Florianschmidtwelzow has submitted this change and it was merged.

Change subject: [SECURITY] Fix possible XSS attack
......................................................................
[SECURITY] Fix possible XSS attack The request to the extracts api is made with plaintext to get an unformatted output (without bold, italic and other text formatting). However, the output isn't parsed or anything else, it is passed directly to the output as plain HTML. This allows an attacker to insert scripts and other html into the output which is escaped on the page directly, but not in the quicksearchlookup information box at the right side, which is a security risk. This change fixes the risk by not passing the content to an OOUI\HtmlSnippet element anymore. Bug: T130468 Change-Id: I430e137217c0f01b6807925e703ca71ce9989fe5 --- M includes/QuickSearchLookup.php M tests/phpunit/QuickSearchLookupTest.php 2 files changed, 5 insertions(+), 4 deletions(-) Approvals: Florianschmidtwelzow: Verified; Looks good to me, approved diff --git a/includes/QuickSearchLookup.php b/includes/QuickSearchLookup.php index 060e161..6118aad 100644 --- a/includes/QuickSearchLookup.php +++ b/includes/QuickSearchLookup.php @@ -156,7 +156,7 @@ // the ButtonWidget $layout = new OOUI\Layout(); $layout - ->appendContent( new OOUI\HtmlSnippet( $text ) ) + ->appendContent( $text ) ->addClasses( array( 'mw-search-quicklookup-text', // this class adds space between the text and the read more button (which is positioned diff --git a/tests/phpunit/QuickSearchLookupTest.php b/tests/phpunit/QuickSearchLookupTest.php index a9c0d55..d76185d 100644 --- a/tests/phpunit/QuickSearchLookupTest.php +++ b/tests/phpunit/QuickSearchLookupTest.php @@ -2,6 +2,7 @@ /** * @group Extensions + * @group Database */ class QuickSearchLooupTest extends MediaWikiTestCase { protected function setUp() { @@ -60,9 +61,9 @@ public function getTitleResults() { return array( array( 'BogusTest', false ), - array( 'Main_Page', true ), + array( 'UTPage', true ), array( Title::newFromText( 'BogusTest' ), false ), - array( Title::newMainPage(), true ), + array( Title::newFromText( 'UTPage' ), true ), ); } } 
@@ -71,4 +72,4 @@ public function __call( $name, $args ) { throw new Exception( 'Functions shouldn\'t call the singleton itself.' ); } -} \ No newline at end of file +} -- To view, visit https://gerrit.wikimedia.org/r/281991 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I430e137217c0f01b6807925e703ca71ce9989fe5 Gerrit-PatchSet: 3 Gerrit-Project: mediawiki/extensions/QuickSearchLookup Gerrit-Branch: master Gerrit-Owner: Florianschmidtwelzow <florian.schmidt.stargatewis...@gmail.com> Gerrit-Reviewer: Florianschmidtwelzow <florian.schmidt.stargatewis...@gmail.com> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
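Review bot: the fix in the includes/QuickSearchLookup.php hunk is correct but says nothing about why it works: `->appendContent( $text )` is safe only because OOUI escapes a plain string when it serialises the layout, whereas `new OOUI\HtmlSnippet( $text )` marked the extract as trusted markup to be emitted verbatim. Put a one-line comment at the call site stating that `$text` is untrusted API output and must not be wrapped in HtmlSnippet, so the wrapper is not reintroduced by a later cleanup, and add a regression test in tests/phpunit/QuickSearchLookupTest.php that feeds an extract containing `<script>` through the lookup and asserts the rendered box contains `&lt;script&gt;` rather than the raw tag; none of the test changes in this patch exercise the vulnerable path.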
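Review bot: the `@group Database` annotation added in the tests/phpunit/QuickSearchLookupTest.php header hunk is not explained by the commit message, which only covers the XSS fix; it is needed because the provider further down now looks up `UTPage`, a page the MediaWiki test harness creates in the test database, so say so in the message or in a short comment above the annotation. Also, the unchanged context line `class QuickSearchLooupTest extends MediaWikiTestCase` misspells the class name (`Looup`) and does not match the file name QuickSearchLookupTest.php; worth correcting while the file is being touched.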
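Review bot: switching the positive cases in getTitleResults() from `Main_Page` / `Title::newMainPage()` to `UTPage` / `Title::newFromText( 'UTPage' )` removes the test's dependence on whatever main page the wiki under test has configured, which is an improvement, but it is unrelated to the XSS fix and should be either mentioned in the commit message or split into its own change so that the security patch stays minimal for backporting. Note also that the two positive cases now resolve to the same page, so the string and Title variants only cover the two input types, not two distinct pages; fine if intentional, but a comment saying so would help the next reader.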
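The mechanism the commit message describes, an extract wrapped in OOUI\HtmlSnippet being emitted verbatim while the same extract passed as a plain string is escaped, shown side by side as an added example. This is not code from the QuickSearchLookup extension or from this change. It assumes the oojs/oojs-ui PHP library is installed with Composer, that a theme is registered before any element is built (WikimediaUITheme here; releases from the time of this patch shipped different theme classes), and the sample extract is constructed here to stand in for what the extracts API would return for a page an attacker has edited. The function names renderVulnerable, renderFixed and containsRawScript are this example's own.

```php
<?php
// Added example, not part of the QuickSearchLookup extension.
// Assumes: `composer require oojs/oojs-ui`, and a theme singleton set up
// (OOUI elements cannot be constructed until a theme is registered).
require_once __DIR__ . '/vendor/autoload.php';
OOUI\Theme::setSingleton( new OOUI\WikimediaUITheme() );

// Constructed sample input: what the extracts API might hand back for a page
// whose first paragraph an attacker controls. The wiki's editors control this
// string, so it has to be treated as untrusted.
$extract = "Example article. <script>alert(document.cookie)</script> More text.";

/**
 * Pre-fix behaviour: HtmlSnippet tells OOUI the content is trusted markup,
 * so the script tag is written into the page exactly as received.
 */
function renderVulnerable( $text ) {
	$layout = new OOUI\Layout();
	$layout->appendContent( new OOUI\HtmlSnippet( $text ) );
	return $layout->toString();
}

/**
 * Post-fix behaviour: a plain string is escaped by OOUI when the layout is
 * serialised, so the browser sees the tag as text, not as script.
 */
function renderFixed( $text ) {
	$layout = new OOUI\Layout();
	$layout->appendContent( $text );
	return $layout->toString();
}

/**
 * The check a regression test could make on the rendered HTML: a raw
 * <script> tag in the output means the extract reached the page unescaped.
 */
function containsRawScript( $html ) {
	return strpos( $html, '<script>' ) !== false;
}

$before = renderVulnerable( $extract );
$after  = renderFixed( $extract );

echo "vulnerable: $before\n";
echo "fixed:      $after\n";

// Fails on the pre-fix rendering, passes on the fixed one.
if ( !containsRawScript( $before ) || containsRawScript( $after ) ) {
	throw new RuntimeException( 'escaping check failed' );
}
```

Run with `php example.php` from the directory that holds vendor/. The last check is the part worth carrying into the extension's PHPUnit suite: it distinguishes the two renderings on exactly the input the commit message worries about, whereas the tests changed in this patch only cover title lookup.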