https://bugzilla.wikimedia.org/show_bug.cgi?id=61743

--- Comment #5 from Chris Steipp <cste...@wikimedia.org> ---
(In reply to Chris Steipp from comment #4)
> > We are using .text() when placing the extract in the Popup[1]. Are there any
> > other measures that need to be taken? The other elements are being created
> > in jQuery (how the code convention link explains)
> 
> No, .text() doesn't stop several attacks. For example:
> $i = $( "<div>asdf&lt;script&gt;alert(1)&lt;/script&gt;</div>" );
> $o = $( "<div/>" );
> $o.html( $i.text() );
> 
> You may be able to sanitize it with mw.html.escape, but I'm not entirely sure
> what markup you're trying to pass through.

Sorry, I should have looked at your reference first. Yeah, setting the text
like that should work for that case. I'm digging through the TextExtracts
section to make sure it can't return anything else dangerous.

_______________________________________________
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
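The point of the quoted snippet is that `.text()` decodes character references, so feeding its result back into `.html()` parses the extract as markup a second time. The following is an added, self-contained model of that round trip (it is not code from the bug thread, jQuery or MediaWiki): `textOf` stands in for jQuery's `.text()` on a parsed element and `escapeHtml` stands in for `mw.html.escape`, both reduced to the five basic character references and assumed to behave as the real calls do for this input. `SAMPLE` is the constructed extract from the thread.

```javascript
// Added example: why $o.html( $i.text() ) reintroduces markup, and why
// escaping first (mw.html.escape) or using $o.text( ... ) does not.
// textOf and escapeHtml are assumptions modelling jQuery .text() and
// mw.html.escape for the five basic character references only.

const DECODE = {
  '&lt;': '<', '&gt;': '>', '&quot;': '"',
  '&#039;': "'", '&#39;': "'", '&amp;': '&',
};

// Models .text() on an element built from a markup string: the browser
// drops the tags and decodes character references into plain characters.
function textOf(markup) {
  const withoutTags = markup.replace(/<[^>]*>/g, '');
  return withoutTags.replace(/&(lt|gt|quot|#0?39|amp);/g, (ref) => DECODE[ref]);
}

// Models mw.html.escape: the characters that can open a tag, end an
// attribute or start a character reference are replaced by references.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Unsafe pattern from the thread: the decoded text is handed to .html(),
// so an extract carrying &lt;script&gt; becomes a live <script> element.
function unsafeRoundTrip(extractMarkup) {
  return textOf(extractMarkup); // the string .html() would parse again
}

// Safe pattern: escape before .html(), equivalent to $o.text( $i.text() ).
function safeRoundTrip(extractMarkup) {
  return escapeHtml(textOf(extractMarkup));
}

// Defender's check: does the string that reaches .html() contain a real tag?
function containsLiveTag(html) {
  return /<\s*script\b/i.test(html);
}

// Constructed sample, the same extract quoted in the thread.
const SAMPLE = '<div>asdf&lt;script&gt;alert(1)&lt;/script&gt;</div>';

console.log(unsafeRoundTrip(SAMPLE)); // asdf<script>alert(1)</script>
console.log(safeRoundTrip(SAMPLE));   // asdf&lt;script&gt;alert(1)&lt;/script&gt;
```

The first output is exactly what a browser would parse when `$o.html(...)` receives it, which is why `.text()` on the way in is no protection on its own; the second is inert text, which is what setting `.text()` on the destination element (or escaping with `mw.html.escape` before `.html()`) produces.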