https://bugzilla.wikimedia.org/show_bug.cgi?id=32160
Web browser: ---
Bug #: 32160
Summary: MobileFrontend search suggestions formatting looks like it's full of XSS/HTML injection vectors
Product: MediaWiki extensions
Version: any
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: Unprioritized
Component: MobileFrontend
AssignedTo: [email protected]
ReportedBy: [email protected]
CC: [email protected], [email protected]
Classification: Unclassified
This seems rather frightening...
html = html + "<div class=\"suggestions-result\" rel=\"" + rel +
    "\" title=\"" + section.label + "\"><a class=\"sq-val-update\" " +
    "href=\"javascript:sqValUpdate('" + section.label + "');\">+</a><a " +
    "class=\"search-result-item\" href='" + section.value + "'>" + section.label +
    "</a></div>";
There's no HTML escaping on strings being placed into HTML output, nor any
JavaScript escaping of strings being placed into JavaScript source code (which
itself is being placed in HTML output).
Page titles can contain ", ', and things like onclick="blah blah" so you really
need to be escaping your output before little bobby tables comes to play...
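A hardened version of the quoted rendering, added here as an example and not MobileFrontend's own code. It assumes the same inputs the snippet uses (a `section` object with `label` and `value`, plus `rel`) and a page-side `sqValUpdate` function. Every string is HTML-escaped before it lands in markup, the `href` is restricted to relative paths and http(s) URLs, and the `+` control carries the label in a `data-` attribute read back by a delegated click handler, so no title is ever interpolated into JavaScript source at all.

```javascript
// Added example, not MobileFrontend's code. Assumed inputs: section.label,
// section.value, rel (as in the report's snippet) and a page-side sqValUpdate().

// Escape the characters that matter in HTML text and double-quoted attribute
// values. Ampersand goes first so the entities produced later are not re-escaped.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Only same-origin paths ("/wiki/Foo") and http(s) URLs are allowed in href;
// anything else (javascript:, data:, protocol-relative "//host") is neutralised.
function safeHref(value) {
  var s = String(value).trim();
  if (/^\/(?!\/)/.test(s) || /^https?:\/\//i.test(s)) {
    return s;
  }
  return '#';
}

// Build one suggestion row. The label is escaped once and reused for the
// title attribute, the data attribute and the visible link text; the "+"
// control no longer uses a javascript: URL, so the label never reaches JS source.
function renderSuggestion(section, rel) {
  var label = escapeHtml(section.label);
  var href = escapeHtml(safeHref(section.value));
  return '<div class="suggestions-result" rel="' + escapeHtml(rel) + '" title="' + label + '">' +
    '<a class="sq-val-update" href="#" data-label="' + label + '">+</a>' +
    '<a class="search-result-item" href="' + href + '">' + label + '</a>' +
    '</div>';
}

// Wire the "+" control with a single delegated listener. The browser decodes
// the attribute entities, so dataset.label is the original, unescaped title,
// handed to sqValUpdate as a plain string argument rather than via eval'd source.
function attachUpdateHandler(container, sqValUpdate) {
  container.addEventListener('click', function (ev) {
    var target = ev.target.closest('.sq-val-update');
    if (!target) { return; }
    ev.preventDefault();
    sqValUpdate(target.dataset.label);
  });
}

// Constructed sample input: a page title shaped like the ones the report warns about.
var sampleSection = { label: 'a" onclick="x()', value: '/wiki/A' };
var sampleHtml = renderSuggestion(sampleSection, '0');
```

In a page, `attachUpdateHandler(document.getElementById('results'), sqValUpdate)` is called once after the container exists; `renderSuggestion` output can then be assigned to its `innerHTML` without the title ever being parsed as markup or script.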
_______________________________________________
Wikibugs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l