http://www.mediawiki.org/wiki/Special:Code/MediaWiki/56427
Revision: 56427
Author: brion
Date: 2009-09-16 18:27:27 +0000 (Wed, 16 Sep 2009)
Log Message:
-----------
Security fix: escape client-provided $article string when dropping it into JavaScript in an HTML element returned for AJAX results
Modified Paths:
--------------
trunk/extensions/Collection/Collection.php
Modified: trunk/extensions/Collection/Collection.php
===================================================================
--- trunk/extensions/Collection/Collection.php	2009-09-16 18:26:30 UTC (rev 56426)
+++ trunk/extensions/Collection/Collection.php	2009-09-16 18:27:27 UTC (rev 56427)
@@ -278,6 +278,12 @@
 $wgAjaxExportList[] = 'wfAjaxCollectionClear';
+/**
+ * Backend of several following SAJAX function handlers...
+ * @param String $action provided by the specific handlers internally
+ * @param String $article title passed in from client
+ * @return AjaxResponse with JSON-encoded array including HTML fragment.
+ */
 function wfCollectionSuggestAction( $action, $article ) {
 	wfLoadExtensionMessages( 'CollectionCore' );
 	wfLoadExtensionMessages( 'Collection' );
@@ -290,7 +296,8 @@
 		'Book',
 		array('bookcmd' => 'suggest', 'undo' => $action, 'arttitle' => $article )
 		),
-		'onclick' => "collectionSuggestCall('UndoArticle', ['$action', '$article']); return false;",
+		'onclick' => "collectionSuggestCall('UndoArticle'," .
+		Xml::encodeJsVar( array( $action, $article ) ) . "); return false;",
 		'title' => wfMsg( 'coll-suggest_undo_tooltip' ),
 		),
 		wfMsg( 'coll-suggest_undo' )
_______________________________________________ MediaWiki-CVS mailing list MediaWiki-CVS@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-cvs
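Review bot: The new `'onclick'` value is escaped for the JavaScript context only, yet it is placed inside an HTML attribute, so the fix is complete only if the element builder whose argument list this array belongs to HTML-escapes attribute values; that call starts above the second hunk, outside the visible lines. `Xml::encodeJsVar` wraps strings in double quotes, so if the attribute were assembled by plain concatenation rather than through an attribute-escaping builder such as `Xml::element`/`Xml::tags`, the emitted `"` would close the attribute and reintroduce the injection this commit is meant to close. It is also worth checking that the encoder neutralises `<`, `>` and `&` (or that the attribute escaping does), since the fragment is returned as HTML to the client. I would confirm the builder and pin the assumption in a comment: `// JS-escaped here; the enclosing Xml::element call must still HTML-escape the attribute value`.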