Rillke has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/75090


Change subject: Filename: Using text instead of HTML to avoid exploitable
......................................................................

Filename: Using text instead of HTML to avoid exploitable

When setting the file name returned by the browser using
jQuery's .html() method, every kind of crap can be injected into the
HTML DOM. Consider a user who downloaded a file with an evil file name and
is uploading it using UploadWizard, for example. On Windows, this
might not be an issue, but on Linux it is.

However, when using .text(), the node's innerText attribute is set and
nothing bad can be injected in the HTML DOM.

Bug: 51801
Change-Id: I71f0c458d340a96b4b39e2bb2de98d23724cd473
---
M resources/mw.UploadWizardUploadInterface.js
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/UploadWizard 
refs/changes/90/75090/1

diff --git a/resources/mw.UploadWizardUploadInterface.js 
b/resources/mw.UploadWizardUploadInterface.js
index 74b9bc6..dde16b5 100644
--- a/resources/mw.UploadWizardUploadInterface.js
+++ b/resources/mw.UploadWizardUploadInterface.js
@@ -586,7 +586,7 @@
                path = path.replace(/\w:.*\\(.*)$/,'$1');
 
                // visible filename
-               $j( _this.form ).find( '.mwe-upwiz-visible-file-filename-text' 
).html( path );
+               $j( _this.form ).find( '.mwe-upwiz-visible-file-filename-text' 
).text( path );
 
                // Set the filename we tell to the API to be the current 
timestamp + the filename
                // This is because we don't actually care what the filename is 
at this point, we just want it to be unique for this session and have the
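Review bot: the switch to `.text( path )` is the right fix for this sink, but nothing at the call site records why, so add a one-line comment above it (for example `// path is browser-supplied; render as text, never with .html()`) so a later refactor does not quietly reintroduce the HTML sink. Since the commit message frames the problem as the filename itself rather than this single line, it is also worth checking the rest of this file for other `.html(` calls that receive `path` or other strings taken from the file input. Minor: the message says `.text()` sets `innerText`; jQuery's `.text( value )` actually replaces the contents with a text node, which is why markup characters in `path` lose their meaning, so the wording could be tightened before merge.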

-- 
To view, visit https://gerrit.wikimedia.org/r/75090
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I71f0c458d340a96b4b39e2bb2de98d23724cd473
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/UploadWizard
Gerrit-Branch: master
Gerrit-Owner: Rillke <rainerril...@hotmail.com>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
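The difference the change relies on, as an added example that is not part of this patch or of UploadWizard's code: the same drive-path normalisation as the hunk is applied to a browser-supplied filename, and the result is then pushed through a text-style sink (character data, as jQuery's `.text()` does) and through a tiny stand-in for an HTML sink (which parses the string as markup). The function names, the minimal tag recogniser and the sample filenames are all constructed for this illustration; only the `replace` regex comes from the patched code.

```javascript
'use strict';

// Same normalisation the patched code performs before display: strip a
// Windows drive-letter path ("C:\fakepath\name.png") down to the basename.
function basenameForDisplay(path) {
  return path.replace(/\w:.*\\(.*)$/, '$1');
}

// What a text sink (jQuery .text(), element.textContent) effectively does:
// the string becomes character data, so markup characters carry no meaning.
// Serialising that text node back to HTML gives the escaped form below.
function asTextNodeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Stand-in for an HTML sink (jQuery .html(), innerHTML): the string is parsed
// as markup, so any tag-like run in the filename becomes an element instead
// of text. A minimal start-tag recogniser is enough to show that effect;
// it is not a full HTML parser.
function tagsCreatedByHtmlSink(s) {
  const tags = [];
  const re = /<\s*([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = re.exec(s)) !== null) {
    tags.push(m[1].toLowerCase());
  }
  return tags;
}

// Defensive check for logging or review: does a filename contain characters
// an HTML sink would interpret? This is a detection aid, not a sanitiser;
// the fix is still to use a text sink.
function filenameLooksLikeMarkup(name) {
  return /[<>&"']/.test(name);
}

// Constructed sample filenames (not taken from the page).
const SAMPLES = [
  'C:\\fakepath\\holiday photo.jpg',
  '<b>report</b>.png',
  'Tom & Jerry <3.gif',
];

// Run each sample through both sinks and report what each would produce.
function demo() {
  return SAMPLES.map(function (raw) {
    const name = basenameForDisplay(raw);
    return {
      raw: raw,
      shown: name,
      textSinkHtml: asTextNodeHtml(name),
      htmlSinkTags: tagsCreatedByHtmlSink(name),
      flagged: filenameLooksLikeMarkup(name),
    };
  });
}

for (const r of demo()) {
  console.log(JSON.stringify(r));
}
```

The `htmlSinkTags` field is the point: for `<b>report</b>.png` the text sink yields `&lt;b&gt;report&lt;/b&gt;.png` and no elements, while the HTML sink would have created a `b` element from the same input. `filenameLooksLikeMarkup` is the kind of condition a reviewer or a log-based check can use to spot filenames that would have mattered under the old `.html()` call.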
