Last modified: 2012-08-31 05:14:42 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T41762, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 39762 - XSS issue in image syntax
Status: RESOLVED DUPLICATE of bug 39700
Product: MediaWiki
Classification: Unclassified
Component: Parser
Version: 1.19.1
Hardware: All All
Importance: Unprioritized normal
Target Milestone: ---
Assigned To: Nobody - You can work on this!
Reported: 2012-08-29 09:03 UTC by Niklas Laxström
Modified: 2012-08-31 05:14 UTC

Description Niklas Laxström 2012-08-29 09:03:27 UTC
Reported in #wikimedia-tech and to me privately in IRC, there is an XSS issue in image syntax, for example:

[[File:Somethingrandaom.jpg|<a href=hello.jpg width=100>aa</a>]]

I submitted a draft fix at https://gerrit.wikimedia.org/r/#/c/21863/ (Added Tim and Chris as reviewers).

Made local changes to wmf9 and wmf10 and deployed them.

Seems to be introduced in early 2012 in 472c3267.
Comment 1 Tim Starling 2012-08-29 09:27:08 UTC

*** This bug has been marked as a duplicate of bug 39700 ***
