Bawolff moved this task from In Progress to Awaiting remediation on the Security-Reviews board.
Bawolff added a comment.

Review of WikidataLexeme & php-vuejs-templating (To be clear, I didn't look at vue.js in general, since that was already reviewed by Darian afaik).

  • "FormIdFormatter.php" line 69 & "SenseIdFormatter.php" line 73 - It looks like this is not properly escaped. However, it also looks like this is just a couple of hard-coded examples. Kind of confused by this class tbh.
  • "SensesView.php" line 127 - $sense->getId()->getSerialization() - should be HTML escaped I think.
  • "FormsView.php" line 86 - $this->textProvider->get( 'comma-separator' ) - Please avoid using messages as raw HTML in new code.
  • [This may be an issue with Wikidata in general] Clickjacking: Since this allows edit interaction directly on the wiki page, it should take steps to prevent clickjacking. Either JavaScript should detect when the page is being framed and refuse to load the editing-related JS code (since the editing-related code only runs if JS is enabled, it's safe to detect this condition in JS), or the extension can call OutputPage::preventClickjacking() (which totally disables frames for both JS and non-JS users).

In php-vuejs
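The JS-side option from the clickjacking item above, as an added example that is not part of the review or of WikidataLexeme's code: a small gate that refuses to initialise editing-related JavaScript when the document is framed. `maybeStartEditing` and the `startEditing` callback are hypothetical names standing in for the extension's real module init; the window-like objects built by `fakeWindow` are constructed test data so the check can run outside a browser. The server-side route the review also mentions (OutputPage::preventClickjacking(), which makes MediaWiki send a frame-denying header) remains the stronger control, since it also covers non-JS users.

```javascript
'use strict';

// Returns true when `win` is being displayed inside another document.
// Reading win.top from inside a cross-origin frame may throw in browsers;
// that can only happen when a different origin sits above this page, so a
// throw is treated as "framed" rather than as "safe".
function isFramed(win) {
	try {
		return win.self !== win.top;
	} catch (e) {
		return true;
	}
}

// Decide whether the editing module may start. `startEditing` is a
// hypothetical callback standing in for the real module's init function.
// The returned record lets callers log why the editing UI was withheld.
function maybeStartEditing(win, startEditing) {
	if (isFramed(win)) {
		return { started: false, reason: 'document is framed; editing UI withheld' };
	}
	startEditing();
	return { started: true, reason: 'top-level document' };
}

// Constructed window-like object for offline use (not a real browser window).
// With `crossOriginTop` set, reading `top` throws, mimicking the SecurityError
// a browser raises for a cross-origin ancestor.
function fakeWindow(topWindow, crossOriginTop) {
	const win = {};
	win.self = win;
	if (crossOriginTop) {
		Object.defineProperty(win, 'top', {
			get() { throw new Error('constructed: cross-origin access denied'); }
		});
	} else {
		win.top = topWindow || win;
	}
	return win;
}

// Exercise the gate in the three situations that matter: a top-level page,
// a same-origin frame, and a cross-origin frame. Returns the decisions and
// how many times the (hypothetical) editor init was actually invoked.
function demo() {
	let inits = 0;
	const startEditing = function () { inits += 1; };

	const topLevel = fakeWindow();
	const sameOriginFrame = fakeWindow(topLevel, false);
	const crossOriginFrame = fakeWindow(null, true);

	return {
		topLevel: maybeStartEditing(topLevel, startEditing),
		sameOriginFrame: maybeStartEditing(sameOriginFrame, startEditing),
		crossOriginFrame: maybeStartEditing(crossOriginFrame, startEditing),
		inits: inits
	};
}

// In a browser the call site would be:
//   maybeStartEditing( window, initLexemeEditor );   // hypothetical init name
```

Note that the gate only withholds the editing code; it does not try to "bust" out of the frame, which a hostile embedder can block. It also treats a same-origin frame as framed, which is the conservative choice for an editing UI.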


TASK DETAIL
https://phabricator.wikimedia.org/T186726


To: Bawolff
Cc: Aklapper, Lucas_Werkmeister_WMDE, Ladsgroup, thiemowmde, Lydia_Pintscher, WMDE-leszek, Lahi, Gq86, Cinemantique, GoranSMilovanovic, QZanden, EBjune, LawExplorer, dpatrick, Luke081515, Wikidata-bugs, aude, JanZerebecki, Darkdadaah, csteipp, Mbch331, Jay8g, Legoktm
_______________________________________________
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs