Change Details

**This is not a security vulnerability in itself**, but I think the task should not be public at the moment. It can probably be made public later. After finding an i18n XSS vulnerability (i.e., an issue where an i18n message wasn’t properly escaped, resulting in HTML injection via the message JSON files or the MediaWiki: namespace) in a recent Wikibase change (already [fixed](https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Wikibase/+/932416)), I thought that to investigate this and other issues without having to edit the message files and rebuild the l10n cache, it would be nice to have a custom language code instead. I managed to put together this `LocalSettings.php` snippet: ```lang=php $wgHooks['MessagesPreLoad'][] = function ( $title, &$message, $code ) { if ( $code !== 'xss' ) { return true; } $key = lcfirst( preg_replace( '|/xss$|', '', $title ) ); $xssViaInnerHtml = "<script>alert('$key')</script>"; $xssViaAttribute = '">' . $xssViaInnerHtml . '<span data-rest="'; $message = $xssViaInnerHtml . $xssViaAttribute; return false; }; ``` It sets every i18n message to a `<script>alert('message-key')</script>`-like HTML snippet. (With a second copy to also catch `<span title="unescapedMessage">` issues, in fact.) When I tested it, I immediately found //another// XSS vulnerability: {T340200} I’m not sure where to go from here… this feels like a useful technique that I want to share with others, but it probably shouldn’t be public yet while it’s so easy to find real vulnerabilities with it?

**This is not a security vulnerability in itself**, but I think the task should not be public at the moment. It can probably be made public later. After finding an i18n XSS vulnerability (i.e., an issue where an i18n message wasn’t properly escaped, resulting in HTML injection via the message JSON files or the MediaWiki: namespace) in a recent Wikibase change (already [fixed](https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Wikibase/+/932416)), I thought that to investigate this and other issues without having to edit the message files and rebuild the l10n cache, it would be nice to have a custom language code instead. I managed to put together this `LocalSettings.php` snippet: ```lang=php $wgHooks['MessagesPreLoad'][] = function ( $title, &$message, $code ) { if ( $code !== 'xss' ) { return true; } $key = lcfirst( preg_replace( '|/xss$|', '', $title ) ); $xssViaInnerHtml = "<script>alert('$key')</script>"; $xssViaAttribute = '">' . $xssViaInnerHtml . '<span data-rest="'; $message = $xssViaInnerHtml . $xssViaAttribute; return false; }; ``` It sets every i18n message to a `<script>alert('message-key')</script>`-like HTML snippet (with a second copy to also catch `<span title="unescapedMessage">` issues, in fact), and is activated via `?uselang=xss` in the URL. When I tested it, I immediately found //another// XSS vulnerability: {T340200} I’m not sure where to go from here… this feels like a useful technique that I want to share with others, but it probably shouldn’t be public yet while it’s so easy to find real vulnerabilities with it?

**This is not a security vulnerability in itself**, but I think the task should not be public at the moment. It can probably be made public later. After finding an i18n XSS vulnerability (i.e., an issue where an i18n message wasn’t properly escaped, resulting in HTML injection via the message JSON files or the MediaWiki: namespace) in a recent Wikibase change (already [fixed](https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Wikibase/+/932416)), I thought that to investigate this and other issues without having to edit the message files and rebuild the l10n cache, it would be nice to have a custom language code instead. I managed to put together this `LocalSettings.php` snippet: ```lang=php $wgHooks['MessagesPreLoad'][] = function ( $title, &$message, $code ) { if ( $code !== 'xss' ) { return true; } $key = lcfirst( preg_replace( '|/xss$|', '', $title ) ); $xssViaInnerHtml = "<script>alert('$key')</script>"; $xssViaAttribute = '">' . $xssViaInnerHtml . '<span data-rest="'; $message = $xssViaInnerHtml . $xssViaAttribute; return false; }; ``` It sets every i18n message to a `<script>alert('message-key')</script>`-like HTML snippet. (with a second copy to also catch `<span title="unescapedMessage">` issues, (With a second copy to also catch `<span title="unescapedMessage">` issuesin fact), in fact.)and is activated via `?uselang=xss` in the URL. When I tested it, I immediately found //another// XSS vulnerability: {T340200} I’m not sure where to go from here… this feels like a useful technique that I want to share with others, but it probably shouldn’t be public yet while it’s so easy to find real vulnerabilities with it?