Almost forgot: this is https://bugzilla.wikimedia.org/show_bug.cgi?id=65042
On Wed, May 14, 2014 at 4:28 PM, Max Semenik <maxsem.w...@gmail.com> wrote:
> During internal review, an XSS (cross-site scripting) vulnerability was
> discovered in MobileFrontend extension.
> Due to an unneeded unescaping of already sanitized section titles, HTML
> inserted as plaintext into them was injected into DOM.
> While on ordinary page views only users who have intentionally enabled
> MobileFrontend's beta mode are in danger, it is possible to construct URLs
> that enable beta for every user following them. Another requirement for
> this vulnerability is screen width which must be at least 768 pixels.
>
> Affected versions include MobileFrontend for MediaWiki 1.23 (branch
> REL1_23, still in release candidate phase) and 1.24 (master). If you are
> running a 1.24 WMF branch earlier than wmf/1.24wmf3, please update to a
> later branch.
>
> --
> Best regards,
> Max Semenik ([[User:MaxSem]])
>

--
Best regards,
Max Semenik ([[User:MaxSem]])
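As an added example, not MobileFrontend's or MediaWiki's own code, the pattern the advisory describes modelled in JavaScript: a section title is escaped once, the vulnerable renderer unescapes it again before building markup, and the fixed renderer leaves the sanitized string alone. The helper names and the sample title are constructed for this illustration.

```javascript
// Added example (not MobileFrontend's code): why unescaping an already
// sanitized section title turns text the editor typed into live markup.

// One-time sanitization, as done before the title reaches the renderer.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// The unneeded step: turns entities back into raw characters.
// (&amp; is decoded last so a double-escaped '&amp;lt;' is not promoted.)
function unescapeHtml(s) {
  return s.replace(/&lt;/g, '<').replace(/&gt;/g, '>')
          .replace(/&quot;/g, '"').replace(/&amp;/g, '&');
}

// Constructed input: a title whose angle brackets are meant to be shown
// literally, not interpreted as tags.
const SECTION_TITLE = 'Results <b>2014</b> & notes';

function sanitizeTitle(title) {
  return escapeHtml(title);
}

// Vulnerable: decodes the sanitized title and concatenates it into HTML,
// which is the same effect as assigning the decoded string to innerHTML.
function renderHeadingVulnerable(sanitizedTitle) {
  return '<h2>' + unescapeHtml(sanitizedTitle) + '</h2>';
}

// Fixed: the sanitized string is already safe inside HTML, so it is
// inserted as-is (inserting via textContent would be equivalent).
function renderHeadingFixed(sanitizedTitle) {
  return '<h2>' + sanitizedTitle + '</h2>';
}

// Check: count the element tags a parser would see. Anything beyond the
// single <h2> wrapper means plain text was promoted to markup.
function countInjectedTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.filter(t => !/^<\/?h2>$/.test(t)).length;
}

const sanitized = sanitizeTitle(SECTION_TITLE);
console.log(countInjectedTags(renderHeadingVulnerable(sanitized))); // 2
console.log(countInjectedTags(renderHeadingFixed(sanitized)));      // 0
```

The same check can be run over a rendered heading in a browser console (serialize the heading node and count tags) to confirm a deployed fix no longer promotes escaped characters to elements.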