On Mon, Jan 16, 2012 at 7:22 PM, Jeroen De Dauw <jeroended...@gmail.com> wrote:
Do we trust that messages do not have evil (XSS) stuff in them?

MediaWiki will sanitize tags it does not recognize. Unless you find a flaw in the sanitizer, you can't put a working <script> in a message string.


On 1/22/12 10:26 PM, Roan Kattouw wrote:
jQueryMsg doesn't really do this very well just yet, that's an issue
with jQueryMsg.

It already does escaping, it just trusts jQuery to do it. So a string that doesn't "look" like HTML is already escaped just fine. But if it does look like HTML, for convenience's sake, it gets turned into jQuery.

Since it's a frontend library, we have a lot less to worry about. The one case I see is when we have non-sanitized, user-contributed data, that we got from the server, used in HTML parameters. Like, someone saying their first name is '<script src="evil.js"></script>'.

The whole point of the library is to allow you to pass in jQuery objects into a message. But, we could make that safer:

1 - Right now, the library allows you to pass HTML in a string, as a convenience. We could instead make it that all strings are assumed to be Just Strings, and escape them on the way in. So you couldn't use '<b>foo</b>' as a parameter, you'd have to declare your intention that it should be HTML by passing a real jQuery object. This may break old code in a few places, but not many.

2 - We could ensure that the message library never emits scripts, by applying a simple jQuery filter to the final result.

--
Neil Kandalgaonkar     <ne...@wikimedia.org>

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
