http://www.mediawiki.org/wiki/Special:Code/MediaWiki/95387

Revision: 95387
Author:   catrope
Date:     2011-08-24 09:38:09 +0000 (Wed, 24 Aug 2011)
Log Message:
-----------
Followup r95316, r95317 per CR: escape the URL before using it in HTML. It doesn't look like this was a viable XSS vector because FullRequestURL comes with strange characters urlencoded (at least on Apache), but it sure looked scary.

Modified Paths:
--------------
    trunk/extensions/MobileFrontend/MobileFrontend.php

Modified: trunk/extensions/MobileFrontend/MobileFrontend.php
===================================================================
--- trunk/extensions/MobileFrontend/MobileFrontend.php  2011-08-24 09:23:50 UTC 
(rev 95386)
+++ trunk/extensions/MobileFrontend/MobileFrontend.php  2011-08-24 09:38:09 UTC 
(rev 95387)
@@ -156,7 +156,7 @@
                self::$enableImagesURL = $wgRequest->escapeAppendQuery( 
'enableImages=1' );
                self::$disableMobileSiteURL = $wgRequest->escapeAppendQuery( 
'mobileaction=disable_mobile_site' );
                self::$viewNormalSiteURL = $wgRequest->escapeAppendQuery( 
'mobileaction=view_normal_site' );
-               self::$currentURL = $wgRequest->getFullRequestURL();
+               self::$currentURL = htmlspecialchars( 
$wgRequest->getFullRequestURL() );
                
                $skin = $wgUser->getSkin();
                $copyright = $skin->getCopyright();
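Review bot: `htmlspecialchars()` with its default flags (ENT_COMPAT on PHP 5.x) does not convert single quotes, so the new `self::$currentURL = htmlspecialchars( $wgRequest->getFullRequestURL() );` is only sufficient if `$currentURL` is always emitted as element content or inside a double-quoted attribute; pass `ENT_QUOTES` as the second argument so a single-quoted attribute is covered as well. Storing an HTML-escaped string in a property named `$currentURL` also blurs the encoding context: any later use of it as a raw URL (a redirect target, a further query append) will carry `&amp;` and other entities. Either keep the raw URL here and escape at the point of output, or rename the property so the escaped state is explicit, matching the escaped URLs the three `escapeAppendQuery()` assignments above already store.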


_______________________________________________
MediaWiki-CVS mailing list
MediaWiki-CVS@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-cvs