Last modified: 2014-10-23 00:06:26 UTC
http://semantic-mediawiki.org/wiki/Special:Ask?eq=yes&order_num=ASC&p[default]=3&p[format]=broadtable&p[headers]=show&p[intro]=3&p[limit]='" ns= alert(0x012480) &p[link]=all&p[mainlabel]=3&p[offset]=0&p[outro]=3&po=3&q=3&sort_num=3&title=Special%3aAsk&p[limit]=" javascript=prompt(0) onclick=prompt(0) onmouseover=prompt(/XSSHERE/) onload=prompt(0) onfocus=prompt(0) ns=" The above url produces an alert box when you mouseover the formatSelector select box next to "Format as:"
Verified on wikitech too. Adding Ryan and Jeroen.
Issue is that Ex:SemanticMediaWiki is using Xml::escapeJsString() to escape $url parameters instead of rawurlencode. $url is then written directly into an element instead of using an Html/Xml builder, which also would have prevented breaking out of the attr.
Created attachment 12031 [details] Patch to rawurlencode parameters and use Html::openElement() Untested, but this should fix the issue. Not sure if it breaks the assumptions of the form processing (Jeroen would probably be the one to comment on that).
https://gerrit.wikimedia.org/r/#/c/57433/
Don’t think that will break anything - though who knows, sort of hard to tell with a pile of rotten code like Special:Ask :)
Hi Jeroen, in the future, please don't publicly post security patches to gerrit until we confirm that our systems are patched. Adding Niklas so he can patch twn.
Ok, sorry, was not aware of this process, or even that this bug was not public.
Merged by Jeroen
