tosfos has submitted this change and it was merged.

Change subject: Avoid XSS vulnerability
......................................................................


Avoid XSS vulnerability

Bug: T98705
Change-Id: I9c35878281bc1071fe7155b091020c8ab89e2b40
---
M GoogleCustomWikiSearch.class.php
M GoogleCustomWikiSearch.php
2 files changed, 9 insertions(+), 3 deletions(-)

Approvals:
  tosfos: Verified; Looks good to me, approved



diff --git a/GoogleCustomWikiSearch.class.php b/GoogleCustomWikiSearch.class.php
index 6bee184..a519217 100644
--- a/GoogleCustomWikiSearch.class.php
+++ b/GoogleCustomWikiSearch.class.php
@@ -47,6 +47,10 @@
                return $this->term;
        }
 
+       public function getTermEncoded() {
+               return FormatJson::encode( $this->getTerm() );
+       }
+
        public function getId() {
                return $this->id;
        }
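Review bot: getTermEncoded() is added without a docblock, although its safety guarantee is the whole point of the change and the neighbouring getters in this class document their `@return`. The header should state what callers may rely on: that the value is a JSON string literal intended for interpolation into inline JavaScript, that it depends on FormatJson::encode's default escaping of `<`, `>`, `&` and non-ASCII characters (no XMLMETA_OK / UTF8_OK flags passed), and that passing those flags here would reopen the `</script>` break-out this commit closes. A short form would be `/** @return string JSON literal of the search term, safe for inline <script> (relies on FormatJson default escaping) */`. The enclosing class starts outside the hunk.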
@@ -142,6 +146,7 @@
         * @return string
         */
        private function getScriptVersion1() {
+               $term = $this->getTermEncoded();
                return <<<END
        google.load('search', '1', {language : 
'{$this->getLanguage()->getCode()}', style : 
google.loader.themes.{$this->getTheme()}});
        google.setOnLoadCallback(function() {
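Review bot: The same heredoc still splices `{$this->getLanguage()->getCode()}` into a single-quoted JS string and `{$this->getTheme()}` in as a bare identifier, with no encoding, so only the search term has been hardened. If either value can be derived from a request parameter or unvalidated wiki configuration rather than a validated language code and a fixed theme name, the break-out this commit closes remains reachable through those paths; their origin is not visible in this hunk, so it needs confirming in the getters. If they are configuration-only, a comment on the heredoc such as `// language code and theme come from validated configuration, not request input, so they are not JSON-encoded like $term` would record why they are treated differently. getScriptVersion1's body continues past the end of the hunk.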
@@ -149,7 +154,7 @@
                {$this->getSearchDisplayOption()}
                {$this->getOptions()}
                customSearchControl.draw('cse', options);
-               customSearchControl.execute("{$this->getTerm()}");
+               customSearchControl.execute( {$term} );
        }, true);
 END;
        }
@@ -158,13 +163,14 @@
         * @return string
         */
        private function getScriptVersion2() {
+               $term = $this->getTermEncoded();
                return <<<END
 function gcseCallback() {
        if (document.readyState != 'complete')
                return google.setOnLoadCallback(gcseCallback, true);
        google.search.cse.element.render({gname:'gcws', div:'cse', 
{$this->getSearchDisplayOption()}});
        var element = google.search.cse.element.getElement('gcws');
-       element.execute('{$this->getTerm()}');
+       element.execute( {$term} );
 };
 window.__gcse = {
        parsetags: 'explicit',
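Review bot: `{$this->getSearchDisplayOption()}` is interpolated raw into the object literal passed to render(), so in getScriptVersion2 only the term is protected by the new encoding. Whether that string is built from trusted configuration, and whether it is already JSON-encoded, cannot be seen from this hunk and should be confirmed; if it can carry request data the injection fixed for the term is still reachable there. A more robust shape would build the render options as a PHP array and emit it once with FormatJson::encode, so no field is string-spliced into JavaScript. gcseCallback and the `window.__gcse` literal continue outside the hunk.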
diff --git a/GoogleCustomWikiSearch.php b/GoogleCustomWikiSearch.php
index 06369ac..305efdc 100644
--- a/GoogleCustomWikiSearch.php
+++ b/GoogleCustomWikiSearch.php
@@ -10,7 +10,7 @@
        'author' => 'Ike Hecht for [http://wikiworks.com/ WikiWorks]',
        'url' => 
'https://www.mediawiki.org/wiki/Extension:GoogleCustomWikiSearch',
        'descriptionmsg' => 'gcws-desc',
-       'version' => '0.4.0 beta',
+       'version' => '0.5.0 beta',
 );
 
 $dir = __DIR__ . '/';

-- 
To view, visit https://gerrit.wikimedia.org/r/209987
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I9c35878281bc1071fe7155b091020c8ab89e2b40
Gerrit-PatchSet: 2
Gerrit-Project: mediawiki/extensions/GoogleCustomWikiSearch
Gerrit-Branch: master
Gerrit-Owner: tosfos <[email protected]>
Gerrit-Reviewer: jenkins-bot <>
Gerrit-Reviewer: tosfos <[email protected]>
