Change Details

After T229541 was reported and resolved, I checked [[ https://www.mediawiki.org/wiki/Extension:MobileFrontend | MobileFrontend ]] for more instances of `Sanitizer::stripAllTags()` and found another one in [[ https://gerrit.wikimedia.org/g/mediawiki/extensions/MobileFrontend/+/737fda853af38fbc3bc62f964af606d7033ebc65/includes/specials/SpecialMobileWatchlist.php#391 | `includes/specials/SpecialMobileWatchlist.php` ]] and confirmed it also renders an XSS. **Steps to reproduce:** # Create a test page or edit any wiki page # Enter some JavaScript within the edit summary field, e.g. `<script>alert('xss')</script>` # Add this page to your watchlist # Visit the mobile version of your watchlist, e.g. https://en.m.wikipedia.org/w/index.php?title=Special:Watchlist&watchlistview=feed&filter=all **n.b.** there are a few more calls to `Sanitizer::stripAllTags` [[ https://codesearch.wmflabs.org/extensions/?q=Sanitizer%3A%3AstripAllTags&i=nope&files=&repos= | within other extensions ]] and it's probably worth auditing these. I think we're also hoping to catch more issues like this by [[ https://gerrit.wikimedia.org/r/c/mediawiki/core/+/530009 | setting `Sanitizer::stripAllTags`' `@return-taint` to tainted ]] for phan-taint-check.

After T229541 was reported and resolved, I checked [[ https://www.mediawiki.org/wiki/Extension:MobileFrontend | MobileFrontend ]] for more instances of `Sanitizer::stripAllTags()` and found another one in [[ https://gerrit.wikimedia.org/g/mediawiki/extensions/MobileFrontend/+/737fda853af38fbc3bc62f964af606d7033ebc65/includes/specials/SpecialMobileWatchlist.php#391 | `includes/specials/SpecialMobileWatchlist.php` ]] and confirmed it also renders an XSS. **Steps to reproduce:** # Create a test page or edit any wiki page # Enter some JavaScript within the edit summary field, e.g. `<script>alert('xss')</script>` # Add this page to your watchlist # Visit the mobile version of your watchlist feed, e.g. https://en.m.wikipedia.org/w/index.php?title=Special:Watchlist&watchlistview=feed&filter=all **n.b.** there are a few more calls to `Sanitizer::stripAllTags` [[ https://codesearch.wmflabs.org/extensions/?q=Sanitizer%3A%3AstripAllTags&i=nope&files=&repos= | within other extensions ]] and it's probably worth auditing these. I think we're also hoping to catch more issues like this by [[ https://gerrit.wikimedia.org/r/c/mediawiki/core/+/530009 | setting `Sanitizer::stripAllTags`' `@return-taint` to tainted ]] for phan-taint-check.

After T229541 was reported and resolved, I checked [[ https://www.mediawiki.org/wiki/Extension:MobileFrontend | MobileFrontend ]] for more instances of `Sanitizer::stripAllTags()` and found another one in [[ https://gerrit.wikimedia.org/g/mediawiki/extensions/MobileFrontend/+/737fda853af38fbc3bc62f964af606d7033ebc65/includes/specials/SpecialMobileWatchlist.php#391 | `includes/specials/SpecialMobileWatchlist.php` ]] and confirmed it also renders an XSS. **Steps to reproduce:** # Create a test page or edit any wiki page # Enter some JavaScript within the edit summary field, e.g. `<script>alert('xss')</script>` # Add this page to your watchlist # Visit the mobile version of your watchlist feed, e.g. https://en.m.wikipedia.org/w/index.php?title=Special:Watchlist&watchlistview=feed&filter=all **n.b.** there are a few more calls to `Sanitizer::stripAllTags` [[ https://codesearch.wmflabs.org/extensions/?q=Sanitizer%3A%3AstripAllTags&i=nope&files=&repos= | within other extensions ]] and it's probably worth auditing these. I think we're also hoping to catch more issues like this by [[ https://gerrit.wikimedia.org/r/c/mediawiki/core/+/530009 | setting `Sanitizer::stripAllTags`' `@return-taint` to tainted ]] for phan-taint-check.