Maniphest T19600

Toolbar: User input to UniWiki toolbar injected into javascript without being sanitized -- possible XSS vector.
Closed, DeclinedPublic
Actions

Assigned To

None

Authored By

	• bzimport
	Feb 21 2009, 7:28 PM

Description

Author: robert

Description:
In various places within the Uniwiki Custom Toolbar extension, user-supplied text (either from within pages, messages, or POST\GET data) is injected in to JavaScript without sanitization - this poses a possible security vulnerability and would likely cause the extension to malfunction if a quotation mark were included in any of the pieces of text.

The following lines in CustomToolbar.php are possibly affected: 152, 159, 166, 331, 332, and 333.

Version: unspecified
Severity: major
Whiteboard: extension[unmaintained]

Details

Reference: bz17600

Event Timeline

• bzimport raised the priority of this task from to Low.Nov 21 2014, 10:34 PM

• bzimport added a project: MediaWiki-extensions-Uniwiki.

• bzimport set Reference to bz17600.

• bzimport added a subscriber: Unknown Object (MLST).

• bzimport created this task.Feb 21 2009, 7:28 PM

Clarified bug summary so I don't get scared when I see it.

According to one of its developer (Mark), Uniwiki extensions for MediaWiki are not under active development anymore "and it is safe to declare them obsolete/wontfix."

It is unlikely that there will be any further active development.

Closing this report as WONTFIX as part of Bugzilla Housekeeping and adding the whitespace entry "extension[unmaintained]". Please feel free to reopen this bug report in the future if anyone takes the responsibility for active development again.

Toolbar: User input to UniWiki toolbar injected into javascript without being sanitized -- possible XSS vector.Closed, DeclinedPublicActions

Description

Details

Event Timeline

Toolbar: User input to UniWiki toolbar injected into javascript without being sanitized -- possible XSS vector.
Closed, DeclinedPublic
Actions