Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: f9eddcaf98287f34656c442729d52b77fe28b714
https://github.com/WebKit/WebKit/commit/f9eddcaf98287f34656c442729d52b77fe28b714
Author: Ling Ho <[email protected]>
Date: 2026-06-30 (Tue, 30 Jun 2026)
Changed paths:
M Websites/bugs.webkit.org/extensions/Commits/Extension.pm
Log Message:
-----------
Stored XSS on bugs.webkit.org in Commits extension; fix guidance (escape
captured groups; optionally tighten \S+)
https://bugs.webkit.org/show_bug.cgi?id=317709
rdar://180318956
Reviewed by Stephanie Lewis.
Escape matched text in Commits extension link generation
_replace_reference interpolated matched comment text into an <a> tag
without HTML-encoding it. Because bug_format_comment regexes run before
html_quote in Bugzilla::Template::quoteUrls and their return values are
reinserted after escaping, that text reached the page unescaped (core
avoids this by calling html_quote itself).
Fix: run both captured groups through Bugzilla::Util::html_quote before
interpolation (primary fix), and narrow the two \S+ matchers to the
legal commit-identifier charset [A-Za-z0-9._/-]+ as defense in depth.
* Websites/bugs.webkit.org/extensions/Commits/Extension.pm:
(bug_format_comment):
(_replace_reference):
Canonical link: https://commits.webkit.org/316170@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications