---------- Forwarded message ---------- From: Brian Wolff bawolff@gmail.com Date: Tue, Jan 31, 2017 at 4:02 PM Subject: [Wikitech-l] Proposal: Make $wgRawHTML not apply to system messages To: wikitech-l wikitech-l@lists.wikimedia.org

Most of the time we assume that writing code like: wfMessage( 'foo' )->params( $this->getRequest()->getVal( 'bar' ) )->parse();

is totally safe. However, in a wiki with $wgRawHTML = true; this code would be an XSS. I've looked through core, and couldn't find any examples of using unsanitized url parameters as a message parameter in a parsed message, however it seems to me like this sort of thing is an accident waiting to happen.

I would like to propose that $wgRawHTML only apply to actual pages. The <html> parser tag should not be active in wfMessage() or other parser contexts. I don't think this would break anything, but I'd like feedback on if anyone could think of anything this could break.

For more information see https://phabricator.wikimedia.org/T156184 . Please post any feedback about this idea on that bug.

_______________________________________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l