Daniel Werner has submitted this change and it was merged.

Change subject: Preventing replacing of templates
......................................................................


Preventing replacing of templates

(bug 48567)

Change-Id: Ib5d4bf053e53cd51359624899e494ac116e6122a
---
M lib/WikibaseLib.php
M repo/includes/actions/ViewEntityAction.php
M repo/tests/selenium/item/security_spec.rb
3 files changed, 24 insertions(+), 2 deletions(-)

Approvals:
  Daniel Werner: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/lib/WikibaseLib.php b/lib/WikibaseLib.php
index 5a9fc13..a629888 100644
--- a/lib/WikibaseLib.php
+++ b/lib/WikibaseLib.php
@@ -161,7 +161,9 @@
                }
 
                $template = new \Wikibase\Template( \Wikibase\TemplateRegistry::singleton(), $key, $params );
-               return $template->text();
+
+               // Use plain() to prevent replacing {{...}}:
+               return $template->plain();
        }
 
        // Resource Loader Modules:
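Review bot: The new comment on the `plain()` call says what is avoided but not why `text()` was a problem, so a reader without the bug context will not see that `$params` can carry user-supplied text such as an entity label. I would phrase it as `// plain() returns the template without wikitext transformation, so a {{...}} sequence inside the substituted $params is emitted literally instead of being expanded as a template.` plain() only skips transformation, not escaping; whether the returned string is escaped before it reaches HTML output is not visible in this hunk and is worth confirming in the callers. The enclosing function begins before this hunk.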
diff --git a/repo/includes/actions/ViewEntityAction.php b/repo/includes/actions/ViewEntityAction.php
index 7482534..902b224 100644
--- a/repo/includes/actions/ViewEntityAction.php
+++ b/repo/includes/actions/ViewEntityAction.php
@@ -226,7 +226,8 @@
                                )
                        );
                } else {
-                       $this->getOutput()->setHTMLTitle( $this->msg( 'pagetitle' )->params( $labelText ) );
+                       // Prevent replacing {{...}} by using rawParams() instead of params():
+                       $this->getOutput()->setHTMLTitle( $this->msg( 'pagetitle' )->rawParams( $labelText ) );
                }
        }
 
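Review bot: `rawParams()` keeps `$labelText` from being transformed when the 'pagetitle' message is rendered, but it also marks the value as raw, so this line now relies on whatever consumes the HTML title to escape it on output; that is not visible in the hunk, so it should be confirmed or stated in the comment. I would write the comment as `// rawParams() substitutes $labelText after message transformation, so a label such as {{...}} is shown literally rather than expanded; escaping of the <title> text is left to the output layer.` The `if` branch above this hunk is outside the diff; if it builds a title from label text through `params()` in the same way, it needs the same treatment. The enclosing method continues outside the hunk.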
diff --git a/repo/tests/selenium/item/security_spec.rb b/repo/tests/selenium/item/security_spec.rb
index 57dc674..1260ee6 100644
--- a/repo/tests/selenium/item/security_spec.rb
+++ b/repo/tests/selenium/item/security_spec.rb
@@ -9,6 +9,7 @@
 require 'spec_helper'
 
 dangerous_text = "<script>$('body').empty();</script>"
+template_text = "{{Template:Foo}}"
 
 describe "Check for security issues" do
   before :all do
@@ -68,6 +69,8 @@
         page.entityLabelSpan.should == dangerous_text
         @browser.refresh
         page.firstHeading?.should be_true
+        # Reset property label to prevent conflicts in repeated test runs:
+        page.change_label(generate_random_string(10))
       end
     end
     it "should check if no JS injection is possible for property descriptions" do
@@ -98,6 +101,22 @@
       end
     end
   end
+  context "Template replacement prevention" do
+    it "should check if templates {{...}} are not replaced" do
+      visit_page(CreateItemPage) do |page|
+        page.create_new_item(generate_random_string(10), generate_random_string(20))
+      end
+      on_page(ItemPage) do |page|
+        page.navigate_to_item
+        page.wait_for_entity_to_load
+        page.change_label(template_text)
+        page.entityLabelSpan.should == template_text
+        @browser.refresh
+        page.entityLabelSpan.should == template_text
+        @browser.title.include?(template_text).should be_true
+      end
+    end
+  end
   after :all do
     # tear down
   end
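Review bot: `@browser.title.include?(template_text).should be_true` at the end of the new context reports only "expected true, got false" when it fails; `@browser.title.should include(template_text)` prints the actual title, which is what you need to see how the label was rendered. The single value `{{Template:Foo}}` names a template page that presumably does not exist; a magic word such as `{{PAGENAME}}` expands without any template page, so checking a second value of that kind would make the regression test stronger. The `plain()` change in lib/WikibaseLib.php is exercised here only if label rendering goes through that template path, which this spec does not show, so it may be worth a direct check. The describe block continues outside the hunk.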

-- 
To view, visit https://gerrit.wikimedia.org/r/72499
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Ib5d4bf053e53cd51359624899e494ac116e6122a
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/Wikibase
Gerrit-Branch: master
Gerrit-Owner: Henning Snater <[email protected]>
Gerrit-Reviewer: Daniel Werner <[email protected]>
Gerrit-Reviewer: jenkins-bot
