https://bugzilla.wikimedia.org/show_bug.cgi?id=47450

       Web browser: ---
            Bug ID: 47450
           Summary: No proper HTML escaping
           Product: Monuments database
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: major
          Priority: Unprioritized
         Component: API
          Assignee: wikibugs-l@lists.wikimedia.org
          Reporter: maar...@mdammers.nl
                CC: hartman.w...@gmail.com, platoni...@gmail.com
    Classification: Unclassified
   Mobile Platform: ---

Reported by theDJ:

We have a bug with filenames with quotes in them.

file:
http://commons.wikimedia.org/wiki/File:Vakwerkboerderij_%22Menzo%22_-_Zuidgevel_-_RM_15285_01.JPG

api request:
http://toolserver.org/~multichill/monapi/api.php?action=images&imcountry=nl&imid=15285&format=html&props=img_name

Generated html:
<a href="http://commons.wikimedia.org/wiki/File:Vakwerkboerderij_";
menzo"_-_zuidgevel_-_rm_15285_01.jpg"=""><img
src="http://upload.wikimedia.org/wikipedia/commons/thumb/9/98/Vakwerkboerderij_";
menzo"_-_zuidgevel_-_rm_15285_01.jpg=""
100px-vakwerkboerderij_"menzo"_-_zuidgevel_-_rm_15285_01.jpg"=""></a>

Possible injection attack vector.

_______________________________________________
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
