https://bugzilla.wikimedia.org/show_bug.cgi?id=47450
    Web browser: ---
         Bug ID: 47450
        Summary: No proper HTML escaping
        Product: Monuments database
        Version: unspecified
       Hardware: All
             OS: All
         Status: NEW
       Severity: major
       Priority: Unprioritized
      Component: API
       Assignee: wikibugs-l@lists.wikimedia.org
       Reporter: maar...@mdammers.nl
             CC: hartman.w...@gmail.com, platoni...@gmail.com
 Classification: Unclassified
Mobile Platform: ---

Reported by theDJ:

We have a bug with filenames with quotes in them.

file:
http://commons.wikimedia.org/wiki/File:Vakwerkboerderij_%22Menzo%22_-_Zuidgevel_-_RM_15285_01.JPG

api request:
http://toolserver.org/~multichill/monapi/api.php?action=images&imcountry=nl&imid=15285&format=html&props=img_name

Generated html:
<a href="http://commons.wikimedia.org/wiki/File:Vakwerkboerderij_" menzo"_-_zuidgevel_-_rm_15285_01.jpg"=""><img src="http://upload.wikimedia.org/wikipedia/commons/thumb/9/98/Vakwerkboerderij_" menzo"_-_zuidgevel_-_rm_15285_01.jpg="" 100px-vakwerkboerderij_"menzo"_-_zuidgevel_-_rm_15285_01.jpg"=""></a>

Possible injection attack vector.
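
The escaping the report asks for, as an added PHP example; it is not the Monuments API source, and the function and constant names are hypothetical. The thumbnail path assumes MediaWiki's hashed upload layout (md5 prefix of the file name).

```php
<?php
// Added example, not the Monuments API code. All names here are hypothetical.
declare(strict_types=1);

const COMMONS = 'http://commons.wikimedia.org/wiki/File:';
const THUMBS  = 'http://upload.wikimedia.org/wikipedia/commons/thumb/';

// HTML attribute context: &, <, > and both quote characters become entities.
function attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Build the link + thumbnail markup for one image name.
// $escape = false reproduces the reported behaviour: the raw name is
// concatenated into href/src, so a double quote closes the attribute early
// and the remainder is parsed as extra attributes.
// $escape = true applies two layers, in this order:
//   1. rawurlencode() on the name, because it is a URL path segment
//   2. htmlspecialchars() on the finished URL, because it sits in an attribute
function renderImage(string $name, bool $escape, int $width = 100): string
{
    $hash = md5($name); // assumption: MediaWiki hashed upload directories
    $part = $escape ? rawurlencode($name) : $name;

    $page  = COMMONS . $part;
    $thumb = THUMBS . $hash[0] . '/' . substr($hash, 0, 2)
           . '/' . $part . '/' . $width . 'px-' . $part;

    if ($escape) {
        $page  = attr($page);
        $thumb = attr($thumb);
    }
    return '<a href="' . $page . '"><img src="' . $thumb . '"></a>';
}

// img_name taken from the file URL in the report (%22 decoded to ").
$name = 'Vakwerkboerderij_"Menzo"_-_Zuidgevel_-_RM_15285_01.JPG';

echo "unescaped: ", renderImage($name, false), "\n";
echo "escaped:   ", renderImage($name, true), "\n";
```

Any other `props` field that `format=html` prints as element text needs the same `attr()` call.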