Thank you. I thought $language and $project wouldn't need escaping because their values are known: $project can only be one of wikipedia, wikisource, ... and $language only one of http://noc.wikimedia.org/conf/langlist

I tried to address URLs like /w/index.php?title= in r106857 but I'm not sure it is the correct way. It's difficult to test. If no /wiki/Page or $_GET['title'] is defined, it will default to the Main Page.

2011/12/20 Roan Kattouw <[email protected]>

> On Sun, Dec 18, 2011 at 4:06 PM, Robin Pepermans <[email protected]> wrote:
> > So I would like to ask if someone can review & deploy this (Commits are here:
> > https://www.mediawiki.org/wiki/Special:Code/MediaWiki?path=/trunk/tools/web-scripts/missing.php
> > but it may be easier to just review current trunk version). That would be great :)
>
> I've simplified the code a bit in r106818 and added escaping (there wasn't any, so there were multiple XSS vulnerabilities) in r106819 and r106822.
>
> The only remaining issue I see is that the script assumes the requested URL will be something like http://foobar.wikipedia.org/wiki/Bazquux , while it might legitimately be /w/index.php?.... or /w/api.php or whatever. These cases should be handled in some way. We may not be able to redirect to the incubator intelligently in these cases so we may have to fall back to the error page, but we should at least detect this case rather than pretending it doesn't exist.
>
> Roan
>
> _______________________________________________
> Wikitech-l mailing list
> [email protected]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
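Added example in PHP, not the missing.php code from the commits above: it validates $language and $project against a known list, recovers the title from either /wiki/Title or /w/index.php?title=, returns null for any other URL so the caller can show the error page, and escapes every value on output. parseHost, requestedTitle and renderMissing are hypothetical names; LANGLIST and PROJECTS are constructed samples standing in for the real langlist.

```php
<?php
// Added example, not the missing.php code discussed in the thread.
// LANGLIST and PROJECTS are constructed samples; the real language list
// is http://noc.wikimedia.org/conf/langlist.
const PROJECTS = ['wikipedia', 'wikisource', 'wiktionary'];
const LANGLIST = ['en', 'de', 'nl', 'foobar'];

// Returns [$language, $project] for a host like foobar.wikipedia.org, or
// null when either part is not on the known list. The membership check is
// what makes the values "known"; without it they are input from the Host
// header and must be treated like any other request data.
function parseHost(string $host): ?array {
    if (!preg_match('/^([a-z][a-z0-9-]*)\.([a-z]+)\.org$/', $host, $m)) {
        return null;
    }
    [, $language, $project] = $m;
    if (!in_array($language, LANGLIST, true) || !in_array($project, PROJECTS, true)) {
        return null;
    }
    return [$language, $project];
}

// Returns the title for /wiki/Title or /w/index.php?title=Title and null
// for anything else (/w/api.php, ...), so the caller can fall back to the
// error page instead of pretending the request was for the Main Page.
function requestedTitle(string $path, array $get): ?string {
    if (preg_match('#^/wiki/(.+)$#', $path, $m)) {
        return rawurldecode($m[1]);
    }
    if ($path === '/w/index.php' && isset($get['title']) && $get['title'] !== '') {
        return $get['title'];
    }
    return null;
}

// Every interpolated value is escaped for the HTML context, whitelisted or
// not: escaping is decided by the output context, not by how trusted the
// input is believed to be.
function renderMissing(string $language, string $project, ?string $title): string {
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    if ($title === null) {
        return '<p>Unsupported URL on ' . $esc("$language.$project.org") . '.</p>';
    }
    return '<p>The page ' . $esc($title) . ' does not exist on '
        . $esc($language) . '.' . $esc($project) . '.org yet.</p>';
}
// Usage with a constructed request instead of $_SERVER / $_GET.
[$language, $project] = parseHost('foobar.wikipedia.org');
$title = requestedTitle('/w/index.php', ['title' => '<script>alert(1)</script>']);
echo renderMissing($language, $project, $title), "\n";
```

The constructed title above is rendered as inert text; a request for /w/api.php yields null from requestedTitle and takes the "Unsupported URL" branch.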
