Prtksxna has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/199211

Change subject: renderer.article: Ignore thumbnail if the URL has suspicious 
characters
......................................................................

renderer.article: Ignore thumbnail if the URL has suspicious characters

If the URL of the thumbnail has suspicious characters like ', " or \,
return a <span> instead of trying to render a thumbnail.

Bug: T88171
Change-Id: Ide052ea2a7de166599d077a385a6e788bfa63302
---
M resources/ext.popups.renderer.article.js
1 file changed, 9 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/Popups 
refs/changes/11/199211/1

diff --git a/resources/ext.popups.renderer.article.js 
b/resources/ext.popups.renderer.article.js
index 728606b..0204577 100644
--- a/resources/ext.popups.renderer.article.js
+++ b/resources/ext.popups.renderer.article.js
@@ -249,11 +249,18 @@
                var svg = mw.popups.supportsSVG;
 
                if (
-                       !thumbnail || // No thumbnail
+                       // No thumbnail
+                       !thumbnail ||
                        // Image too small for landscape display
                        ( !tall && thumbnail.width < 
article.SIZES.landscapeImage.w ) ||
                        // Image too small for protrait display
-                       ( tall && thumbnail.height < 
article.SIZES.portraitImage.h )
+                       ( tall && thumbnail.height < 
article.SIZES.portraitImage.h ) ||
+                       // These characters in URL that could inject CSS and 
thus JS
+                       (
+                               thumbnail.source.indexOf( '\\' ) > -1 ||
+                               thumbnail.source.indexOf( '\'' ) > -1 ||
+                               thumbnail.source.indexOf( '\"' ) > -1
+                       )
                ) {
                        return $( '<span>' );
                }
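Review bot: the new clause dereferences `thumbnail.source` without checking that it is a string, so a thumbnail object whose `source` is missing or non-string will throw a TypeError inside the condition instead of falling through to the `<span>`; add `typeof thumbnail.source !== 'string' ||` ahead of the three `indexOf` calls. A three-character blacklist is also a thin defence against the threat the comment names (a URL that escapes a CSS string and injects declarations): depending on where `thumbnail.source` is interpolated, `)`, `;` or whitespace can terminate a `url(...)` token just as well as a quote, so either build the image element through DOM/jQuery attribute setters rather than string concatenation, or percent-encode the URL before it is used, and keep this check only as defence in depth. Minor: the comment "These characters in URL that could inject CSS and thus JS" is not a sentence; "Reject URLs containing characters that could inject CSS (and thus JS)" reads better, and the untouched context comment above it has "protrait" for "portrait".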

-- 
To view, visit https://gerrit.wikimedia.org/r/199211
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ide052ea2a7de166599d077a385a6e788bfa63302
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/Popups
Gerrit-Branch: master
Gerrit-Owner: Prtksxna <psax...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
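The following is an added illustration of the risk the commit message describes and of the two mitigation styles discussed in review; it is not code from the Popups extension and does not reflect how the renderer actually builds its markup. It assumes, hypothetically, that the thumbnail URL is concatenated into a CSS `url('...')` value, and all function names (`buildStyleUnsafe`, `isSuspiciousUrl`, `encodeForCssUrl`, `buildStyleSafe`, `declarationCount`) and both sample URLs are constructed for the example.

```javascript
// Added example, not part of the Popups extension or of change 199211.
// Assumed (hypothetical) rendering pattern: the thumbnail URL is pasted
// into an inline style as url('...'), which is the pattern the patch's
// character blacklist is meant to protect.

// Constructed sample URLs: a benign thumbnail URL and one that closes the
// url('...') token early and smuggles in extra CSS declarations.
const GOOD_URL =
  'https://upload.wikimedia.org/wikipedia/commons/thumb/a/ab/Example.jpg/300px-Example.jpg';
const EVIL_URL =
  "https://example.invalid/x.jpg'); color: red; background: url('https://attacker.invalid/y.jpg";

// Naive string concatenation into a style value (the vulnerable pattern).
function buildStyleUnsafe(url) {
  return "background-image: url('" + url + "')";
}

// The patch's check, extracted into a predicate, plus a type guard so a
// missing or non-string `source` is rejected instead of throwing.
function isSuspiciousUrl(url) {
  return typeof url !== 'string' ||
    url.indexOf('\\') > -1 ||
    url.indexOf("'") > -1 ||
    url.indexOf('"') > -1;
}

// Stronger alternative: percent-encode every character that can terminate
// or alter a CSS url() token (quotes, backslash, parentheses, whitespace,
// semicolon). Percent-encoding keeps the URL fetchable and leaves ordinary
// URL characters untouched; this is an assumption about the target server,
// not something the page states.
function encodeForCssUrl(url) {
  return url.replace(/[\\'"()\s;]/g, function (c) {
    return '%' + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0');
  });
}

// Same concatenation as above, but over the encoded URL.
function buildStyleSafe(url) {
  return "background-image: url('" + encodeForCssUrl(url) + "')";
}

// Number of non-empty `;`-separated declarations in a style string; a
// single background-image rule should yield exactly one.
function declarationCount(style) {
  return style.split(';').filter(function (s) { return s.trim() !== ''; }).length;
}
```

With the crafted URL, `buildStyleUnsafe` yields three declarations where one was intended, which is the breakout the patch is guarding against; `buildStyleSafe` yields one, and for the benign URL the two builders produce identical output, so encoding costs nothing in the common case. The blacklist predicate rejects the crafted URL too, but only because it happens to contain a quote.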
