Reedy has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/391379 )

Change subject: SECURITY: Make anchor for headlines escape > and <
......................................................................

SECURITY: Make anchor for headlines escape > and <

As a hardening step against language converter and its crazy regexes.

Bug: T125163
Change-Id: Id304010a0342efbb7ef2d56c5b8b244f2e4fb2c5
---
M RELEASE-NOTES-1.27
M includes/Linker.php
2 files changed, 9 insertions(+), 6 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/79/391379/1

diff --git a/RELEASE-NOTES-1.27 b/RELEASE-NOTES-1.27
index 2f7a2e9..1fb2380 100644
--- a/RELEASE-NOTES-1.27
+++ b/RELEASE-NOTES-1.27
@@ -24,6 +24,7 @@
 * (T128209) SECURITY: Reflected File Download from api.php.
 * (T134100) SECURITY: Do not reveal if user exists during login failure.
 * (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS.
+* (T125163) SECURITY: Make anchor for headlines escape > and <.
 
 == MediaWiki 1.27.3 ==
 Due to a packaging error, the wrong version of the SyntaxHighlight extension 
was
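Review bot: The added release-note line says only > and < are escaped, but the includes/Linker.php change in this same patch passes the anchor through htmlspecialchars(), which also encodes & and double quotes. Consider wording the entry as HTML-escaping the headline anchor so the note matches what the code does.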
diff --git a/includes/Linker.php b/includes/Linker.php
index 5717fba..70488c5 100644
--- a/includes/Linker.php
+++ b/includes/Linker.php
@@ -1789,22 +1789,24 @@
         *   a space and ending with '>'
         *   This *must* be at least '>' for no attribs
         * @param string $anchor The anchor to give the headline (the bit after 
the #)
-        * @param string $html Html for the text of the header
+        * @param string $html HTML for the text of the header
         * @param string $link HTML to add for the section edit link
-        * @param bool|string $legacyAnchor A second, optional anchor to give 
for
+        * @param string|bool $fallbackAnchor A second, optional anchor to give 
for
         *   backward compatibility (false to omit)
         *
         * @return string HTML headline
         */
        public static function makeHeadline( $level, $attribs, $anchor, $html,
-               $link, $legacyAnchor = false
+               $link, $fallbackAnchor = false
        ) {
+               $anchorEscaped = htmlspecialchars( $anchor );
                $ret = "<h$level$attribs"
-                       . "<span class=\"mw-headline\" 
id=\"$anchor\">$html</span>"
+                       . "<span class=\"mw-headline\" 
id=\"$anchorEscaped\">$html</span>"
                        . $link
                        . "</h$level>";
-               if ( $legacyAnchor !== false ) {
-                       $ret = "<div id=\"$legacyAnchor\"></div>$ret";
+               if ( $fallbackAnchor !== false && $fallbackAnchor !== $anchor ) 
{
+                       $fallbackAnchor = htmlspecialchars( $fallbackAnchor );
+                       $ret = "<div id=\"$fallbackAnchor\"></div>$ret";
                }
                return $ret;
        }
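Review bot: The docblock for makeHeadline() does not say whether $anchor and $fallbackAnchor are expected as raw text or as already HTML-escaped strings, and with htmlspecialchars() now applied to both inside the function, a caller that passes a pre-escaped value would get a double-encoded id. Please state in both @param lines that the values must be unescaped, and check the callers on this branch against that. Separately, the new `$fallbackAnchor !== $anchor` condition changes output (the fallback div is dropped when the two ids are identical) and is not mentioned in the commit message or the release note. The $legacyAnchor to $fallbackAnchor rename is unrelated to the escaping fix and could be left out of a change on REL1_27 to keep the security diff minimal. For consistency with $anchorEscaped, consider a separate variable for the escaped fallback rather than overwriting the parameter.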

-- 
To view, visit https://gerrit.wikimedia.org/r/391379
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Id304010a0342efbb7ef2d56c5b8b244f2e4fb2c5
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: REL1_27
Gerrit-Owner: Reedy <re...@wikimedia.org>
Gerrit-Reviewer: MaxSem <maxsem.w...@gmail.com>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
