[Wikidata-bugs] [Maniphest] [Updated] T118268: Security Review of Article Placeholder
chasemp removed a project: deprecated-security-team-reviews.

TASK DETAIL
https://phabricator.wikimedia.org/T118268

EMAIL PREFERENCES
https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: csteipp, chasemp
Cc: gerritbot, Ricordisamoa, csteipp, Lydia_Pintscher, Lucie, Aklapper, hoo, Hook696, Daryl-TTMG, RomaAmorRoma, 0010318400, E.S.A-Sheild, darthmon_wmde, Meekrab2012, joker88john, CucyNoiD, Nandana, NebulousIris, Gaboe420, Versusxo, Majesticalreaper22, Giuliamocci, Adrian1985, Cpaulf30, Lahi, Gq86, Af420, Darkminds3113, Bsandipan, Lordiis, GoranSMilovanovic, Adik2382, Th3d3v1ls, Ramalepe, Liugev6, QZanden, cmadeo, LawExplorer, WSH1906, Lewizho99, Maathavan, _jensen, rosalieper, Scott_WUaS, Wikidata-bugs, aude, jayvdb, Mbch331

___
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs
[Wikidata-bugs] [Maniphest] [Updated] T118268: Security Review of Article Placeholder
gerritbot added a project: Patch-For-Review.

To: gerritbot
Cc: gerritbot, Ricordisamoa, csteipp, Lydia_Pintscher, Lucie, Aklapper, hoo, Wikidata-bugs, aude, Mbch331, Legoktm
[Wikidata-bugs] [Maniphest] [Updated] T118268: Security Review of Article Placeholder
csteipp added a comment.

Hi @Lucie, I took a look at this again from commit https://phabricator.wikimedia.org/rEARPc0c5b0c84ef27e91cbcc2791f3f07cdff1dfd74a. Two minor issues that need to be fixed before this gets deployed:

- Line 103: `$this->getOutput()->setPageTitle( $this->msg( 'articleplaceholder-abouttopic' ) )` - This should either be escaped() or parsed, so that a malicious admin can't sneak JavaScript onto the site through the message.
- Line 292: `$this->getOutput()->setPageTitle( $label );` - This looks like an XSS as is, if the entity is something like https://test.wikidata.org/wiki/Q1923

To: Lucie, csteipp
Cc: Ricordisamoa, csteipp, Lydia_Pintscher, Lucie, Aklapper, hoo, Wikidata-bugs, aude, Mbch331, Legoktm
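The two findings above both come down to the same pattern: OutputPage::setPageTitle() treats its argument as HTML, and a Message object passed to it is rendered with text(), so neither an admin-editable interface message nor an entity label fetched from Wikidata should reach it unescaped. The following is an added example written for this thread, not code from the ArticlePlaceholder extension or the reviewed commit; the class name SpecialExampleAboutTopic, the method names and the sample label are assumptions, while the message key `articleplaceholder-abouttopic` is the one named in the review.

```php
<?php
// Added example (not the ArticlePlaceholder extension's own code).
// Shows the flagged setPageTitle() calls as the unsafe pattern and as the
// escaped form. SpecialExampleAboutTopic and setTitleUnsafe/setTitleSafe
// are hypothetical names; the message key is the one from the review.

class SpecialExampleAboutTopic extends SpecialPage {

	public function __construct() {
		parent::__construct( 'ExampleAboutTopic' );
	}

	/**
	 * Unsafe: both values are handed to setPageTitle() as raw HTML.
	 * - The message can be edited on-wiki (MediaWiki:articleplaceholder-abouttopic)
	 *   by an interface admin, and a Message object is rendered with text().
	 * - The label is data from the Wikidata entity, which the site does not control.
	 */
	private function setTitleUnsafe( string $label ): void {
		$out = $this->getOutput();
		$out->setPageTitle( $this->msg( 'articleplaceholder-abouttopic' ) );
		$out->setPageTitle( $label );
	}

	/**
	 * Fixed: escape the message (or parse it, which runs it through the
	 * wikitext sanitizer), and HTML-escape the untrusted label before it
	 * becomes part of the page title.
	 */
	private function setTitleSafe( string $label ): void {
		$out = $this->getOutput();
		$out->setPageTitle( $this->msg( 'articleplaceholder-abouttopic' )->escaped() );
		$out->setPageTitle( htmlspecialchars( $label, ENT_QUOTES ) );
	}

	public function execute( $subPage ) {
		$this->setHeaders();

		// Constructed sample standing in for a label fetched from an entity.
		// With setTitleUnsafe() the <b> element would render as markup in the
		// title; with setTitleSafe() it is shown literally as text.
		$label = 'Example label <b>with markup</b>';

		$this->setTitleSafe( $label );
	}
}
```

The review offers escaped() or parsed as acceptable fixes for the message; escaped() is the right choice when the message is meant to be plain text, and parse() only when it is expected to carry wikitext markup. For the label there is no markup to preserve, so htmlspecialchars() is sufficient.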