jenkins-bot has submitted this change and it was merged. Change subject: renderer.article: Ignore thumnail if the URL has suspicious characters ......................................................................
renderer.article: Ignore thumnail if the URL has suspicious characters If the URL of the thumbnail has suspicious characters like ', " or \, return a <span> instead of trying to render a thumbnail. Bug: T88171 Change-Id: Ide052ea2a7de166599d077a385a6e788bfa63302 --- M resources/ext.popups.renderer.article.js 1 file changed, 9 insertions(+), 2 deletions(-) Approvals: CSteipp: Looks good to me, but someone else must approve Werdna: Looks good to me, approved jenkins-bot: Verified diff --git a/resources/ext.popups.renderer.article.js b/resources/ext.popups.renderer.article.js index 728606b..0204577 100644 --- a/resources/ext.popups.renderer.article.js +++ b/resources/ext.popups.renderer.article.js 
@@ -249,11 +249,18 @@
 var svg = mw.popups.supportsSVG;
 if (
- !thumbnail || // No thumbnail
+ // No thumbnail
+ !thumbnail ||
 // Image too small for landscape display
 ( !tall && thumbnail.width < article.SIZES.landscapeImage.w ) ||
 // Image too small for protrait display
- ( tall && thumbnail.height < article.SIZES.portraitImage.h )
+ ( tall && thumbnail.height < article.SIZES.portraitImage.h ) ||
+ // These characters in URL that could inject CSS and thus JS
+ (
+ thumbnail.source.indexOf( '\\' ) > -1 ||
+ thumbnail.source.indexOf( '\'' ) > -1 ||
+ thumbnail.source.indexOf( '\"' ) > -1
+ )
 ) {
 return $( '<span>' );
 }
-- To view, visit https://gerrit.wikimedia.org/r/199211 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Ide052ea2a7de166599d077a385a6e788bfa63302 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/extensions/Popups Gerrit-Branch: master Gerrit-Owner: Prtksxna <psax...@wikimedia.org> Gerrit-Reviewer: CSteipp <cste...@wikimedia.org> Gerrit-Reviewer: Prtksxna <psax...@wikimedia.org> Gerrit-Reviewer: Werdna <agarr...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
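Review bot: The new character check on `thumbnail.source` rejects only `\`, `'` and `"`, which is not enough if the value is later concatenated into a CSS `url(...)` or an inline `style` string: an unquoted `url()` is also terminated by `)` and whitespace, and newlines or other control characters can break a quoted one, so a three-character denylist gives a false sense of safety (the sink is outside this hunk, so this is inferred from the added comment). The robust fix is to escape at the sink — quote the URL there and percent-encode `'`, `"`, `\`, `(`, `)` and whitespace before concatenation — and keep this check only as defence in depth. If the check stays, the three `indexOf` calls and the needless `\"` escape can collapse into `/[\\'"]/.test( thumbnail.source ) ||`, and the comment would read better as `// Bail out if the URL contains characters that could break out of a CSS url()/quoted string and inject CSS or JS`. The enclosing function starts and ends outside the hunk.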