Reedy has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/391379 )
Change subject: SECURITY: Make anchor for headlines escape > and < ...................................................................... SECURITY: Make anchor for headlines escape > and < As a hardening step against language converter and its crazy regexes. Bug: T125163 Change-Id: Id304010a0342efbb7ef2d56c5b8b244f2e4fb2c5 --- M RELEASE-NOTES-1.27 M includes/Linker.php 2 files changed, 9 insertions(+), 6 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/79/391379/1 diff --git a/RELEASE-NOTES-1.27 b/RELEASE-NOTES-1.27 index 2f7a2e9..1fb2380 100644 --- a/RELEASE-NOTES-1.27 +++ b/RELEASE-NOTES-1.27 @@ -24,6 +24,7 @@ * (T128209) SECURITY: Reflected File Download from api.php. * (T134100) SECURITY: Do not reveal if user exists during login failure. * (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS. +* (T125163) SECURITY: Make anchor for headlines escape > and <. == MediaWiki 1.27.3 == Due to a packaging error, the wrong version of the SyntaxHighlight extension was diff --git a/includes/Linker.php b/includes/Linker.php index 5717fba..70488c5 100644 --- a/includes/Linker.php +++ b/includes/Linker.php @@ -1789,22 +1789,24 @@ * a space and ending with '>' * This *must* be at least '>' for no attribs * @param string $anchor The anchor to give the headline (the bit after the #) - * @param string $html Html for the text of the header + * @param string $html HTML for the text of the header * @param string $link HTML to add for the section edit link - * @param bool|string $legacyAnchor A second, optional anchor to give for + * @param string|bool $fallbackAnchor A second, optional anchor to give for * backward compatibility (false to omit) * * @return string HTML headline */ public static function makeHeadline( $level, $attribs, $anchor, $html, - $link, $legacyAnchor = false + $link, $fallbackAnchor = false ) { + $anchorEscaped = htmlspecialchars( $anchor ); $ret = "<h$level$attribs" - . "<span class=\"mw-headline\" id=\"$anchor\">$html</span>" + . "<span class=\"mw-headline\" id=\"$anchorEscaped\">$html</span>" . $link . "</h$level>"; - if ( $legacyAnchor !== false ) { - $ret = "<div id=\"$legacyAnchor\"></div>$ret"; + if ( $fallbackAnchor !== false && $fallbackAnchor !== $anchor ) { + $fallbackAnchor = htmlspecialchars( $fallbackAnchor ); + $ret = "<div id=\"$fallbackAnchor\"></div>$ret"; } return $ret; } -- To view, visit https://gerrit.wikimedia.org/r/391379 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Id304010a0342efbb7ef2d56c5b8b244f2e4fb2c5 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/core Gerrit-Branch: REL1_27 Gerrit-Owner: Reedy <re...@wikimedia.org> Gerrit-Reviewer: MaxSem <maxsem.w...@gmail.com> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits