Reported via security@.
A simple htmlspecialchars will do.
Original report from John Menerick:
> To whom it may concern;
>
> It appears there is an XSS vulnerability in MediaWiki's thumb.php source code. On line 35, the unvalidated or sanitized parameters are pulled from the client's request. As we see in the attached image, it flows through the code until the bottom of the data flow - wfthumberror, line 588 -> builtin_echo().
>
> The expected behavior is that the thumb.php's request handler properly sanitizes or validates the parameters before handing them to thumb.php. Or the output is properly sanitized before being echoed out to the client.
>
> The impact isn’t clear to me due to the arcane workflow to get this code path to execute. The vector appears plausible. Hence this heads up.
>
> Software) MediaWiki
> Changelist) 57fb6ab46ca82305997c9956a6ec4887040e556e
> Src) Github
--------------------------
**Patch**: {F158192}
* 1.25 - same as master ({F158192})
* 1.24 - same as master ({F158192})
* 1.23 -
**Affected Versions**: Since 1.21 (dfe02f371be76b236a0af9028f52584bef04a427 / a04d9cb7487773e102285de13b7092a2bc9b6821)
**Type**: xss
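
The output-escaping fix named above ("a simple htmlspecialchars will do"), as an added example that is not part of the original report and not MediaWiki's code. `renderThumbErrorUnsafe`, `renderThumbErrorSafe`, the page text and the sample parameter are hypothetical stand-ins for an error page that echoes a request-derived message.

```php
<?php
// Added illustration; these functions are hypothetical stand-ins,
// not MediaWiki's thumb.php.

// Before: a message built from request parameters is written into HTML as-is.
function renderThumbErrorUnsafe(string $msg): string {
    return "<html><head><title>Error generating thumbnail</title></head>\n"
        . "<body><h1>Error generating thumbnail</h1>\n"
        . "<p>" . $msg . "</p></body></html>\n";
}

// After: escape at the output boundary, so every caller is covered no matter
// which request parameter ended up in the message.
function renderThumbErrorSafe(string $msg): string {
    // ENT_QUOTES also encodes ' and ", which matters if the value is ever
    // placed inside an attribute; ENT_SUBSTITUTE replaces invalid UTF-8
    // sequences instead of returning an empty string.
    $escaped = htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<html><head><title>Error generating thumbnail</title></head>\n"
        . "<body><h1>Error generating thumbnail</h1>\n"
        . "<p>" . $escaped . "</p></body></html>\n";
}

// Constructed sample: a request parameter reflected in an error message.
$param = '<script>alert(1)</script>';
$msg = "The specified thumbnail parameters are not valid: width=$param";

$unsafe = renderThumbErrorUnsafe($msg);
$safe = renderThumbErrorSafe($msg);

// Check whether raw markup from the parameter reaches each page, and
// whether the safe page carries the entity-encoded form instead.
var_dump(strpos($unsafe, '<script>') !== false);
var_dump(strpos($safe, '<script>') !== false);
var_dump(strpos($safe, '&lt;script&gt;alert(1)&lt;/script&gt;') !== false);
```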