Change Details

==== Steps to reproduce # On any wiki with mentor dashboard enabled (as-of writing, testwiki and some beta wikis), log in with an account that has ability to edit ordinary NS_MEDIAWIKI pages (sysop or similar) # Go to MediaWiki:Growthexperiments-mentor-dashboard-mentee-overview-no-js-fallback and add `<script>alert('XSS');</script>` somewhere to the message # Login with an account that's on the [mentors list](https://test.wikipedia.org/w/index.php?title=Wikipedia:Requests/Help_desk/Mentors). # Go to Special:MentorDashboard # Alert gets displayed ==== Fix MenteeOverview::getBody() should not use `Html::rawElement`, or should use `->escaped()` for the message. ==== Notes This feature is not served outside of testwiki, but since it allows unauthorized users to run arbitrary JS on a production wikis, this should go through the normal security patch procedure.

==== Steps to reproduce # On any wiki with mentor dashboard enabled (as-of writing, testwiki and some beta wikis), log in with an account that has ability to edit ordinary NS_MEDIAWIKI pages (sysop or similar) # Go to MediaWiki:Growthexperiments-mentor-dashboard-mentee-overview-no-js-fallback and add `<script>alert('XSS');</script>` somewhere to the message # Login with an account that's on the [mentors list](https://test.wikipedia.org/w/index.php?title=Wikipedia:Requests/Help_desk/Mentors). # Go to Special:MentorDashboard # Alert gets displayed The same also applies for `growthexperiments-mentor-dashboard-mentee-overview-intro` and `growthexperiments-mentor-dashboard-resources-intro` messages. ==== Fix MenteeOverview::getBody() should not use `Html::rawElement`, or should use `->escaped()` for the message. Similar fix should be applied for other messages mentioned above. ==== Notes This feature is not served outside of testwiki, but since it allows unauthorized users to run arbitrary JS on a production wikis, this should go through the normal security patch procedure.

==== Steps to reproduce # On any wiki with mentor dashboard enabled (as-of writing, testwiki and some beta wikis), log in with an account that has ability to edit ordinary NS_MEDIAWIKI pages (sysop or similar) # Go to MediaWiki:Growthexperiments-mentor-dashboard-mentee-overview-no-js-fallback and add `<script>alert('XSS');</script>` somewhere to the message # Login with an account that's on the [mentors list](https://test.wikipedia.org/w/index.php?title=Wikipedia:Requests/Help_desk/Mentors). # Go to Special:MentorDashboard # Alert gets displayed The same also applies for `growthexperiments-mentor-dashboard-mentee-overview-intro` and `growthexperiments-mentor-dashboard-resources-intro` messages. ==== Fix MenteeOverview::getBody() should not use `Html::rawElement`, or should use `->escaped()` for the message. Similar fix should be applied for other messages mentioned above. ==== Notes This feature is not served outside of testwiki, but since it allows unauthorized users to run arbitrary JS on a production wikis, this should go through the normal security patch procedure.