Ricordisamoa added a project: Vuln-XSS.

Ricordisamoa added a comment.

Actually this reveals a serious XSS vulnerability. Even unregistered users could run arbitrary JavaScript code like this <//www.wikidata.org/wiki/?diff=236578780> on behalf of whoever clicked on the gadget's tab, for example triggering edits like this one <//www.wikidata.org/wiki/?diff=236578814>. With 250 characters for each label/description/alias, I guess there would have been plenty of space to make an admin block all of their colleagues.
TASK DETAIL
https://phabricator.wikimedia.org/T106673

EMAIL PREFERENCES
https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: Ricordisamoa
Cc: Ricordisamoa, Aklapper, Sjoerddebruin, Mbch331, Wikidata-bugs, aude, Malyacko, P.Copp
_______________________________________________
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs
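The comment above describes the classic failure mode behind gadget XSS: user-controlled label, description or alias text is concatenated into HTML, so markup submitted by any editor runs in the browser of whoever opens the gadget. The following is an added illustration, not code from the gadget or from Phabricator; the function names, the `<span class="label">` wrapper and the sample label are assumptions constructed for the example. It shows the unsafe concatenation beside an escaped version and a rough check a reviewer can run over rendered output.

```javascript
// Added example (not the gadget's own code): Wikidata label text must be treated
// as data, never as markup, when a gadget builds HTML from it.

// Escape the five characters that can change HTML context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the label is concatenated straight into markup, so any
// tag inside it becomes part of the document.
function renderLabelUnsafe(label) {
  return '<span class="label">' + label + '</span>';
}

// Hardened pattern: every untrusted field is escaped before concatenation.
function renderLabelSafe(label) {
  return '<span class="label">' + escapeHtml(label) + '</span>';
}

// Constructed sample: a label carrying markup, as any editor could submit
// within the 250-character limit mentioned in the report.
const sampleLabel = 'Example <script>alert(1)</script>';

// Review check: strip the known wrapper and look for any tag-like '<' that
// survived inside the text. A hit means the field was not escaped.
function containsRawTag(html) {
  const inner = html.replace(/^<span class="label">|<\/span>$/g, '');
  return /<[a-zA-Z/]/.test(inner);
}

console.log(renderLabelUnsafe(sampleLabel)); // tag survives: XSS
console.log(renderLabelSafe(sampleLabel));   // tag rendered as text
```

In a gadget running on the wiki itself, the equivalent fix is to assign the label with `element.textContent` or jQuery's `.text()` rather than building an HTML string or calling `.html()`; the escaping helper above is only needed where an HTML string is unavoidable.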