On Mon, 23 Jan 2012 14:45:14 -0800, Neil Kandalgaonkar neilk@wikimedia.org wrote:
On Mon, Jan 16, 2012 at 7:22 PM, Jeroen De Dauw jeroendedauw@gmail.com wrote:
Do we trust that messages do not have evil (XSS) stuff in them?
MediaWiki will sanitize tags it does not recognize. Unless you find a flaw in the sanitizer, you can't put a working <script> in a message string.
There are numerous places where wfMsg is used directly and dropped right into html. It's something we'd love to eventually kill. But yes, there are messages you can put a <script> into and have it executed.
On 1/22/12 10:26 PM, Roan Kattouw wrote:
jQueryMsg doesn't really do this very well just yet, that's an issue with jQueryMsg.
It already does escaping, it just trusts jQuery to do it. So a string that doesn't "look" like HTML is already escaped just fine. But if it does look like HTML, for convenience' sake, it gets turned into jQuery.
Since it's a frontend library, we have a lot less to worry about. The one case I see is when we have non-sanitized, user-contributed data, that we got from the server, used in HTML parameters. Like, someone saying their first name is '<script src="evil.js"></script>'.
The whole point of the library is to allow you to pass in jQuery objects into a message. But, we could make that safer:
1 - Right now, the library allows you to pass HTML in a string, as a convenience. We could instead make it so that all strings are assumed to be Just Strings, and escape them on the way in. So you couldn't use '<b>foo</b>' as a parameter, you'd have to declare your intention that it should be HTML by passing a real jQuery object. This may break old code in a few places, but not many.
2 - We could ensure that the message library never emits scripts, by applying a simple jQuery filter to the final result.
Don't delude yourself into thinking that you can easily blacklist the elements that would run a script. http://ha.ckers.org/xss.html
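A minimal illustration of option 1 from the thread, added here as an example and not code from jQueryMsg or MediaWiki: string parameters are escaped on the way in, and only an explicit Markup wrapper (a stand-in for a jQuery object, an assumption of this example) is emitted as HTML. For comparison, formatHeuristic models the "looks like HTML" behaviour described above; the $1 placeholder syntax follows MediaWiki messages.

```javascript
// Added example (not jQueryMsg/MediaWiki code): message formatting where string
// parameters are always escaped and only explicit Markup objects are emitted raw.
// Markup stands in for the jQuery objects the thread mentions (an assumption here).

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Explicit declaration that a value is HTML; the caller takes responsibility for it.
class Markup {
  constructor(html) { this.html = html; }
}
function markup(html) { return new Markup(html); }

// Models the behaviour described in the thread: a string that "looks like" HTML
// is trusted and inserted as-is, everything else is escaped.
function looksLikeHtml(s) {
  return /<[a-z][\s\S]*>/i.test(s);
}

function formatHeuristic(template, params) {
  return template.replace(/\$(\d+)/g, (_, n) => {
    const p = params[Number(n) - 1];
    if (p instanceof Markup) return p.html;
    return looksLikeHtml(p) ? p : escapeHtml(p);
  });
}

// Option 1 from the thread: every string is Just a String. Only a Markup object
// can contribute tags, so user-supplied data such as a first name is always escaped.
function formatStrict(template, params) {
  return template.replace(/\$(\d+)/g, (_, n) => {
    const p = params[Number(n) - 1];
    return p instanceof Markup ? p.html : escapeHtml(p);
  });
}

// Constructed input: the "first name" from the thread, placed in a $1 placeholder
// (MediaWiki message syntax).
const firstName = '<script src="evil.js"></script>';
console.log(formatHeuristic('Welcome, $1!', [firstName]));          // tags survive
console.log(formatStrict('Welcome, $1!', [firstName]));             // tags escaped
console.log(formatStrict('Welcome, $1!', [markup('<b>foo</b>')]));  // declared HTML kept
```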