jenkins-bot has submitted this change and it was merged.

Change subject: Filename: Using text instead of HTML to avoid exploitable
......................................................................


Filename: Using text instead of HTML to avoid exploitable

When setting the file name returned by the browser using
jQuery's .html() method, every kind of crap can be injected into the
HTML DOM. Consider a user who downloaded a file with an evil file name and
is uploading it using UploadWizard, for example. On Windows, this
might not be an issue, but on Linux it is.

However, when using .text(), the node's innerText attribute is set and
nothing bad can be injected in the HTML DOM.

Bug: 51801
Change-Id: I71f0c458d340a96b4b39e2bb2de98d23724cd473
---
M resources/mw.UploadWizardUploadInterface.js
1 file changed, 1 insertion(+), 1 deletion(-)

Approvals:
  Yuvipanda: Looks good to me, approved
  Matmarex: Looks good to me, but someone else must approve
  jenkins-bot: Verified



diff --git a/resources/mw.UploadWizardUploadInterface.js 
b/resources/mw.UploadWizardUploadInterface.js
index 74b9bc6..dde16b5 100644
--- a/resources/mw.UploadWizardUploadInterface.js
+++ b/resources/mw.UploadWizardUploadInterface.js
@@ -586,7 +586,7 @@
                path = path.replace(/\w:.*\\(.*)$/,'$1');
 
                // visible filename
-               $j( _this.form ).find( '.mwe-upwiz-visible-file-filename-text' 
).html( path );
+               $j( _this.form ).find( '.mwe-upwiz-visible-file-filename-text' 
).text( path );
 
                // Set the filename we tell to the API to be the current 
timestamp + the filename
                // This is because we don't actually care what the filename is 
at this point, we just want it to be unique for this session and have the
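Review bot: The one-line change at `.html( path )` → `.text( path )` is the right fix for this sink, since `path` comes straight from the browser's file input and must be rendered as data, not markup; note though that the preceding `path.replace(/\w:.*\\(.*)$/,'$1')` only normalises Windows-style drive paths and is not a sanitiser, so please also check the other places in this file where `path` (or the derived API filename built from the timestamp below) is written into the DOM and make sure none of them still go through `.html()`. A quick manual check that a filename containing `<` and `&` is displayed literally would confirm the fix; the commit message also says `.text()` sets `innerText`, whereas jQuery's `.text()` sets the node's text content, which is worth correcting for accuracy.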

-- 
To view, visit https://gerrit.wikimedia.org/r/75090
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I71f0c458d340a96b4b39e2bb2de98d23724cd473
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/UploadWizard
Gerrit-Branch: master
Gerrit-Owner: Rillke <rainerril...@hotmail.com>
Gerrit-Reviewer: CSteipp <cste...@wikimedia.org>
Gerrit-Reviewer: Drecodeam <drecod...@gmail.com>
Gerrit-Reviewer: Kaldari <rkald...@wikimedia.org>
Gerrit-Reviewer: MarkTraceur <mtrac...@member.fsf.org>
Gerrit-Reviewer: Matmarex <matma....@gmail.com>
Gerrit-Reviewer: Nischayn22 <nischay...@gmail.com>
Gerrit-Reviewer: Yuvipanda <yuvipa...@gmail.com>
Gerrit-Reviewer: jenkins-bot

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
