--- Comment #4 from Chris Steipp <> ---
(In reply to Prateek Saxena from comment #3)
> (In reply to Chris Steipp from comment #2)
> > I'm mostly concerned about the $contentbox portion, since that is generated 
> > from user content.
> We are using .text() when placing the extract in the Popup[1]. Are there any
> other measures that need to be taken? The other elements are being created
> in jQuery (how the code convention link explains)

No, .text() doesn't stop several attacks. For example:
$i = $( "<div>asdf&lt;script&gt;alert(1)&lt;/script&gt</div>" );
$o = $( "<div/>" );
$o.html( $i.text() );

You may be able to santize it with mw.html.escape, but I'm not entirely sure
what markup you're trying to pass through.

> > Yes, this part is fine.
> Alright!
> > Is there a working version of this in labs somewhere that I can test with?
> > Or can you list out what dependencies this has? I'm not able to get it
> > working locally.
> There is a test instance[2] where the latest code lives. A couple of people
> have had the same issue and I am not sure what is wrong. I'll talk to Yuvi
> and resolve this. Are you using the vagrant role (popups) to set it up?

As soon as I install it, ResourceLoader complains that it can't find the class
ResourceLoaderSchemaModule. I'm not sure if that's a typo, or if you're pulling
that in from another extension.

> [1]
> 2b021ef048aac6bfcbd0c1944bccc9ba2d7db040/resources%2Fext.popups.core.js#L53
> [2]

You are receiving this mail because:
You are on the CC list for the bug.
Wikibugs-l mailing list

Reply via email to