
(bug 42202) Validate preference values in action=options

Description

(bug 42202) Validate preference values in action=options

Previously, there was no validation whatsoever and the module would
happily write any preference you asked it to. This, combined with the
fact that the code using the 'editfont' preference didn't perform any
validation or escaping, led to a CSS injection vulnerability.

Using Preferences::getPreferences breaks some existing test cases
because a MockUser doesn't have groups for preferences.

Change-Id: I98df55f2b16ac1b6fce578798b6f58b5dad96775

Details

Provenance
Catrope Authored on
csteipp Committed on Nov 30 2012, 12:42 AM
Parents
rMW8e57acf21152: (bug 42202) Validate editfont before embedding it in CSS
ChangeId
I98df55f2b16ac1b6fce578798b6f58b5dad96775
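
The kind of validation the commit message describes, as an added example in PHP: it is not MediaWiki's code, and the preference table and the names `PREFERENCE_DEFS`, `validatePreference`, `applyChanges` and `editFontCss` are hypothetical. It refuses unknown keys and disallowed values on write, and re-checks `editfont` before the value reaches a stylesheet, which is what the parent commit's title describes.

```php
<?php
// Added example; all names are hypothetical, not MediaWiki's own code.
// Constructed definitions: what each preference is allowed to hold.
const PREFERENCE_DEFS = [
    'editfont' => ['type' => 'select',
        'options' => ['default', 'monospace', 'sans-serif', 'serif']],
    'rows' => ['type' => 'int', 'min' => 4, 'max' => 1000],
];

// True only for a known preference whose value passes its definition.
function validatePreference(string $key, string $value): bool {
    $def = PREFERENCE_DEFS[$key] ?? null;
    if ($def === null) {
        return false; // unknown key: never written
    }
    if ($def['type'] === 'select') {
        return in_array($value, $def['options'], true);
    }
    if ($def['type'] === 'int') {
        return ctype_digit($value)
            && (int)$value >= $def['min'] && (int)$value <= $def['max'];
    }
    return false;
}

// Write path: store valid changes, report the rest. Returns [stored, rejected].
function applyChanges(array $stored, array $requested): array {
    $rejected = [];
    foreach ($requested as $key => $value) {
        if (is_string($value) && validatePreference((string)$key, $value)) {
            $stored[$key] = $value;
        } else {
            $rejected[] = $key;
        }
    }
    return [$stored, $rejected];
}

// Read path: re-check before the value is embedded in a stylesheet.
function editFontCss(array $stored): string {
    $font = $stored['editfont'] ?? 'default';
    if (!is_string($font) || $font === 'default'
        || !validatePreference('editfont', $font)) {
        return '';
    }
    return "textarea { font-family: $font; }\n";
}

// Constructed input: the editfont value tries to close the CSS rule.
$bad = 'serif; } body { display: none';
var_dump(applyChanges([], ['rows' => '25', 'editfont' => $bad]),
    editFontCss(['editfont' => $bad]), editFontCss(['editfont' => 'serif']));
```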