Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: f9eddcaf98287f34656c442729d52b77fe28b714
      
https://github.com/WebKit/WebKit/commit/f9eddcaf98287f34656c442729d52b77fe28b714
  Author: Ling Ho <[email protected]>
  Date:   2026-06-30 (Tue, 30 Jun 2026)

  Changed paths:
    M Websites/bugs.webkit.org/extensions/Commits/Extension.pm

  Log Message:
  -----------
  Stored XSS on bugs.webkit.org in Commits extension; fix guidance (escape 
captured groups; optionally tighten \S+)
https://bugs.webkit.org/show_bug.cgi?id=317709
rdar://180318956

Reviewed by Stephanie Lewis.

Escape matched text in Commits extension link generation

_replace_reference interpolated matched comment text into an <a> tag
without HTML-encoding it. Because bug_format_comment regexes run before
html_quote in Bugzilla::Template::quoteUrls and their return values are
reinserted after escaping, that text reached the page unescaped (core
avoids this by calling html_quote itself).

Fix: run both captured groups through Bugzilla::Util::html_quote before
interpolation (primary fix), and narrow the two \S+ matchers to the
legal commit-identifier charset [A-Za-z0-9._/-]+ as defense in depth.

* Websites/bugs.webkit.org/extensions/Commits/Extension.pm:
(bug_format_comment):
(_replace_reference):

Canonical link: https://commits.webkit.org/316170@main



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications

Reply via email to