SECURITY: Add edit token to Special:ExpandTemplates

Description

On wikis that allow raw HTML, it is not safe to preview wikitext coming from
an untrusted source such as a cross-site request. Thus add an edit token to
the form, and when raw HTML is allowed, ensure the token is provided before
showing the preview.

Unfortunately, MediaWiki does not currently provide logged-out users with
CSRF protection; in that case, do not show the preview unless anonymous
editing is allowed (such wikis have been, and are still, vulnerable).

Bug: T73111

Change-Id: I2f1caa57e8fc705ef52fc4b6f351a174b72b33cb
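The decision the commit message describes, as an added illustration that is not MediaWiki's own code: the token is bound to the session, compared in constant time, and only required when raw HTML is enabled; logged-out users fall back to the anonymous-editing rule. The names `previewPolicy`, `$rawHtmlAllowed` and `$anonEditingAllowed` are assumptions made for this example.

```php
<?php
// Added example, not MediaWiki's implementation. Function and variable
// names ($rawHtmlAllowed, $anonEditingAllowed, previewPolicy) are assumed.

function makeEditToken($sessionSecret, $salt = '') {
    // Bind the token to the session so a cross-site form cannot know it.
    return hash_hmac('sha256', $salt, $sessionSecret);
}

function matchEditToken($sessionSecret, $provided, $salt = '') {
    if (!is_string($provided) || $provided === '') {
        return false;
    }
    // Constant-time comparison avoids leaking the token byte by byte.
    return hash_equals(makeEditToken($sessionSecret, $salt), $provided);
}

/**
 * Decide whether a submitted ExpandTemplates form may be previewed.
 * Returns 'preview', 'no-token' or 'anon-blocked'.
 */
function previewPolicy($rawHtmlAllowed, $isLoggedIn, $anonEditingAllowed,
                       $sessionSecret, $providedToken) {
    if (!$rawHtmlAllowed) {
        // Without raw HTML the preview is sanitized parser output, so a
        // forged request cannot inject script; no token is needed.
        return 'preview';
    }
    if (!$isLoggedIn) {
        // Logged-out sessions carry no CSRF token to check; the commit
        // falls back to "only if anonymous editing is allowed".
        return $anonEditingAllowed ? 'preview' : 'anon-blocked';
    }
    return matchEditToken($sessionSecret, $providedToken) ? 'preview' : 'no-token';
}

// Constructed demo values (session secret generated at runtime).
$secret = bin2hex(random_bytes(16));
$good = makeEditToken($secret);
echo "logged-in, valid token:  " . previewPolicy(true, true, false, $secret, $good) . "\n";
echo "logged-in, forged token: " . previewPolicy(true, true, false, $secret, 'forged') . "\n";
echo "anon, no anon editing:   " . previewPolicy(true, false, false, $secret, null) . "\n";
echo "raw HTML disabled:       " . previewPolicy(false, false, false, $secret, null) . "\n";
```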

Details

Provenance
PleaseStand: Authored on
Mglaser: Committed on Nov 27 2014, 12:33 AM
Parents
rMW47a72a049648: Merge "API: Work around wfMangleFlashPolicy()" into REL1_23
Branches
Unknown
Tags
Unknown
ChangeId
I2f1caa57e8fc705ef52fc4b6f351a174b72b33cb