Change Details

Widgets is inherently insecure as it trusts the base64 encoded content on the page to be safe to decode and output. Its first line of "defense" is to include a laughably easy to obtain secret key along with the encoded content. Next is to mark the content as HTML which shouldn't be parsed so it is hidden in the parser with a UNIQ marker. This defense is an improvement as you need to have a way to retrieve the content which the UNIQ marker represents to be able to then obtain the secret key. Prior to T63268 being fixed, this could be accomplished with Scribunto's `mw.text.unstrip` function. So while this isn't an issue for sites using a more recent version of Scribunto, it is for previous versions, and if any other method can be found to reveal the content behind the UNIQ marker, it will be insecure again. The solution is to stop trying to hide the insecurity, and instead not be insecure in the first place by not trusting the content on the page. The way to do this is simple, and is the same as what the UNIQ marker already does: store an index on the page, and use that to retrieve the content from an array. This will also be faster as it doesn't have to pointlessly base64 encode and decode the content.

Widgets is inherently insecure as it trusts the base64 encoded content on the page to be safe to decode and output. Its first line of "defense" is to include a laughably easy to obtain secret key along with the encoded content (see T41883). Next is to mark the content as HTML which shouldn't be parsed so it is hidden in the parser with a UNIQ marker. This defense is an improvement as you need to have a way to retrieve the content which the UNIQ marker represents to be able to then obtain the secret key. Prior to T63268 being fixed, this could be accomplished with Scribunto's `mw.text.unstrip` function. So while this isn't an issue for sites using a more recent version of Scribunto, it is for previous versions, and if any other method can be found to reveal the content behind the UNIQ marker, it will be insecure again. The solution is to stop trying to hide the insecurity, and instead not be insecure in the first place by not trusting the content on the page. The way to do this is simple, and is the same as what the UNIQ marker already does: store an index on the page, and use that to retrieve the content from an array. This will also be faster as it doesn't have to pointlessly base64 encode and decode the content.

Widgets is inherently insecure as it trusts the base64 encoded content on the page to be safe to decode and output. Its first line of "defense" is to include a laughably easy to obtain secret key along with the encoded content (see T41883). Next is to mark the content as HTML which shouldn't be parsed so it is hidden in the parser with a UNIQ marker. This defense is an improvement as you need to have a way to retrieve the content which the UNIQ marker represents to be able to then obtain the secret key. Prior to T63268 being fixed, this could be accomplished with Scribunto's `mw.text.unstrip` function. So while this isn't an issue for sites using a more recent version of Scribunto, it is for previous versions, and if any other method can be found to reveal the content behind the UNIQ marker, it will be insecure again. The solution is to stop trying to hide the insecurity, and instead not be insecure in the first place by not trusting the content on the page. The way to do this is simple, and is the same as what the UNIQ marker already does: store an index on the page, and use that to retrieve the content from an array. This will also be faster as it doesn't have to pointlessly base64 encode and decode the content.