https://bugzilla.wikimedia.org/show_bug.cgi?id=39883
Web browser: ---
Bug #: 39883
Summary: Adding base64-encoded HTML to a page's source code allows HTML injection
Product: MediaWiki extensions
Version: unspecified
Platform: All
OS/Version: All
Status: UNCONFIRMED
Severity: major
Priority: Unprioritized
Component: Widgets
AssignedTo: [email protected]
ReportedBy: [email protected]
CC: [email protected], [email protected]
Classification: Unclassified
Mobile Platform: ---
The extension encodes the rendered HTML to base64 to avoid escape problems with
the parser and decodes it after the parser's work is done. But if someone adds
encoded HTML to the page's wikitext, it will be decoded, too. This allows anyone
to inject all kinds of scripts. For example, adding
ENCODED_CONTENT
PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPgphbGVydCgnSGVsbG8sIG15IGZyaWVuZCEnKTsKPC9zY3JpcHQ+
END_ENCODED_CONTENT
to the wikitext will execute the alert() JavaScript function with 'Hello, my
friend!'.
My idea is to add a random number after ENCODED_CONTENT to make the encoded
strings different each time. This could look like this:
ENCODED_CONTENT RAND=123456789
PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPgphbGVydCgnSGVsbG8sIG15IGZyaWVuZCEnKTsKPC9zY3JpcHQ+
END_ENCODED_CONTENT
And only if the correct number is matched by the regular expression, the
encoded string should be decoded.
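
The proposal above, sketched in PHP as an added example (not part of the original report and not the Widgets extension's code). The function names are hypothetical, and the sketch generalizes the report's "random number" to a 128-bit per-parse token compared in constant time.

```php
<?php
// Added example, not the Widgets extension's code; function names are hypothetical.

// One unpredictable token per parse, kept server-side only.
function newParseToken(): string {
    return bin2hex(random_bytes(16));
}

// Wrap extension-rendered HTML so the wikitext parser leaves it alone.
function encodeWidgetOutput(string $html, string $token): string {
    return "ENCODED_CONTENT RAND=$token\n" . base64_encode($html) . "\nEND_ENCODED_CONTENT";
}

// After the parser has run: decode only blocks tagged with this parse's token.
function decodeWidgetOutput(string $text, string $token): string {
    $re = '/ENCODED_CONTENT(?: RAND=([0-9a-f]+))?\n([A-Za-z0-9+\/=]+)\nEND_ENCODED_CONTENT/';
    return preg_replace_callback($re, function (array $m) use ($token): string {
        if ($m[1] !== '' && hash_equals($token, $m[1])) {
            $html = base64_decode($m[2], true);
            if ($html !== false) {
                return $html;
            }
        }
        // Marker typed into wikitext (missing or wrong token): keep it as inert text.
        return htmlspecialchars($m[0], ENT_QUOTES);
    }, $text);
}

// Constructed sample page: one block from the extension, two typed by an editor.
$token = newParseToken();
$page = implode("\n", [
    encodeWidgetOutput('<span class="widget">rendered by extension</span>', $token),
    "ENCODED_CONTENT RAND=123456789\n" . base64_encode('<b>typed by editor</b>') . "\nEND_ENCODED_CONTENT",
    "ENCODED_CONTENT\n" . base64_encode('<b>typed by editor</b>') . "\nEND_ENCODED_CONTENT",
]);

echo decodeWidgetOutput($page, $token), "\n";
```

Only the first block is turned back into HTML; the two editor-typed markers come out as plain text. The token has to be unguessable and must never appear in anything an editor can read back before decoding, otherwise the check can be satisfied from wikitext.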