Most of the time we assume that writing code like:
  wfMessage( 'foo' )->params( $this->getRequest()->getVal( 'bar' ) )->parse();

is totally safe. However, in a wiki with $wgRawHTML = true; this code
would be an XSS. I've looked through core and couldn't find any
examples of using unsanitized URL parameters as a message parameter in
a parsed message; however, it seems to me like this sort of thing is an
accident waiting to happen.

I would like to propose that $wgRawHTML only apply to actual pages.
The <html> parser tag should not be active in wfMessage() or other
parser contexts. I don't think this would break anything, but I'd like
feedback on whether anyone can think of anything this could break.

For more information see https://phabricator.wikimedia.org/T156184 .
Please post any feedback about this idea on that bug.
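The following is an added toy model of the two behaviours discussed in the post (current: the <html> tag is honoured wherever $wgRawHTML is on; proposed: honoured only when parsing an actual page). It is not MediaWiki code and does not use the real parser; it only reproduces the ordering that matters for the bug, namely that message parameters are substituted into the message text before the wikitext is parsed, so a tag arriving in a URL parameter is parsed too. The message key, template text, "message"/"page" context names, the `message_safe` switch and the payload are all constructed for the example.

```python
import html
import re

# Constructed toy model, not MediaWiki code. The only wikitext construct it
# understands is the <html>...</html> extension tag that $wgRawHTML enables.
HTML_TAG_RE = re.compile(r"<html>(.*?)</html>", re.IGNORECASE | re.DOTALL)

# Constructed attacker input, standing in for $this->getRequest()->getVal('bar').
PAYLOAD = "<html><script>alert(document.cookie)</script></html>"

# Constructed message text, standing in for the 'foo' message in the post.
MESSAGE_TEMPLATE = "You searched for $1."


def html_tag_active(raw_html: bool, context: str, message_safe: bool) -> bool:
    """Decide whether the <html> tag is honoured for this parse.

    raw_html     models $wgRawHTML.
    context      is "page" for a real page render or "message" for
                 wfMessage()->parse() and similar parser contexts.
    message_safe False models current behaviour (active everywhere when
                 $wgRawHTML is on); True models the proposal (active only
                 for actual pages).
    """
    if not raw_html:
        return False
    if message_safe:
        return context == "page"
    return True


def parse(wikitext: str, *, allow_raw: bool) -> str:
    """Toy parse: pass <html> bodies through verbatim only when allowed,
    otherwise treat the whole tag as literal text and escape it. Everything
    outside the tag is escaped, a crude stand-in for the sanitizer."""
    out = []
    pos = 0
    for m in HTML_TAG_RE.finditer(wikitext):
        out.append(html.escape(wikitext[pos:m.start()]))
        out.append(m.group(1) if allow_raw else html.escape(m.group(0)))
        pos = m.end()
    out.append(html.escape(wikitext[pos:]))
    return "".join(out)


def render_message(template: str, params: list, *, raw_html: bool,
                   message_safe: bool) -> str:
    """Mimic wfMessage(key)->params(...)->parse(): substitute $1, $2, ...
    into the message text first, then run the parser over the result."""
    text = template
    for i, value in enumerate(params, start=1):
        text = text.replace("$%d" % i, value)
    allowed = html_tag_active(raw_html, "message", message_safe)
    return parse(text, allow_raw=allowed)


if __name__ == "__main__":
    # Current behaviour with $wgRawHTML on: the script tag survives.
    print(render_message(MESSAGE_TEMPLATE, [PAYLOAD],
                         raw_html=True, message_safe=False))
    # Proposed behaviour: same input, tag treated as literal text.
    print(render_message(MESSAGE_TEMPLATE, [PAYLOAD],
                         raw_html=True, message_safe=True))
    # Proposal leaves raw HTML on actual pages untouched.
    print(parse("<html><b>bold</b></html>",
                allow_raw=html_tag_active(True, "page", True)))
```

The point the model makes concrete is that `render_message` never sees the difference between text an admin wrote into the message and text that arrived in the request: by the time the parser runs, both are one string. Restricting where the tag is active is therefore a property of the parse context, not of the message, which is why the proposal is phrased in terms of wfMessage() rather than individual messages.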

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l