as a strip marker.

Change-Id: I798d31aff4e48b4c6da886530c15867226c953d2
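As an added example (not the code from this change), here is a PHP check that implements the rule the description states: reject any marker name containing & ' " < or >. The marker layout (\x7fUNIQ ... QINU\x7f) is taken from the form quoted above and is an assumption, as are the function names.

```php
<?php
// Added example, not the commit's own code. Prefix/suffix follow the
// \x7fUNIQ...QINU\x7f form quoted in the description (assumption).
const MARKER_PREFIX = "\x7fUNIQ";
const MARKER_SUFFIX = "QINU\x7f";

/**
 * A strip marker name is acceptable only if it contains none of the
 * characters that HTML escaping or attribute parsing would rewrite.
 * The marker must stay one opaque token wherever it is substituted.
 */
function isValidStripMarkerName( string $name ): bool {
    return $name !== '' && preg_match( '/[&\'"<>]/', $name ) !== 1;
}

/** Build a marker, refusing names that fail the check. */
function makeStripMarker( string $name, int $counter ): string {
    if ( !isValidStripMarkerName( $name ) ) {
        throw new InvalidArgumentException( "Invalid strip marker name: $name" );
    }
    return MARKER_PREFIX . $name . '-' . sprintf( '%08X', $counter ) . MARKER_SUFFIX;
}

/**
 * Why the rule matters: a marker placed inside an attribute value is
 * HTML-escaped. A clean name round-trips unchanged, so the strip state
 * can still find and replace it; a name with a quote does not.
 */
function markerSurvivesEscaping( string $marker ): bool {
    return htmlspecialchars( $marker, ENT_QUOTES ) === $marker;
}

// Constructed sample names for the demonstration.
$good = makeStripMarker( 'ref', 1 );
var_dump( markerSurvivesEscaping( $good ) );

try {
    makeStripMarker( "a','b", 2 );
} catch ( InvalidArgumentException $e ) {
    echo $e->getMessage(), "\n";
}
```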

Details

Provenance
Bawolff, authored on Jan 29 2016, 9:46 AM
Parents
rMW0d4e0ca543b8: Add -f as an alias of --force to cli args of updateCollation.php