| Bawolff added a comment. |
In T182800#3834874, @Lucas_Werkmeister_WMDE wrote:Possible fix:
diff --git a/lib/includes/Formatters/AutoCommentFormatter.php b/lib/includes/Formatters/AutoCommentFormatter.php index 0c77d8762..b57ab5580 100644 --- a/lib/includes/Formatters/AutoCommentFormatter.php +++ b/lib/includes/Formatters/AutoCommentFormatter.php @@ -100,7 +100,7 @@ public function formatAutoComment( $auto ) { } // render the autocomment - $auto = $msg->params( $args )->parse(); + $auto = $msg->plaintextParams( $args )->parse(); return $auto; }But I have no idea if this breaks something else – it’s possible that some of the message parameters should be interpreted as Wikitext. (As far as I can tell, AutoCommentFormatter itself has no idea what the parameters mean – it just extracts the partial message key and the parameters from the edit summary and combines them. So it’s also possible that the escaping should happen before writing the username to the edit summary.)
@Bawolff if you think this is unlikely to be an XSS, perhaps you can make the task public and let the rest of the Wikidata team have a look? (I agree, FWIW, I just thought “better safe than sorry”.)
Made public.
Your proposed patch looks like it would fix the issue.
TASK DETAIL
EMAIL PREFERENCES
To: Bawolff
Cc: Bawolff, Lucas_Werkmeister_WMDE, Aklapper, Lahi, Gq86, GoranSMilovanovic, QZanden, HJiang-WMF, dpatrick, Luke081515, Wikidata-bugs, aude, GWicke, Stype_and_Co.-WMF, Jalexander, Parent5446, Anomie, Grunny, MaxSem, csteipp, Mbch331, Jay8g, Legoktm
Cc: Bawolff, Lucas_Werkmeister_WMDE, Aklapper, Lahi, Gq86, GoranSMilovanovic, QZanden, HJiang-WMF, dpatrick, Luke081515, Wikidata-bugs, aude, GWicke, Stype_and_Co.-WMF, Jalexander, Parent5446, Anomie, Grunny, MaxSem, csteipp, Mbch331, Jay8g, Legoktm
_______________________________________________ Wikidata-bugs mailing list Wikidata-bugs@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs
