https://bugzilla.wikimedia.org/show_bug.cgi?id=73156

            Bug ID: 73156
           Summary: Security review of OOjs php
           Product: Wikimedia
           Version: wmf-deployment
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: Unprioritized
         Component: Extension setup
          Assignee: [email protected]
          Reporter: [email protected]
                CC: [email protected], [email protected]
       Web browser: ---
   Mobile Platform: ---

Nothing too concerning with what you're doing. Security is roughly the same as
using Html/Xml classes at this point.

The only thing I'd really like to see changed is in
php/widgets/InputWidget.php: the "sanitizeValue" function doesn't do any
(security) sanitization, which I think could cause confusion later on. If
the name can't be changed, maybe make the comments explicit that it's not
security sanitization?

It would also be nice to have some extra sanitization built in from the start,
which we can't do in the Html/Xml classes since they're abused in odd ways, but
have bitten some developers (SemanticForms had a bunch of issues because they
assumed these happened):
* Validate tag name will be parsed in HTML as a single tag name, so it doesn't
contain whitespace, /, >, or null.
* Validate attribute names don't contain whitespace, /, =, >
* Validate that form actions and button hrefs aren't javascript: URLs

There are also a couple of places you're adding style attributes directly. Is
it possible to avoid that? My long-term plan is to have MediaWiki set a Content
Security Policy that doesn't allow inline CSS, so I'd prefer to not introduce
new uses of it, if possible.
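
The three checks listed in the comment above, sketched in PHP as an added example. This is not OOjs UI or MediaWiki code: every function name is hypothetical and the inputs are constructed.

```php
<?php
// Added example: not OOjs UI or MediaWiki code. All function names are hypothetical.
// Tag name must parse as a single HTML tag name: no whitespace, "/", ">" or NUL.
function isSafeTagName( string $name ): bool {
	return $name !== '' && !preg_match( '/[\s\/>\x00]/', $name );
}
// Attribute name must not contain whitespace, "/", "=" or ">".
function isSafeAttributeName( string $name ): bool {
	return $name !== '' && !preg_match( '/[\s\/=>]/', $name );
}
// Detect javascript: URLs. Browsers drop tab/CR/LF anywhere in a URL and strip
// leading control characters and spaces before reading the scheme, so do the same.
function isJavascriptUrl( string $url ): bool {
	$url = ltrim( str_replace( [ "\t", "\r", "\n" ], '', $url ), "\x00..\x20" );
	return stripos( $url, 'javascript:' ) === 0;
}
// Build an opening tag, refusing input that fails any of the three checks.
function openTag( string $tag, array $attribs = [] ): string {
	if ( !isSafeTagName( $tag ) ) {
		throw new InvalidArgumentException( 'Unsafe tag name' );
	}
	$html = '<' . $tag;
	foreach ( $attribs as $name => $value ) {
		if ( !isSafeAttributeName( $name ) ) {
			throw new InvalidArgumentException( 'Unsafe attribute name' );
		}
		// Form actions and button hrefs are the URL attributes named in the review.
		$isUrlAttr = in_array( strtolower( $name ), [ 'action', 'href' ], true );
		if ( $isUrlAttr && isJavascriptUrl( (string)$value ) ) {
			throw new InvalidArgumentException( 'javascript: URL in ' . $name );
		}
		$html .= ' ' . $name . '="' . htmlspecialchars( (string)$value, ENT_QUOTES ) . '"';
	}
	return $html . '>';
}

// Constructed inputs: the first is accepted, the other three are rejected.
$cases = [
	[ 'form', [ 'action' => '/w/index.php', 'method' => 'post' ] ],
	[ 'div onclick=x', [] ],
	[ 'a', [ 'title="x" onmouseover' => 'y' ] ],
	[ 'a', [ 'href' => " java\tscript:void(0)" ] ],
];
foreach ( $cases as [ $tag, $attribs ] ) {
	try {
		echo openTag( $tag, $attribs ), "\n";
	} catch ( InvalidArgumentException $e ) {
		echo 'Rejected: ', $e->getMessage(), "\n";
	}
}
```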
