http://www.mediawiki.org/wiki/Special:Code/MediaWiki/56429
Revision: 56429
Author: brion
Date: 2009-09-16 18:42:58 +0000 (Wed, 16 Sep 2009)
Log Message:
-----------
Security fix: validate $oldid input parameter and escape it on output when generating JavaScript code to put into HTML fragments in AJAX responses
Modified Paths:
--------------
trunk/extensions/Collection/Collection.hooks.php
trunk/extensions/Collection/Collection.php
Modified: trunk/extensions/Collection/Collection.hooks.php
===================================================================
--- trunk/extensions/Collection/Collection.hooks.php 2009-09-16 18:27:43 UTC (rev 56428)
+++ trunk/extensions/Collection/Collection.hooks.php 2009-09-16 18:42:58 UTC (rev 56429)
@@ -400,14 +400,16 @@
 $captionMsg = 'coll-add_this_page';
 $tooltipMsg = 'coll-add_page_tooltip';
 $query = array( 'bookcmd' => 'add_article', 'arttitle' => $ptext, 'oldid' => $oldid );
- $onclick = "collectionCall('AddArticle', ['removearticle', wgNamespaceNumber, wgTitle, $oldid]); return false;";
+ $onclick = "collectionCall('AddArticle', ['removearticle', wgNamespaceNumber, wgTitle, " .
+ Xml::encodeJsVar( $oldid ) . "]); return false;";
 } else {
 $id = 'coll-remove_article';
 $icon = 'silk-remove.png';
 $captionMsg = 'coll-remove_this_page';
 $tooltipMsg = 'coll-remove_page_tooltip';
 $query = array( 'bookcmd' => 'remove_article', 'arttitle' => $ptext, 'oldid' => $oldid );
- $onclick = "collectionCall('RemoveArticle', ['addarticle', wgNamespaceNumber, wgTitle, $oldid]); return false;";
+ $onclick = "collectionCall('RemoveArticle', ['addarticle', wgNamespaceNumber, wgTitle, " .
+ Xml::encodeJsVar( $oldid ) . "]); return false;";
 }
 }
Modified: trunk/extensions/Collection/Collection.php
===================================================================
--- trunk/extensions/Collection/Collection.php 2009-09-16 18:27:43 UTC (rev 56428)
+++ trunk/extensions/Collection/Collection.php 2009-09-16 18:42:58 UTC (rev 56429)
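Review bot: Xml::encodeJsVar( $oldid ) makes the value safe for the JavaScript context only; the resulting $onclick is still destined for an HTML attribute, and the attribute-level escaping is not visible in this hunk (the enclosing function starts before and continues after it), so it should be confirmed at the point where $onclick is emitted. The same applies to the second $onclick in this hunk. As far as I recall, encodeJsVar() emits a quoted string for a non-integer value and `null` for null, so the JS array element's type now depends on what each caller passes; normalising once at the top of this function, `$oldid = $oldid === null ? null : intval( $oldid );`, would give a numeric literal regardless of caller instead of relying on the AJAX wrapper alone. The `$query` array still carries the raw `$oldid`, which is fine only if the URL builder that consumes it escapes its values.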
@@ -207,6 +207,9 @@
 $wgAjaxExportList[] = 'wfAjaxCollectionAddCategory';
 function wfAjaxCollectionGetBookCreatorBoxContent( $ajaxHint='', $oldid=null ) {
+ if( !is_null( $oldid ) ) {
+ $oldid = intval( $oldid );
+ }
 return CollectionHooks::getBookCreatorBoxContent( $ajaxHint, $oldid );
 }
_______________________________________________
MediaWiki-CVS mailing list
MediaWiki-CVS@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-cvs
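Review bot: intval() accepts any string, so `12abc` becomes 12 and `abc` or an empty string becomes 0, which then reaches getBookCreatorBoxContent() as a revision id rather than the null that the `$oldid=null` default presumably means as "no specific revision" (the callee is not visible here). A stricter normalisation would be `$oldid = ( $oldid === null || !ctype_digit( (string)$oldid ) ) ? null : intval( $oldid );`, which also maps the empty string to null. This guard covers only the AJAX entry point; any other caller of getBookCreatorBoxContent() that forwards request input still depends on the output escaping in Collection.hooks.php. Style-wise, `$oldid !== null` is the usual form over `!is_null( $oldid )`.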