User "Pgehres (WMF)" posted a comment on MediaWiki.r99802.

Full URL: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/99802#c25215
Commit summary:

Initial commit of Extension:FundraiserLandingPage

Comment:

Special pages are uncached by default.

Normally, only people with user accounts can edit template parameters.
The extension makes it so that template parameters can come from URLs,
so anyone who can write a URL can edit template parameters. This could
lead to an XSS vulnerability if the template is constructed in a
particular way. For example, if you had:

<a href="{{{target}}}">Click here</a>

Then a URL with a target parameter could cause arbitrary JavaScript to
be executed when the link is clicked, using a target starting with
"javascript:". The escaping that the extension does doesn't help in
this particular context. If a logged-in user can be tricked into
clicking such a link, their user account could be compromised by the
attacker who constructed the URL.

-- Tim Starling

_______________________________________________
MediaWiki-CodeReview mailing list
mediawiki-coderev...@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-codereview
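The review above makes two points: a template parameter substituted into an href attribute is a URL context, and HTML escaping alone does not neutralize a `javascript:` value there. The following is an added example, not code from the extension or from the reviewer, showing the distinction in plain PHP: `htmlspecialchars()` stops the value from breaking out of the attribute, while a separate scheme allow-list decides whether the value may be used as a link target at all. The function names `isSafeHrefTarget` and `renderLink`, and the sample parameters, are constructed for illustration.

```php
<?php
// Added example (not part of Extension:FundraiserLandingPage): a scheme
// allow-list for a URL-sourced template parameter that ends up in href.

/**
 * Returns true if $url may be placed in an href attribute: http, https,
 * a protocol-relative URL (//host/...) or a relative path. Any other
 * scheme (javascript:, data:, vbscript:, ...) is rejected.
 */
function isSafeHrefTarget(string $url): bool {
    // Browsers ignore ASCII control characters and whitespace while
    // parsing the scheme, so strip them first; otherwise "java\tscript:"
    // would pass a naive prefix check and still execute in the browser.
    $normalized = preg_replace('/[\x00-\x20\x7f]/', '', $url);

    // No scheme at all (relative or protocol-relative URL): allowed.
    if (!preg_match('/^([a-zA-Z][a-zA-Z0-9+.\-]*):/', $normalized, $m)) {
        return true;
    }
    return in_array(strtolower($m[1]), ['http', 'https'], true);
}

/**
 * Renders the template from the review with a URL-sourced parameter set.
 * The scheme check decides whether the value is used; the HTML escaping
 * keeps whatever is emitted inside the attribute. Both are needed.
 */
function renderLink(array $params): string {
    $target = $params['target'] ?? '';
    if (!isSafeHrefTarget($target)) {
        // Refuse the value rather than trying to "clean" it; a neutral
        // fragment link keeps the page layout intact.
        $target = '#';
    }
    return '<a href="' . htmlspecialchars($target, ENT_QUOTES) . '">Click here</a>';
}

// Constructed sample inputs, as they would arrive from query parameters.
$cases = [
    'https://donate.example.org/',          // allowed
    '//donate.example.org/thanks',           // protocol-relative, allowed
    'javascript:alert(document.cookie)',     // rejected
    "java\tscript:alert(1)",                 // rejected after normalization
    'JAVASCRIPT:alert(1)',                   // rejected, case-insensitive
    'data:text/html,<script>alert(1)</script>', // rejected
];
foreach ($cases as $url) {
    echo (isSafeHrefTarget($url) ? 'allow  ' : 'reject ') . $url . "\n";
    echo '  ' . renderLink(['target' => $url]) . "\n";
}
```

Note the division of labour: `htmlspecialchars()` turns an `&` into `&amp;`, so an entity-encoded scheme such as `javascript&#58;` is never decoded by the browser into a working `javascript:` URL, and the scheme check handles the plain form; neither alone is sufficient in this context. MediaWiki already maintains a protocol allow-list for external links in the `$wgUrlProtocols` setting, so an extension that accepts link targets from the URL should validate against that list before the value reaches a template.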