Insert "<script>alert(1)</script>" in a label and when it's shown in the "In other languages" section, the script snippet is executed.
Version: master
Severity: normal
Reported by: liangent
Aug 28 2013, 1:01 PM
F11512: bug53472.diff
Nov 22 2014, 1:57 AM
F11511: bug53472.diff
Nov 22 2014, 1:57 AM
Created attachment 13188
Bugfix for the issue
Another less serious (can only be exploited by admins) XSS is addressed too.
Thanks Liangent! That looks like a reasonable fix. Let me do some testing on it, and we'll get it deployed asap.
Created attachment 13189
htmlspecialchars( Utils::fetchLanguageName( $language ) ) too
It looks better to me to htmlspecialchars( Utils::fetchLanguageName( $language ) ) too, though Utils::fetchLanguageName() has a fixed set of outputs currently.
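The pattern behind the report and the two fix comments, as an added PHP illustration that is not Wikibase's code: an "In other languages" row built by string concatenation, once with the label (and language name) inserted raw, once with every value passed through htmlspecialchars() at the point it enters HTML. The row markup, the function names and the stand-in fetchLanguageNameStub() lookup table are assumptions made for the example; the sample label is the one from the report.

```php
<?php
// Added example; not Wikibase code. Names and markup are hypothetical.

// Stand-in for Utils::fetchLanguageName(): a fixed lookup table, as the
// real function currently has a fixed set of outputs.
function fetchLanguageNameStub( string $code ): string {
    static $names = [ 'en' => 'English', 'de' => 'Deutsch', 'zh' => '中文' ];
    return $names[$code] ?? $code;
}

// Vulnerable form: the user-controlled label (and the language name) are
// concatenated into HTML without escaping, so a label such as
// <script>alert(1)</script> becomes live markup in the rendered page.
function renderOtherLanguageRowUnsafe( string $code, string $label ): string {
    return '<tr><td>' . fetchLanguageNameStub( $code ) . '</td>'
        . '<td>' . $label . '</td></tr>';
}

// Escape for an HTML text or attribute context. ENT_QUOTES also escapes
// single quotes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning
// an empty string, which would otherwise silently drop the whole cell.
function escapeHtml( string $s ): string {
    return htmlspecialchars( $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
}

// Hardened form: escape every value where it enters the markup, including
// the language name, even though the stub only returns table entries today.
function renderOtherLanguageRowSafe( string $code, string $label ): string {
    return '<tr><td>' . escapeHtml( fetchLanguageNameStub( $code ) ) . '</td>'
        . '<td>' . escapeHtml( $label ) . '</td></tr>';
}

// Returns true when no raw <script> tag survives in the rendered row.
function rowIsInert( string $html ): bool {
    return stripos( $html, '<script' ) === false;
}

// Constructed input matching the report.
$label = '<script>alert(1)</script>';

echo renderOtherLanguageRowUnsafe( 'en', $label ), "\n";
echo renderOtherLanguageRowSafe( 'en', $label ), "\n";

var_dump( rowIsInert( renderOtherLanguageRowUnsafe( 'en', $label ) ) );
var_dump( rowIsInert( renderOtherLanguageRowSafe( 'en', $label ) ) );
```

Escaping the language name even though its current outputs are fixed is the same reasoning as the second attachment: the contract of a renderer is that anything it concatenates into HTML is escaped, so a later change to the source of that value (for example configurable language names) cannot reintroduce the bug. A table-driven check of the rendered string for a raw "<script" is only a smoke test; escaping at the output boundary is the fix, not the check.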
Reviewed and tested by Aude too. Deployed.
18:37 logmsgbot: csteipp synchronized php-1.22wmf13/extensions/Wikibase
18:35 logmsgbot: csteipp synchronized php-1.22wmf14/extensions/Wikibase
I'll add into gerrit too.
Change 176610 had a related patch set (by Dereckson) published:
Extra language names configuration for Wikidata
Change 176610 had a related patch set uploaded (by Dereckson):
Extra language names configuration for Wikidata