---------- Forwarded message ----------
From: Brian Wolff <bawolff(a)gmail.com>
Date: Tue, Jan 31, 2017 at 4:02 PM
Subject: [Wikitech-l] Proposal: Make $wgRawHTML not apply to system messages
To: wikitech-l <wikitech-l(a)lists.wikimedia.org>
Most of the time we assume that writing code like:
wfMessage( 'foo' )->params( $this->getRequest()->getVal( 'bar' ) )->parse();
is totally safe. However, in a wiki with $wgRawHTML = true; this code
would be an XSS. I've looked through core, and couldn't find any
examples of using unsanitized url parameters as a message parameter in
a parsed message, however it seems to me like this sort of thing is an
accident waiting to happen.
I would like to propose that $wgRawHTML only apply to actual pages.
The <html> parser tag should not be active in wfMessage() or other
parser contexts. I don't think this would break anything, but I'd like
feedback on if anyone could think of anything this could break.
For more information see
https://phabricator.wikimedia.org/T156184 .
Please post any feedback about this idea on that bug.
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
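The pattern the post describes, beside a form that does not depend on the raw-HTML setting, as an added illustration that is not code from the thread or from MediaWiki core. It assumes a hypothetical SpecialPage subclass (`SpecialFooExample`) and the post's placeholder names `foo` and `bar`; the real configuration variable is spelled `$wgRawHtml`.

```php
<?php
// Added example, not from the thread or MediaWiki core. The class is hypothetical;
// it exists only so that $this->getRequest() and $this->getOutput() are available.
class SpecialFooExample extends SpecialPage {

	public function __construct() {
		parent::__construct( 'FooExample' );
	}

	public function execute( $subPage ) {
		// Attacker-controlled URL parameter (?bar=...).
		$untrusted = $this->getRequest()->getVal( 'bar', '' );

		// Pattern from the post: the value is substituted into the message text
		// before parsing. With $wgRawHtml = true (default is false), a value
		// containing an <html>...</html> block is emitted unparsed and unescaped.
		$risky = wfMessage( 'foo' )->params( $untrusted )->parse();

		// Hardened form: plaintextParams() (MediaWiki 1.25+) marks the value as
		// literal text. It is substituted after parsing and HTML-escaped in
		// parse()/escaped() output, so the parser never sees it as wikitext and
		// the raw-HTML setting cannot affect it.
		$safe = wfMessage( 'foo' )->plaintextParams( $untrusted )->parse();

		$this->getOutput()->addHTML( $safe );
	}
}
```

The same applies to any message parameter built from request data, not only `getVal()`; review `->params()` calls feeding `parse()` or `escaped()` wherever a wiki might enable `$wgRawHtml`.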