On 6/13/2010 8:22 PM, Tim Starling wrote:
> On 14/06/10 10:40, Vadtec wrote:
> Yes it's safe, as long as there are no unsafe extensions, $wgRawHtml
> is false, and you have the latest version of MediaWiki. Or to put it
> another way, if there was an XSS vulnerability in it, there would be
> one in the ordinary editing interface too.
>
> Note that wikitext markup is allowed, so it's often best to call
> wfEscapeWikiText() on user input that you pass to recursiveTagParse()
> to avoid unintended formatting.
>
> The output of a tag hook is HTML and needs to be escaped. For example
> this:
>
> return "<div class=\"{$args['class']}\">" .
> $parser->recursiveTagParse( $args['text'] ) . "</div>";
>
> is an XSS vulnerability. But this:
>
> return Xml::openElement( 'div', array( 'class' => $args['class'] ) ) .
> $parser->recursiveTagParse( $args['text'] ) . "</div>";
>
> is not.
>
> -- Tim Starling
So I should be OK doing:

return $parser->recursiveTagParse( htmlspecialchars($text) );

Thanks for the info. I figured it wasn't XSS safe, thus I erred on the side of caution.

- Vadtec
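The pattern Tim describes, written out as a complete tag hook. This is an added example, not code from the thread or from MediaWiki: it assumes the APIs the thread names (Parser::setHook, Parser::recursiveTagParse, Xml::openElement, wfEscapeWikiText) plus Xml::closeElement, as they existed in the MediaWiki of that time; the tag name "box" and the ef* function names are my own choices.

```php
<?php
// Added example (not from the thread or from MediaWiki itself): a minimal
// <box class="..." text="...">body</box> tag hook written the way Tim's reply
// recommends. Assumes Parser::setHook, Parser::recursiveTagParse,
// Xml::openElement, Xml::closeElement and wfEscapeWikiText(); the tag name
// "box" and the ef* function names are assumptions.

$wgHooks['ParserFirstCallInit'][] = 'efBoxSetupHook';

function efBoxSetupHook( $parser ) {
	// Register <box> so that efBoxRender() is called for each occurrence.
	$parser->setHook( 'box', 'efBoxRender' );
	return true;
}

/**
 * Render <box class="..." text="...">body</box>.
 *
 * @param string $input  Wikitext between the opening and closing tag
 * @param array  $args   Tag attributes; an editor controls every value here,
 *                       so they are exactly as untrusted as article text
 * @param Parser $parser
 * @return string HTML
 */
function efBoxRender( $input, array $args, $parser ) {
	$class = isset( $args['class'] ) ? $args['class'] : 'box';
	$text  = isset( $args['text'] ) ? $args['text'] : '';

	// 1. Attribute values go through Xml::openElement(), which HTML-escapes
	//    them. Interpolating $args['class'] straight into a string literal,
	//    as in the vulnerable snippet Tim quotes, would let an attribute value
	//    containing a quote break out of the class="..." attribute.
	$html = Xml::openElement( 'div', array( 'class' => $class ) );

	// 2. The "text" attribute is meant to be displayed literally, so escape
	//    wikitext metacharacters before handing it to the parser; this is the
	//    wfEscapeWikiText() step Tim mentions, and it prevents unintended
	//    formatting rather than XSS. The parser's output is sanitised HTML,
	//    so it can be concatenated as-is.
	$html .= $parser->recursiveTagParse( wfEscapeWikiText( $text ) );

	// 3. The tag body is deliberately parsed as wikitext (links, bold, ...).
	//    That is still safe: recursiveTagParse() returns the same sanitised
	//    HTML the ordinary edit interface would produce for that text.
	$html .= $parser->recursiveTagParse( $input );

	// 4. Close the element with the same helper rather than a bare literal,
	//    so opening and closing tags stay paired.
	return $html . Xml::closeElement( 'div' );
}
```

The point to check when reviewing a tag hook is the same one Tim makes: every value that ends up inside an HTML attribute or between tags must either be escaped by a helper such as Xml::openElement()/Html::element() or be parser output (which is already sanitised); string interpolation of $args values into HTML literals is the defect to look for.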
_______________________________________________
MediaWiki-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
