Page MenuHomePhabricator
Create Task
Maniphest T55472

[WikibaseRepo] XSS: Labels shown in "In other languages" section of entity view are not escaped
Closed, ResolvedPublic
Actions

Description

Insert "<script>alert(1)</script>" in a label and when it's shown in the "In other languages" section, the script snippet is executed.

Version: master
Severity: normal

Details

Reference
bz53472

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 1:57 AM
bzimport added a project: MediaWiki-extensions-WikibaseRepository.
bzimport set Reference to bz53472.
bzimport added a subscriber: Unknown Object (MLST).
liangent created this task.Aug 28 2013, 1:01 PM
liangent added a comment.Aug 28 2013, 1:15 PM

Created attachment 13188
Bugfix for the issue

Another less serious (can only be exploited by admins) XSS is address too.

Attached:

bug53472.diff1 KBDownload

csteipp added a comment.Aug 28 2013, 2:35 PM

Thanks Liangent! That looks like a reasonable fix. Let me do some testing on it, and we'll get it deployed asap.

liangent added a comment.Aug 28 2013, 4:12 PM

Created attachment 13189
htmlspecialchars( Utils::fetchLanguageName( $language ) ) too

It looks better for me to htmlspecialchars( Utils::fetchLanguageName( $language ) ) too, though Utils::fetchLanguageName() has a fixed set of outputs currently.

Attached:

bug53472.diff1 KBDownload

csteipp added a comment.Aug 28 2013, 6:37 PM

Reviewed and tested by Aude too. Deployed.

18:37 logmsgbot: csteipp synchronized php-1.22wmf13/extensions/Wikibase
18:35 logmsgbot: csteipp synchronized php-1.22wmf14/extensions/Wikibase

I'll add into gerrit too.

liangent added a comment.Aug 28 2013, 8:09 PM

I can confirm this is fixed live.

Abraham added a comment.Sep 4 2013, 1:28 PM

Verified in Wikidata demo time

csteipp added a comment.Sep 5 2013, 5:05 PM

This was assigned CVE-2013-4307

gerritbot added a project: Patch-For-Review.Nov 30 2014, 10:21 PM

Change 176610 had a related patch set (by Dereckson) published:
Extra language names configuration for Wikidata

https://gerrit.wikimedia.org/r/176610

Patch-For-Review

gerritbot added a comment.Nov 30 2014, 11:23 PM

Change 176610 had a related patch set uploaded (by Dereckson):
Extra language names configuration for Wikidata

https://gerrit.wikimedia.org/r/176610

Patch-For-Review

csteipp added a project: acl*security.Mar 26 2015, 8:39 PM
chasemp added a project: Security.Feb 10 2020, 10:53 PM
Restricted Application added a project: Wikidata. · View Herald TranscriptFeb 10 2020, 10:53 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:14 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL