jenkins-bot has submitted this change and it was merged.
Change subject: renderer.article: Ignore thumnail if the URL has suspicious
characters
......................................................................
renderer.article: Ignore thumnail if the URL has suspicious characters
If the URL of the thumbnail contains suspicious characters such as ', " or \,
return a <span> instead of trying to render a thumbnail.
Bug: T88171
Change-Id: Ide052ea2a7de166599d077a385a6e788bfa63302
---
M resources/ext.popups.renderer.article.js
1 file changed, 9 insertions(+), 2 deletions(-)
Approvals:
CSteipp: Looks good to me, but someone else must approve
Werdna: Looks good to me, approved
jenkins-bot: Verified
diff --git a/resources/ext.popups.renderer.article.js
b/resources/ext.popups.renderer.article.js
index 728606b..0204577 100644
--- a/resources/ext.popups.renderer.article.js
+++ b/resources/ext.popups.renderer.article.js
@@ -249,11 +249,18 @@
var svg = mw.popups.supportsSVG;
if (
- !thumbnail || // No thumbnail
+ // No thumbnail
+ !thumbnail ||
// Image too small for landscape display
( !tall && thumbnail.width <
article.SIZES.landscapeImage.w ) ||
// Image too small for protrait display
- ( tall && thumbnail.height <
article.SIZES.portraitImage.h )
+ ( tall && thumbnail.height <
article.SIZES.portraitImage.h ) ||
+ // These characters in URL that could inject CSS and
thus JS
+ (
+ thumbnail.source.indexOf( '\\' ) > -1 ||
+ thumbnail.source.indexOf( '\'' ) > -1 ||
+ thumbnail.source.indexOf( '\"' ) > -1
+ )
) {
return $( '<span>' );
}
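Review bot: The new `thumbnail.source.indexOf( ... )` checks are a three-character denylist, and whether that is enough depends on how the URL is later interpolated into CSS, which happens outside this hunk. If the value ever lands in an unquoted `url()` or in an attribute, characters such as `)` or whitespace would presumably matter too, so the comment should state the assumption, for example `// thumbnail.source is later placed in a quoted CSS url(); reject characters that could terminate or escape that string`. The three calls also read more clearly as one test, `/[\\'"]/.test( thumbnail.source )`, and a guard such as `typeof thumbnail.source !== 'string' ||` in front of it would avoid a TypeError if a thumbnail object arrives without `source` (not verifiable from here). Rejected URLs fall through to an empty `<span>` with no log line, so a blocked thumbnail cannot be told apart from a missing one when investigating.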
--
To view, visit https://gerrit.wikimedia.org/r/199211
Gerrit-MessageType: merged
Gerrit-Change-Id: Ide052ea2a7de166599d077a385a6e788bfa63302
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/Popups
Gerrit-Branch: master
Gerrit-Owner: Prtksxna <[email protected]>
Gerrit-Reviewer: CSteipp <[email protected]>
Gerrit-Reviewer: Prtksxna <[email protected]>
Gerrit-Reviewer: Werdna <[email protected]>
Gerrit-Reviewer: jenkins-bot <>