Reported by Mateusz Goik. The example.php script is writing out PHP_SELF unfiltered, so this should be an XSS, although I'm not able to reproduce it on enwiki or my local dev environment. I think Apache is rewriting things enough to prevent it. But we should still fix it ASAP.
Hi,
XSS in extensions/SyntaxHighlight_GeSHi/geshi/contrib/example.php
PoC:

http://localhost/wiki/extensions/SyntaxHighlight_GeSHi/geshi/contrib/example.php/"><img src="asd" onerror="alert(1);">

HTML:

<form action=""><img onerror="alert(1);" src="asd">" method="post">
<h3>Source to highlight</h3>
<p>
<textarea id="source" name="source" cols="60" rows="10"></textarea>
</p>
<h3>Choose a language</h3>
<p>
Version: master
Severity: normal
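Added example for this report, written for this page and not code from GeSHi or MediaWiki: it reconstructs the pattern the report describes (PHP_SELF echoed straight into a form action) as an assumed vulnerable renderer, puts a hardened renderer beside it, and feeds both a PHP_SELF value constructed to match the PoC URL above, so the effect can be seen from the CLI without a web server.

```php
<?php
// Added example for this report, not code from GeSHi or MediaWiki. The vulnerable
// renderer is an assumed reconstruction of the pattern the report describes
// (PHP_SELF echoed unescaped into a form action), shown beside a hardened version.
// Run with: php example_phpself.php

// Vulnerable: $_SERVER['PHP_SELF'] is SCRIPT_NAME plus any PATH_INFO the client
// appended, so a request for example.php/"><img ...> lands inside the attribute
// and the quote in the path closes it.
function renderFormVulnerable(string $phpSelf): string
{
    return '<form action="' . $phpSelf . '" method="post">';
}

// Hardened: encode for HTML attribute context. ENT_QUOTES covers both quote
// characters, so the client-controlled value can no longer close the attribute
// or open a tag.
function renderFormFixed(string $phpSelf): string
{
    $safe = htmlspecialchars($phpSelf, ENT_QUOTES, 'UTF-8');
    return '<form action="' . $safe . '" method="post">';
}

// Constructed PHP_SELF value matching the report's PoC URL: the script path with
// the injected PATH_INFO segment appended (built by hand here; on a real request
// PHP would populate $_SERVER['PHP_SELF'] this way when PATH_INFO is passed through).
$phpSelf = '/wiki/extensions/SyntaxHighlight_GeSHi/geshi/contrib/example.php/'
    . '"><img src="asd" onerror="alert(1);">';

$vulnerable = renderFormVulnerable($phpSelf);
$fixed      = renderFormFixed($phpSelf);

echo "Vulnerable: $vulnerable\n";
echo "Fixed:      $fixed\n";

// Sanity check: the injected <img> tag must survive only in the vulnerable output.
if (strpos($vulnerable, '<img') === false || strpos($fixed, '<img') !== false) {
    fwrite(STDERR, "unexpected result\n");
    exit(1);
}
```

The vulnerable output reproduces the structure in the reporter's HTML (the attribute closes at the injected quote and an `<img>` element follows), while the hardened output keeps the whole value inside `action="..."` with `"`, `<` and `>` encoded as `&quot;`, `&lt;` and `&gt;`. For a form that only posts back to itself, dropping the reflection altogether (`action=""`) is an even simpler fix, since an empty action submits to the current document URL. Whether the PoC reproduces on a given server depends on whether the trailing path segment reaches PHP as PATH_INFO at all, which is consistent with the triage note above about Apache configuration making the difference.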