https://bugzilla.wikimedia.org/show_bug.cgi?id=61743

--- Comment #4 from Chris Steipp <cste...@wikimedia.org> ---
(In reply to Prateek Saxena from comment #3)
> (In reply to Chris Steipp from comment #2)
> > I'm mostly concerned about the $contentbox portion, since that is generated
> > from user content.
>
> We are using .text() when placing the extract in the Popup[1]. Are there any
> other measures that need to be taken? The other elements are being created
> in jQuery (how the code convention link explains)

No, .text() doesn't stop several attacks. For example:

  $i = $( "<div>asdf<script>alert(1)</script></div>" );
  $o = $( "<div/>" );
  $o.html( $i.text() );

You may be able to sanitize it with mw.html.escape, but I'm not entirely sure
what markup you're trying to pass through.

> > Yes, this part is fine.
>
> Alright!
>
> > Is there a working version of this in labs somewhere that I can test with?
> > Or can you list out what dependencies this has? I'm not able to get it
> > working locally.
>
> There is a test instance[2] where the latest code lives. A couple of people
> have had the same issue and I am not sure what is wrong. I'll talk to Yuvi
> and resolve this.

Are you using the vagrant role (popups) to set it up? As soon as I install it,
ResourceLoader complains that it can't find the class ResourceLoaderSchemaModule.
I'm not sure if that's a typo, or if you're pulling that in from another
extension.

> [1] https://git.wikimedia.org/blob/mediawiki%2Fextensions%2FPopups/2b021ef048aac6bfcbd0c1944bccc9ba2d7db040/resources%2Fext.popups.core.js#L53
> [2] http://chicken.wmflabs.org/wiki/TestNavPopUps
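The point made in the comment above, as an added example that is not code from the bug thread or from the Popups extension: reading an extract with .text() and writing it back with .html() re-parses whatever the text contains, so an entity-encoded tag in the article becomes live markup, while escaping it first (modelled here on mw.html.escape) keeps it inert. textOf() and containsMarkup() are constructed stand-ins for browser behaviour, not jQuery or MediaWiki APIs, so the block runs without a DOM.

```javascript
// Added example, not code from the bug thread or the Popups extension.
// Shows why $o.html( $i.text() ) is not sanitised, and the escaping fix.
// textOf() is a constructed stand-in for what $(html).text() returns in a
// browser (tags dropped, entities decoded); no DOM is needed to run it.
const NAMED = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };

// Stand-in for jQuery .text(): strip tags first, then decode entities,
// which is the order the browser's textContent effectively applies.
function textOf(html) {
  const stripped = html.replace(/<[^>]*>/g, "");
  return stripped.replace(/&(#x?[0-9a-f]+|[a-z]+);/gi, (match, body) => {
    if (body[0] === "#") {
      const hex = body[1].toLowerCase() === "x";
      return String.fromCodePoint(parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10));
    }
    return NAMED[body.toLowerCase()] ?? match;
  });
}

// Escaping modelled on mw.html.escape (assumption: same five characters).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Detection check: would .html() parse this string as containing an element?
function containsMarkup(s) {
  return /<[a-z][^>]*>/i.test(s);
}

// Vulnerable pattern from the thread: the extract's text goes to .html().
function popupHtmlUnsafe(extractHtml) {
  return textOf(extractHtml);
}

// Hardened pattern: escape before the string reaches .html() (or set the
// destination with .text() instead of .html(), which escapes implicitly).
function popupHtmlSafe(extractHtml) {
  return escapeHtml(textOf(extractHtml));
}

// Constructed extract: an article that merely mentions a script tag stores
// it entity-encoded, so it is inert as HTML but live markup once decoded.
const SAMPLE_EXTRACT =
  "<p>Use &lt;script&gt;alert(1)&lt;/script&gt; to embed a script.</p>";

console.log(containsMarkup(popupHtmlUnsafe(SAMPLE_EXTRACT))); // true
console.log(containsMarkup(popupHtmlSafe(SAMPLE_EXTRACT)));   // false
```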
--- Comment #4 from Chris Steipp <cste...@wikimedia.org> --- (In reply to Prateek Saxena from comment #3) > (In reply to Chris Steipp from comment #2) > > I'm mostly concerned about the $contentbox portion, since that is generated > > from user content. > > We are using .text() when placing the extract in the Popup[1]. Are there any > other measures that need to be taken? The other elements are being created > in jQuery (how the code convention link explains) No, .text() doesn't stop several attacks. For example: $i = $( "<div>asdf<script>alert(1)</script></div>" ); $o = $( "<div/>" ); $o.html( $i.text() ); You may be able to santize it with mw.html.escape, but I'm not entirely sure what markup you're trying to pass through. > > Yes, this part is fine. > > Alright! > > > > Is there a working version of this in labs somewhere that I can test with? > > Or can you list out what dependencies this has? I'm not able to get it > > working locally. > > There is a test instance[2] where the latest code lives. A couple of people > have had the same issue and I am not sure what is wrong. I'll talk to Yuvi > and resolve this. Are you using the vagrant role (popups) to set it up? As soon as I install it, ResourceLoader complains that it can't find the class ResourceLoaderSchemaModule. I'm not sure if that's a typo, or if you're pulling that in from another extension. > > [1] > https://git.wikimedia.org/blob/mediawiki%2Fextensions%2FPopups/ > 2b021ef048aac6bfcbd0c1944bccc9ba2d7db040/resources%2Fext.popups.core.js#L53 > [2] http://chicken.wmflabs.org/wiki/TestNavPopUps -- You are receiving this mail because: You are on the CC list for the bug. _______________________________________________ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l