Bawolff added a comment.

Possible fix:

diff --git a/lib/includes/Formatters/AutoCommentFormatter.php b/lib/includes/Formatters/AutoCommentFormatter.php
index 0c77d8762..b57ab5580 100644
--- a/lib/includes/Formatters/AutoCommentFormatter.php
+++ b/lib/includes/Formatters/AutoCommentFormatter.php
@@ -100,7 +100,7 @@ public function formatAutoComment( $auto ) {
 		}
 
 		// render the autocomment
-		$auto = $msg->params( $args )->parse();
+		$auto = $msg->plaintextParams( $args )->parse();
 		return $auto;
 	}
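Review bot: the switch from `$msg->params( $args )` to `$msg->plaintextParams( $args )` escapes every parameter unconditionally, so any caller that deliberately puts wikitext in an autocomment parameter would now see it rendered literally; before merging, check the callers that build these summaries for parameters that rely on wikitext interpretation, or confirm that none exist. The line comment `// render the autocomment` should also say that the parameters are escaped as plain text, since that is now the security-relevant behaviour of this block and the reason for the change.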

But I have no idea if this breaks something else – it’s possible that some of the message parameters should be interpreted as Wikitext. (As far as I can tell, AutoCommentFormatter itself has no idea what the parameters mean – it just extracts the partial message key and the parameters from the edit summary and combines them. So it’s also possible that the escaping should happen before writing the username to the edit summary.)

@Bawolff if you think this is unlikely to be an XSS, perhaps you can make the task public and let the rest of the Wikidata team have a look? (I agree, FWIW, I just thought “better safe than sorry”.)

Made public.

Your proposed patch looks like it would fix the issue.


TASK DETAIL
https://phabricator.wikimedia.org/T182800
