Template inclusion circumvents JavaScript filtering
Closed, ResolvedPublic
Actions

Assigned To

None

Authored By

	• bzimport
	Jun 3 2005, 12:00 PM

Description

Author: JoostMeerten

Description:
By including a template inside a style directive, arbitrary HTML attributes can
be injected after the style. This allows, among other things, the use of
malicious JavaScript. See the URL for an example.

Version: 1.4.x
Severity: normal
URL: http://en.wikipedia.org/wiki/User:JRM/Sandbox

Details

Reference: bz2304

Event Timeline

• bzimport raised the priority of this task from to Medium.Nov 21 2014, 8:34 PM

• bzimport added projects: MediaWiki-Parser, Parser.

• bzimport set Reference to bz2304.

• bzimport added a subscriber: Unknown Object (MLST).

• bzimport created this task.Jun 3 2005, 12:00 PM

Fixed in 1.3.13, 1.4.5, and 1.5alpha2.

JoostMeerten wrote:

(In reply to comment #1)

Fixed in 1.3.13, 1.4.5, and 1.5alpha2.

If [[Special:Version]] on the en.wikipedia reports MW 1.4.5, then why is this
still working?

Your client-side cache?

JoostMeerten wrote:

No, but NM. Works now.

This bug fix might have broken the reference templates; see
http://en.wikipedia.org/wiki/Wikipedia_talk:Featured_article_candidates#Extremely_important_problem.21
and http://en.wikipedia.org/wiki/User_talk:Raul654#Reference_templates

mapellegrini wrote:

I've gone ahead and re-opened this.

That's bug 2309. Re-closing this bug.

matmarex added a project: JavaScript.Dec 21 2014, 7:07 PM

Template inclusion circumvents JavaScript filteringClosed, ResolvedPublicActions

Description

Details

Event Timeline

Template inclusion circumvents JavaScript filtering
Closed, ResolvedPublic
Actions