On 16.09.2011 01:12, Daniel Friesen wrote:
> Looking over an extension that was already badly coded, I realized there's yet another type of injection vulnerability we have to consider when coding: CSS injection vulnerabilities.
> Normally MediaWiki sanitizes any style="" tag created by user input. Things like background-images are stripped out. They can be used to track users, as a type of spam, and if you're hitting IE users it's possible you could do even more using an htc file. Oh right, and of course there's the lovely IE expression(...) which allows raw JavaScript to be injected right into CSS.
Daniel,
please can you add the essentials of your important information regarding CSS injection vulnerabilities via extensions to the relevant pages in the MediaWiki Developer's Guide:
http://www.mediawiki.org/wiki/MDG
I guess your information should be added to some pages in section Security and some pages in section Extensions, SpecialPages, hooks & Co.
Tom
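
The style="" sanitization described in the quoted message, sketched as an added example that is not part of this thread and is not MediaWiki's own sanitizer code. The function name `filterStyleValue`, the property allow-list and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: a conservative allow-list filter for a user-supplied
// style="" value inside an extension. Hypothetical helper, not MediaWiki code.

// Assumed allow-list: properties that never need url(...) or function calls.
const ALLOWED_PROPERTIES = ['color', 'background-color', 'font-weight',
                            'text-align', 'margin', 'padding'];

function filterStyleValue(string $style): string
{
    // Backslash escapes and comments can hide keywords such as "expression"
    // from a filter, so refuse the whole value instead of trying to decode it.
    if (strpos($style, '\\') !== false || strpos($style, '/*') !== false) {
        return '';
    }
    $kept = [];
    foreach (explode(';', $style) as $declaration) {
        $parts = explode(':', $declaration, 2);
        if (count($parts) !== 2) {
            continue; // not a "property: value" pair
        }
        $property = strtolower(trim($parts[0]));
        $value = trim($parts[1]);
        if (!in_array($property, ALLOWED_PROPERTIES, true)) {
            continue; // drops background-image, behavior and anything unknown
        }
        // Keywords, numbers, units and hex colours only. Parentheses, quotes
        // and slashes are not allowed, so url(...) and expression(...) cannot
        // appear under an allowed property either.
        if (!preg_match('/\A[a-zA-Z0-9#%. -]+\z/', $value)) {
            continue;
        }
        $kept[] = "$property: $value";
    }
    return implode('; ', $kept);
}

// Constructed sample inputs covering the cases named in the message.
$samples = [
    'color: red; background-image: url(http://example.org/pixel.gif)',
    'behavior: url(sample.htc); text-align: center',
    'color: expression(1)',
    'COLOR: #336699; margin: 0 4px',
];
foreach ($samples as $sample) {
    // Escape on output as well; filtering the CSS does not replace HTML escaping.
    $safe = htmlspecialchars(filterStyleValue($sample), ENT_QUOTES);
    printf("%s\n  => style=\"%s\"\n", $sample, $safe);
}
```

The filter rejects by default: anything it does not recognise is dropped rather than repaired, which is the safer direction for extension code that builds style attributes from user input.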