http://www.mediawiki.org/wiki/Special:Code/MediaWiki/90649
Revision: 90649
Author: neilk
Date: 2011-06-23 06:19:03 +0000 (Thu, 23 Jun 2011)
Log Message:
-----------
encode periods in API arguments. There are now countermeasures in MediaWiki to
possible XSS exploits that reject unencoded periods in the query args, so avoid
triggering that.
Modified Paths:
--------------
trunk/extensions/UploadWizard/resources/mw.Api.js
Modified: trunk/extensions/UploadWizard/resources/mw.Api.js
===================================================================
--- trunk/extensions/UploadWizard/resources/mw.Api.js 2011-06-23 06:12:34 UTC
(rev 90648)
+++ trunk/extensions/UploadWizard/resources/mw.Api.js 2011-06-23 06:19:03 UTC
(rev 90649)
@@ -122,7 +122,11 @@
ajax: function( parameters, ajaxOptions ) {
parameters = $j.extend( {}, this.defaults.parameters,
parameters );
ajaxOptions = $j.extend( {}, this.defaults.ajax,
ajaxOptions );
- ajaxOptions.data = parameters;
+
+ // Some deployed MediaWiki >= 1.17 forbid periods in
URLs, due to an IE XSS bug
+ // So let's escape them here. See bug #28235
+ // This works because jQuery accepts data as a query
string or as an Object
+ ajaxOptions.data = $j.param( parameters ).replace(
/\./g, '%2E' );
ajaxOptions.error = function( xhr, textStatus,
exception ) {
ajaxOptions.err( 'http', { xhr: xhr,
textStatus: textStatus, exception: exception } );
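Review bot: In the added `ajaxOptions.data = $j.param( parameters ).replace( /\./g, '%2E' );` line, serialization now happens here rather than inside jQuery's ajax call, so a `traditional` setting coming from `this.defaults.ajax` or the caller's `ajaxOptions` is no longer applied to array-valued parameters; consider `$j.param( parameters, ajaxOptions.traditional )`. The comment could also state that the replace has to run on the already serialized string (pre-escaping values in the object would get the `%` encoded again, giving `%252E`), and that `ajaxOptions.data` is a string from this point on, so later code in this function cannot treat it as an object.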
_______________________________________________
MediaWiki-CVS mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-cvs