Version: unspecified
Severity: major
Description
Details
- Reference
- bz29094
Event Timeline
The ConfirmEdit extension is not catching URLs that are added to pages within HTML tags. If a user enters a URL within an "<a" tag, for example, the captcha will not trigger.
It doesn't look like Wikinews' sanitizer allows "a" tags to be entered. The wiki on which this was found does allow "a" tags. Is there a Wikimedia Foundation installation out there somewhere that would allow them, where we could test?
(In reply to comment #4)
It doesn't look like Wikinews' sanitizer allows "a" tags to be entered. The wiki on which this was found does allow "a" tags. Is there a Wikimedia Foundation installation out there somewhere that would allow them, where we could test?
I thought you meant adding a <a> tag without it being interpreted.
I didn't think it was possible to configure mediawiki to allow <a> tags (Not counting if you enable $wgRawHtml, but if you have that on, and are worried about spam, you have _much_ bigger problems).
Can you describe exactly how the wiki in question is configured to allow <a> tags?
Note, guessing that your wiki is http://tmbw.net (based on your name), it looks as if most of the sanitizer code has been disabled, which has significant security implications...
As for the actual bug, since MediaWiki is not designed to allow <a> tags, I'm not sure if it's a bug that the extension doesn't work with <a> tags.
Resolving INVALID -- the wiki being discussed appears to have disabled all of MediaWiki's security protections and is emitting unsanitized HTML. This allows cross-site scripting attacks of all sorts and is not something that MediaWiki allows, recommends, or supports.
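The gap the reporter describes, as an added example that is not ConfirmEdit's or MediaWiki's code: a simplified Python model in which the captcha trigger compares only the links that wikitext syntax would register, so an href carried by a raw <a> tag that a disabled sanitizer lets through never counts as a new link, while the `all_links` variant also walks href attributes. The link syntax recognised and the "new link added" trigger are assumptions made for this illustration, not the extension's actual logic.

```python
import re
from html.parser import HTMLParser

# Constructed, simplified model of link registration (assumption, not MediaWiki's
# parser): bracketed external links and free URLs in running text count; anything
# inside an HTML tag is not running text and is ignored.
URL = r'https?://[^\s<>"\'\]]+'
BRACKET_LINK_RE = re.compile(r'\[(' + URL + r')(?:\s[^\]]*)?\]', re.I)
FREE_LINK_RE = re.compile(URL, re.I)
TAG_RE = re.compile(r'<[^>]+>')


def wikitext_links(text):
    """Links introduced through wikitext syntax only (bracketed or free URLs)."""
    found = set(BRACKET_LINK_RE.findall(text))
    running_text = TAG_RE.sub(' ', BRACKET_LINK_RE.sub(' ', text))
    found.update(FREE_LINK_RE.findall(running_text))
    return found


class _HrefCollector(HTMLParser):
    """Collects href values from raw <a> tags left in the text."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self.hrefs.extend(v for k, v in attrs if k == 'href' and v)


def all_links(text):
    """Wikitext links plus any http(s) href carried by a raw <a> tag."""
    found = wikitext_links(text)
    collector = _HrefCollector()
    collector.feed(text)
    found.update(h for h in collector.hrefs if FREE_LINK_RE.match(h))
    return found


def needs_captcha(old_text, new_text, extractor=wikitext_links):
    """Trigger when the edit introduces at least one link not present before."""
    return bool(extractor(new_text) - extractor(old_text))


# Constructed sample edits: the same link added via wikitext and via raw HTML.
OLD = 'Some page text.'
NEW_WIKITEXT = 'Some page text. See [http://example.com/spam more].'
NEW_RAW_HTML = 'Some page text. See <a href="http://example.com/spam">more</a>.'
```

With the wikitext-only extractor the raw HTML edit slips past the trigger, which is the behaviour reported above; the href-aware extractor catches it, but the real fix is keeping the sanitizer enabled so the tag never reaches the page.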