This tag is used to group security bugs by their general classification. These bugs allow an attacker to run JavaScript in another user's browser (Cross-site Scripting / XSS). See OWASP Top 10 2017 - A7
Parent project: Security-Team
We also need a patch to phan-taint-check to make sure the new key name is marked as an XSS risk.
Change #1055600 merged by jenkins-bot:
[mediawiki/core@master] Deprecate the 'help' key in form descriptors in favor of 'help-raw'
In T45646#10028555, @cscott wrote: Rather than convert the html to wikitext, one avenue here might be to pass the "raw html" through the sanitizer.
In T45646#10028555, @cscott wrote:
- A variant of this would be to add a new message: MediaWiki:CopyrightWikitext. If that message is non-empty, it is used in place of MediaWiki:Copyright and rendered from wikitext. (Or vice-versa, maybe we'd want to use MediaWiki:CopyrightWikitext only if MediaWiki:Copyright was empty?) That would also allow wiki-by-wiki conversions so that only those wikis which actually need raw html use it.
In T45646#10028555, @cscott wrote:
- We could also make a site-wide configuration variable for "copyright is raw html", and default it to false, and set it to true only for german wikipedia. That would allow us to incrementally improve our security footing without necessarily breaking german wiki or third parties which might rely on this.
Two ideas for making progress on this:
In T336556#10016164, @Bawolff wrote: Can this be public? It sounds like these issues were fixed, and in any case, the graph extension is dead at this point.
Can this be public? It sounds like these issues were fixed, and in any case, the graph extension is dead at this point.
Change #1055600 had a related patch set uploaded (by Alejandro Alcaide; author: Alejandro Alcaide):
[mediawiki/core@master] Deprecate the 'help' key in form descriptors in favor of 'help-raw'
@GauriGupta: Please always go to the code project listed under "Tags" in the sidebar of a task, that page links the code repository.
In T356971#9969736, @GauriGupta wrote: @AllUsernamesArePicked Can you please share the repo for this issue with me, as I am new to this community and I want to contribute eagerly.
HTMLForm is part of MediaWiki core.
@AllUsernamesArePicked Can you please share the repo for this issue with me, as I am new to this community and I want to contribute eagerly.
A pull request for this patch has been submitted on github: https://github.com/lingua-libre/BlueLL/pull/18
Change #1051769 merged by jenkins-bot:
[mediawiki/skins/GuMaxDD@REL1_41] SECURITY: avoid stored XSS via MediaWiki:Sidebar
Change #1051771 merged by jenkins-bot:
[mediawiki/skins/GuMaxDD@REL1_39] SECURITY: avoid stored XSS via MediaWiki:Sidebar
Change #1051773 merged by jenkins-bot:
[mediawiki/skins/Nimbus@REL1_42] [SECURITY] Avoid stored XSS via MediaWiki:Nimbus-sidebar
Change #1051774 merged by jenkins-bot:
[mediawiki/skins/Nimbus@REL1_41] [SECURITY] Avoid stored XSS via MediaWiki:Nimbus-sidebar
Change #1051776 merged by jenkins-bot:
[mediawiki/skins/Tempo@REL1_41] SECURITY: avoid stored XSS via MediaWiki:Sidebar
Change #1051778 merged by jenkins-bot:
[mediawiki/skins/Tempo@REL1_39] SECURITY: avoid stored XSS via MediaWiki:Sidebar
Change #1051770 abandoned by Umherirrender:
[mediawiki/skins/GuMaxDD@REL1_40] SECURITY: avoid stored XSS via MediaWiki:Sidebar
Reason:
REL1_40 is end of life
Change #1051775 abandoned by Umherirrender:
[mediawiki/skins/Nimbus@REL1_40] [SECURITY] Avoid stored XSS via MediaWiki:Nimbus-sidebar
Reason:
REL1_40 is end of life
Change #1051777 abandoned by Umherirrender:
[mediawiki/skins/Tempo@REL1_40] SECURITY: avoid stored XSS via MediaWiki:Sidebar
Reason:
REL1_40 is end of life
That makes sense.
In T361452#9686743, @Samwilson wrote: Also, why is escapeIdForAttribute() "not guaranteed to be HTML safe"? What other ID attribute is it intended for, that needs to be able to contain angle brackets etc.? Is it because some XML dialects permit more characters in IDs than HTML does? It looks like a bunch of skins are doing similar things to Foreground here, so it does seem a confusingly named function.
Change #1051779 merged by jenkins-bot:
[mediawiki/skins/Foreground@REL1_41] Escape id attribute in sidebar headers
Change #1051779 had a related patch set uploaded (by Mmartorana; author: Samwilson):
[mediawiki/skins/Foreground@REL1_41] Escape id attribute in sidebar headers
Change #1051778 had a related patch set uploaded (by Mmartorana; author: Jack Phoenix):
[mediawiki/skins/Tempo@REL1_39] SECURITY: avoid stored XSS via MediaWiki:Sidebar
Change #1051777 had a related patch set uploaded (by Mmartorana; author: Jack Phoenix):
[mediawiki/skins/Tempo@REL1_40] SECURITY: avoid stored XSS via MediaWiki:Sidebar