Author: masatokinugawa
Description:
bug 28235's patch is still vulnerable.
Version: 1.16.x
Severity: normal
URL: http://www.mediawiki.org/w/api%2Ephp?action=query&meta=siteinfo&format=json&siprop=%3Cbody%20onload=alert(1)%3E.html?
Thanks for that, another fix will be released in 1.16.4.
I had Roan Kattouw help me review and test the patch this time, so hopefully we've got it nailed down.
EN.WP.ST47 wrote:
No XSS when I click the link, so it works in 1.17-wmfwhatever. Closing fixed by Tim.