Last modified: 2013-09-05 17:05:28 UTC
Insert "<script>alert(1)</script>" in a label and when it's shown in the "In other languages" section, the script snippet is executed.
Created attachment 13188 [details] Bugfix for the issue. Another less serious XSS (can only be exploited by admins) is addressed too.
Thanks Liangent! That looks like a reasonable fix. Let me do some testing on it, and we'll get it deployed asap.
Created attachment 13189 [details] htmlspecialchars( Utils::fetchLanguageName( $language ) ) too. It looks better to me to htmlspecialchars( Utils::fetchLanguageName( $language ) ) too, though Utils::fetchLanguageName() has a fixed set of outputs currently.
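The escaping fix discussed above, as an added example that is not Wikibase's patch or the attachment itself: a minimal "In other languages" row renderer in its unescaped form beside a hardened form that runs both the label and the language name through htmlspecialchars(). The labels are constructed sample data, and fetchLanguageName() is a hypothetical stand-in for Utils::fetchLanguageName() with a fixed set of outputs.

```php
<?php
// Constructed sample labels; the second one is the payload from the report.
$labels = [
    'en' => 'Berlin',
    'de' => '<script>alert(1)</script>',
];

// Hypothetical stand-in for Utils::fetchLanguageName(): fixed output set.
function fetchLanguageName( string $code ): string {
    $names = [ 'en' => 'English', 'de' => 'Deutsch' ];
    return $names[$code] ?? $code;
}

// Vulnerable: concatenates user-controlled text straight into the markup.
function renderLabelsVulnerable( array $labels ): string {
    $html = '';
    foreach ( $labels as $code => $label ) {
        $html .= '<tr><td>' . fetchLanguageName( $code ) . '</td><td>'
            . $label . "</td></tr>\n";
    }
    return $html;
}

// Hardened: every dynamic value is escaped before it reaches the HTML stream,
// the language name included, even though its outputs are fixed today.
function renderLabelsSafe( array $labels ): string {
    $html = '';
    foreach ( $labels as $code => $label ) {
        $name = htmlspecialchars( fetchLanguageName( $code ), ENT_QUOTES, 'UTF-8' );
        $text = htmlspecialchars( $label, ENT_QUOTES, 'UTF-8' );
        $html .= '<tr><td>' . $name . '</td><td>' . $text . "</td></tr>\n";
    }
    return $html;
}

// Reviewer check: the raw tag survives in the vulnerable output and is
// turned into inert entities in the hardened one.
function escapingIsEffective( array $labels ): bool {
    $bad  = renderLabelsVulnerable( $labels );
    $good = renderLabelsSafe( $labels );
    return strpos( $bad, '<script>' ) !== false
        && strpos( $good, '<script>' ) === false
        && strpos( $good, '&lt;script&gt;' ) !== false;
}

echo renderLabelsSafe( $labels );
echo escapingIsEffective( $labels ) ? "escaping ok\n" : "escaping FAILED\n";
```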
Reviewed and tested by Aude too. Deployed.
18:37 logmsgbot: csteipp synchronized php-1.22wmf13/extensions/Wikibase
18:35 logmsgbot: csteipp synchronized php-1.22wmf14/extensions/Wikibase
I'll add it into gerrit too.
I can confirm this is fixed live.
Verified in Wikidata demo time
This was assigned CVE-2013-4307