Last modified: 2012-08-30 16:29:56 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and kept for historical purposes. It is not possible to log in, and apart from displaying bug reports and their history, links might be broken. See T41735, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 39735 - WLMMobile: HTML injection in HTML templating system
Status: RESOLVED FIXED
Product: WikiLoves Monuments Mobile
Classification: Unclassified
Component: General
Version: unspecified
Hardware: All
OS: All
Priority: Highest
Severity: blocker
Target Milestone: ---
Assigned To: Brion Vibber
Depends on:
Blocks:
Reported: 2012-08-28 15:10 UTC by Brion Vibber
Modified: 2012-08-30 16:29 UTC (History)

Description Brion Vibber 2012-08-28 15:10:53 UTC
While testing the long filenames issue, I noticed that the super-long Belorussian monument name actually contains a literal "<br />" tag.

This is being output unescaped into the app's HTML document, appearing as a line break. This is an HTML injection vector which is at best fragile and at worst a security danger.

It looks like the <%= foo %> syntax in the template doesn't do any escaping... this should be fixed, or else explicit HTML escaping needs to be added to everything we output.
Comment 1 Arthur Richards 2012-08-29 17:37:13 UTC
IMO this should be prioritized above all other outstanding issues and dealt with prior to launch.
Comment 2 Arthur Richards 2012-08-29 18:38:57 UTC
Marking as blocker.
Comment 3 Brion Vibber 2012-08-30 13:35:08 UTC
Per http://underscorejs.org/#template we should use <%- foo %> to get escaping. Nice!
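The difference between the two delimiters discussed in this report, as an added example that is not part of the bug or of WLMMobile's code. Instead of pulling in Underscore, a tiny stand-in renderer reproduces only its `<%= %>` (raw) and `<%- %>` (escaped) interpolation, and the monument name is a constructed sample, not the real Belarusian entry:

```javascript
// Escape map in the spirit of Underscore's _.escape (the exact character set
// varies by Underscore version; this covers the breakout characters that matter).
const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Neutralise characters that could end a text node or attribute value.
function escapeHtml(value) {
  return String(value == null ? '' : value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Minimal stand-in for _.template: `<%= expr %>` inserts the value raw (the
// vector reported in this bug), `<%- expr %>` inserts it HTML-escaped.
// Only dotted property paths are supported; no <% %> evaluate blocks.
function renderTemplate(template, data) {
  return template.replace(/<%([=-])\s*([\w.]+)\s*%>/g, (_m, mode, path) => {
    const value = path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), data);
    return mode === '-' ? escapeHtml(value) : String(value == null ? '' : value);
  });
}

// Constructed sample: a monument name whose text happens to contain markup,
// as the report describes for the long Belarusian entry.
const MONUMENT = { name: 'Помнік <br /> на вуліцы' };

const UNSAFE_TEMPLATE = '<h2 class="monument"><%= name %></h2>'; // before the fix
const SAFE_TEMPLATE = '<h2 class="monument"><%- name %></h2>';   // after the fix

function renderUnsafe() { return renderTemplate(UNSAFE_TEMPLATE, MONUMENT); }
function renderSafe() { return renderTemplate(SAFE_TEMPLATE, MONUMENT); }

// Review check: does any data value that looks like a tag survive verbatim
// into the rendered fragment? True means the template leaks markup.
function leaksMarkup(rendered, data) {
  return Object.values(data).some((v) => /<[a-z]/i.test(String(v)) && rendered.includes(String(v)));
}

console.log(renderUnsafe()); // the <br /> becomes live markup
console.log(renderSafe());   // the <br /> is displayed as text
```

Running `leaksMarkup` over every rendered fragment is a cheap way to catch a template that still uses `<%= %>` for user-supplied data.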
Comment 4 Brion Vibber 2012-08-30 13:44:51 UTC
https://github.com/wikimedia/WLMMobile/pull/217
