https://bugzilla.wikimedia.org/show_bug.cgi?id=19646
--- Comment #5 from Jack D. Pond <jack.p...@psitex.com>  2009-07-12 14:02:51 UTC ---
(In reply to comment #3)
> With $wgImgAuthDetails on, input filenames are being passed into HTML error
> messages without validation or escaping; this is a script injection vuln.
> wfMsgHTML() escapes the text of the message, then replaces in your parameters

Revisiting this one.  I used wfMsgHTML() which has htmlspecialchars() escaping in it.
I may be displaying my ignorance here, but wouldn't that avoid any injection by displaying it as a string versus allowing the injection of HTML links, JavaScript, etc.?

This would actually allow the admin to view what the injection attack was, rather than allow it to proceed.  I'll admit I'm no expert here, so this might be dead wrong.

Would also need to inform hook users to do the same in the hook documentation.
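Added example (not code from this bug, nor MediaWiki's own wfMsgHTML()): a Python model of the ordering comment #3 describes, where the message text is escaped and the parameters are then substituted in raw, beside the variant that escapes each parameter before substitution. The message key, template text and sample filename are constructed for illustration; "$1" mirrors MediaWiki's placeholder syntax.

```python
import html
import re

# Constructed message template standing in for an img_auth.php error
# message shown when $wgImgAuthDetails is on. "$1" is the placeholder
# that receives the (untrusted) filename.
MESSAGES = {
    "img-auth-nofile": "The file $1 does not exist.",
}

def msg_escape_then_substitute(key, *params):
    """Model of the ordering described in comment #3: the message body
    is HTML-escaped first, then parameters are dropped in unescaped.
    Anything markup-like inside a parameter reaches the page as markup."""
    text = html.escape(MESSAGES[key])
    for i, p in enumerate(params, start=1):
        text = text.replace(f"${i}", p)
    return text

def msg_escape_params(key, *params):
    """Safe ordering: escape each parameter before it is substituted, so
    untrusted input is rendered as visible text (the admin still sees
    exactly what was submitted) rather than interpreted by the browser."""
    text = html.escape(MESSAGES[key])
    for i, p in enumerate(params, start=1):
        text = text.replace(f"${i}", html.escape(p))
    return text

# Simple check a reviewer or test suite can run over rendered output:
# does any HTML tag survive in the final string?
TAG_RE = re.compile(r"<[a-zA-Z/][^>]*>")

def contains_markup(rendered):
    return TAG_RE.search(rendered) is not None

if __name__ == "__main__":
    # Constructed filename carrying a harmless tag, used only to show
    # whether the tag survives into the rendered message.
    name = "a.png<i>x</i>"
    print(msg_escape_then_substitute("img-auth-nofile", name))
    print(msg_escape_params("img-auth-nofile", name))
```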
