https://bugzilla.wikimedia.org/show_bug.cgi?id=61743

Chris Steipp <cste...@wikimedia.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #6 from Chris Steipp <cste...@wikimedia.org> ---
(In reply to Chris Steipp from comment #5)
> Sorry, I should have looked at your reference first. Yeah, setting the text
> like that should work for that case. I'm digging through the TextExtracts
> section to make sure it can't return anything else dangerous.

Ok, it should be fine as is. It would be helpful for you to document around the
lines where you do .text( page.extract ) and .html( $box.html() ) what the
expectations are, so that someone doesn't change those in the future and open
up an issue.

(In reply to Prateek Saxena from comment #1)
> 3. There is an i18n string if the page redirects, it needs to read like
> "redirects to OtherPage". As in certain languages it could be "OtherPage…"
> and not "…OtherPage", Mark suggested that I add a $1 to it [2]. As I need
> those elements to be styled a certain way, the i18n strings will end up
> having an <h3> and thus my code looks something like this
> 
>     $( '<div>' ).html( mw.message( 'popups-redirects', redirects[ 0 ].to
> ).text() );
> 
> I am not sure if this is safe.

The title should be fine, due to the page naming rules. If the message contains
scripts, that would cause an issue, but we accept that risk in many places in
MediaWiki, so this isn't much different.


So in general, as of 2b021ef, this extension looks ok for security. Ori should
review it for performance next.
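The two rendering paths discussed in this comment, modelled as plain string functions (an added example, not code from the bug thread or from the Popups extension): the untrusted TextExtracts text goes through the escaping that .text() provides, while the redirect message keeps its <h3> markup and only substitutes $1 after checking that the value is something a MediaWiki title is allowed to be. The template string, the function names and the title rule set (an approximation of the characters MediaWiki forbids in titles) are assumptions made for the example.

```javascript
// Added example (not from the bug thread or the Popups extension): models the
// two rendering paths from the review as plain string functions so the
// distinction is visible without a browser. Names and the message template
// are constructed for illustration.

// Characters MediaWiki never allows in a page title (the "page naming rules"
// the reviewer relies on). This is an approximation of the real rule set.
const FORBIDDEN_TITLE_CHARS = /[#<>[\]|{}]/;

// Reject anything that could not be a real page title. Because '<' and '>'
// are excluded, a valid title can never open or close an HTML tag.
function isValidTitle(title) {
  return typeof title === 'string'
    && title.length > 0
    && !FORBIDDEN_TITLE_CHARS.test(title)
    && !/[\x00-\x1f\x7f]/.test(title);
}

// HTML-escape: the effect of .text( page.extract ), where the extract is
// inserted as a text node rather than parsed as markup.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// The extract is untrusted text from TextExtracts; it is only ever treated
// as text. Returns the markup that the .text() path would end up producing.
function renderExtract(extract) {
  return '<p>' + escapeHtml(extract) + '</p>';
}

// Mirrors $( '<div>' ).html( mw.message( 'popups-redirects', title ).text() ):
// the message keeps its <h3> markup (so it cannot be escaped wholesale) and $1
// is substituted unescaped, which is only acceptable because $1 is a title
// that the naming rules have already kept free of tag characters.
function renderRedirectMessage(template, title) {
  if (!isValidTitle(title)) {
    throw new Error('not a valid page title: ' + JSON.stringify(title));
  }
  // Function replacement so a '$' inside the title is inserted literally.
  return template.replace(/\$1/g, () => title);
}
```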
