Last modified: 2013-06-09 07:16:31 UTC
GuidedTour can add on-wiki tours (which are JavaScript files in the MW namespace) to pages where user JS is not supposed to be allowed. I have a fix locally, which I'll upload shortly as a patch (I can do a Gerrit draft if that's secure too).
Created attachment 12467: Patch to fix issue
Hi Matt, please keep it out of Gerrit for now. We'll most likely patch the cluster first, and then put it into Gerrit.
I did this during the E3 deployment in the GuidedTour directories. However, it disappeared, because I forgot to also do a local SECURITY commit bumping the submodule. I checked that it's still deployed, though. So I did the local submodule bump to mediawiki (both directories again), and it should be correct now. Let me know when we can make this public.
Since our next security release is a couple weeks out, and it's patched on the cluster, it's probably best to just commit it in Gerrit and communicate to your users that they should update. I'm not sure how much it's used outside the WMF, so you may not need to do much. Once it's merged, feel free to close this bug and move it to the MediaWiki Extensions Product so it will be public.
Merged to master.