Author: phorgo
Description:
The extension encodes the rendered HTML to base64 to avoid escape problems with the parser and decodes it after the parser's work is done. But if someone adds encoded HTML to the page's wikitext, it will be decoded, too. This allows anyone to inject all kinds of scripts. For example, adding
ENCODED_CONTENT PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPgphbGVydCgnSGVsbG8sIG15IGZyaWVuZCEnKTsKPC9zY3JpcHQ+ END_ENCODED_CONTENT
to the wikitext will execute the alert() JavaScript function with 'Hello, my friend!'.
My idea is to add a random number after ENCODED_CONTENT to make the encoded strings different each time. This could look like this:
ENCODED_CONTENT RAND=123456789 PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPgphbGVydCgnSGVsbG8sIG15IGZyaWVuZCEnKTsKPC9zY3JpcHQ+ END_ENCODED_CONTENT
And only if the correct number is matched by the regular expression should the encoded string be decoded.
Version: unspecified
Severity: major
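The marker scheme the report describes, as an added Python model of the flaw and of the proposed per-parse token fix; this is illustration code, not the extension's own PHP, and `render()` stands in for the wiki parser with a plain HTML escape. The only change from the report's proposal is that the token is drawn from a cryptographic source instead of being a guessable number.

```python
import base64
import html
import re
import secrets

B64 = r"[A-Za-z0-9+/=]+"


def encode_marker(fragment: str, token: str = "") -> str:
    """Wrap rendered HTML in a base64 marker so the wiki parser leaves it untouched."""
    payload = base64.b64encode(fragment.encode("utf-8")).decode("ascii")
    tag = f"RAND={token} " if token else ""
    return f"ENCODED_CONTENT {tag}{payload} END_ENCODED_CONTENT"


def decode_unkeyed(text: str) -> str:
    """Vulnerable post-parse step: any well-formed marker is decoded, whoever wrote it."""
    pattern = re.compile(rf"ENCODED_CONTENT ({B64}) END_ENCODED_CONTENT")
    return pattern.sub(lambda m: base64.b64decode(m.group(1)).decode("utf-8"), text)


def decode_keyed(text: str, token: str) -> str:
    """Hardened post-parse step: only markers carrying this parse's token are decoded."""
    pattern = re.compile(
        rf"ENCODED_CONTENT RAND={re.escape(token)} ({B64}) END_ENCODED_CONTENT"
    )
    return pattern.sub(lambda m: base64.b64decode(m.group(1)).decode("utf-8"), text)


def render(wikitext: str, extension_html: str, keyed: bool) -> str:
    """Stand-in for one parser run: escape the user's wikitext (as the real parser
    would), append the extension's marker, then run the post-parse decode step."""
    if not keyed:
        parsed = html.escape(wikitext) + encode_marker(extension_html)
        return decode_unkeyed(parsed)
    token = secrets.token_hex(16)  # fresh and unguessable for this parse only
    parsed = html.escape(wikitext) + encode_marker(extension_html, token)
    return decode_keyed(parsed, token)


# Constructed sample input: the extension's legitimate output and a page whose
# wikitext carries a hand-made marker (a harmless tag stands in for a script).
EXT_HTML = '<div class="chart">ok</div>'
USER_WIKITEXT = "hello " + encode_marker("<s>injected</s>") + " world"

if __name__ == "__main__":
    print(render(USER_WIKITEXT, EXT_HTML, keyed=False))  # injected tag is live
    print(render(USER_WIKITEXT, EXT_HTML, keyed=True))   # injected marker stays inert text
```

Because the token is regenerated for every parse and never appears in the saved wikitext, a marker an author types by hand can only be decoded if they guess the current token, which `secrets.token_hex(16)` makes impractical.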