[Bug 64183] JS injection vulnerability in Html::element()?
https://bugzilla.wikimedia.org/show_bug.cgi?id=64183

Chris Steipp cste...@wikimedia.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Group|security                    |
          Component|Core                        |General/Unknown
           Assignee|secur...@wikimedia.org      |wikibugs-l@lists.wikimedia.org
            Product|Security                    |MediaWiki

--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
___
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 64183] JS injection vulnerability in Html::element()?
https://bugzilla.wikimedia.org/show_bug.cgi?id=64183

--- Comment #1 from Bartosz Dziewoński matma@gmail.com ---

(In reply to Yaron Koren from comment #0)
> I'm told that this is not correct behavior, so I'm submitting a bug for it.

By whom?

While it might not be the most fortunate behavior, Html::element only HTML-escapes the attributes and does not mangle their contents.

You could validate user input by checking it against the list of protocols returned by wfUrlProtocols(), or using Sanitizer::validateTagAttributes() to do more thorough cleanup of other attributes as well.
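The distinction drawn in comment #1, as an added example that is not part of the thread and not MediaWiki code: HTML-escaping an attribute value keeps the markup intact but leaves a `javascript:` scheme untouched, so the URL scheme needs its own allowlist check. `ALLOWED_SCHEMES`, `escapeAttr`, `urlScheme` and `isSafeHref` are hypothetical names, and the allowlist is a constructed stand-in for what `wfUrlProtocols()` returns.

```php
<?php
// Added example, not MediaWiki code. ALLOWED_SCHEMES is a constructed
// stand-in for the list wfUrlProtocols() returns in a real install.
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

// HTML-escape an attribute value the way an element builder does:
// this protects the markup, it does not inspect the URL inside.
function escapeAttr(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Return the lowercased scheme, or null when the URL has none.
// Browsers drop tab/CR/LF inside a URL and ignore leading control
// characters and spaces, so normalise the same way before parsing.
function urlScheme(string $url): ?string {
    $url = str_replace(["\t", "\r", "\n"], '', $url);
    $url = ltrim($url, "\x00..\x20");
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)) {
        return strtolower($m[1]);
    }
    return null;
}

// Accept scheme-less (relative) URLs and allowlisted schemes only.
function isSafeHref(string $url): bool {
    $scheme = urlScheme($url);
    return $scheme === null || in_array($scheme, ALLOWED_SCHEMES, true);
}

// Constructed sample inputs.
$samples = [
    'https://www.mediawiki.org/',
    'javascript:alert(1)',      // untouched by HTML escaping
    "java\tscript:alert(1)",    // same scheme once the tab is dropped
    '/wiki/Main_Page',
    '"><b>x',                   // markup breakout: escaping handles this
];

foreach ($samples as $href) {
    $verdict = isSafeHref($href) ? 'allow' : 'reject';
    printf("%-7s <a href=\"%s\">\n", $verdict, escapeAttr($href));
}
```

Escaping is still applied to every value on output; the scheme check decides whether the value is written at all.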
[Bug 64183] JS injection vulnerability in Html::element()?
https://bugzilla.wikimedia.org/show_bug.cgi?id=64183

--- Comment #2 from Yaron Koren yaro...@gmail.com ---

We discussed it in the comments here:

https://gerrit.wikimedia.org/r/#/c/124995/

But based on what you're saying, it sounds like there was just a misunderstanding about escaping vs. mangling of Javascript content.