https://bugzilla.wikimedia.org/show_bug.cgi?id=19646
--- Comment #6 from Jack D. Pond <[email protected]> 2009-07-12 14:47:23 UTC ---
(In reply to comment #3)
> With $wgImgAuthDetails on, input filenames are being passed into HTML error
> messages without validation or escaping; this is a script injection vuln.
> wfMsgHTML() escapes the text of the message, then replaces in your parameters

Ah, stupid me - disregard previous comment. Would this solve that problem
(wherever used)?

wfForbidden(wfMsgHTML('image_auth-accessdenied'),wfMsgHTML('image_auth-noread',htmlspecialchars($name)));
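A minimal model of the behaviour discussed in this comment, added here as an illustration and not taken from MediaWiki or the bug report. `render_msg_html()` and the message text are hypothetical stand-ins for `wfMsgHTML()` and `image_auth-noread`, and the file name is constructed sample input.

```php
<?php
// Added illustration; render_msg_html() is a hypothetical stand-in, not MediaWiki code.
// It models the behaviour described in the quoted comment: the message text is
// HTML-escaped first, then the parameters are substituted in unchanged.

const MESSAGES = [
    // Constructed sample text, not the real MediaWiki message.
    'image_auth-noread' => 'User does not have access to read "$1".',
];

function render_msg_html(string $key, string ...$params): string
{
    // Step 1: escape the message text itself.
    $html = htmlspecialchars(MESSAGES[$key], ENT_QUOTES, 'UTF-8');

    // Step 2: substitute $1, $2, ... with the parameters exactly as given.
    $map = [];
    foreach ($params as $i => $value) {
        $map['$' . ($i + 1)] = $value; // no escaping here: that is the caller's job
    }
    return $map ? strtr($html, $map) : $html;
}

// Constructed input: a requested file name that contains markup.
$name = '<script>alert(1)</script>.png';

// Parameter passed through raw: the markup reaches the page unescaped.
$unsafe = render_msg_html('image_auth-noread', $name);

// Parameter escaped by the caller, as in the call proposed in the comment.
$safe = render_msg_html(
    'image_auth-noread',
    htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
);

echo "raw parameter:     $unsafe\n";
echo "escaped parameter: $safe\n";

// A simple regression check a reviewer could keep next to the fix.
echo 'raw output contains a script tag:     ',
    var_export(strpos($unsafe, '<script>') !== false, true), "\n";
echo 'escaped output contains a script tag: ',
    var_export(strpos($safe, '<script>') !== false, true), "\n";
```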
