On Mon, Jan 16, 2012 at 7:22 PM, Jeroen De
> Do we trust that messages do not have evil (XSS) stuff in them?
MediaWiki will sanitize tags it does not recognize. Unless you find a
flaw in the sanitizer, you can't put a working <script> in a message string.
On 1/22/12 10:26 PM, Roan Kattouw wrote:
jQueryMsg doesn't really do this very well just
yet, that's an issue
It already does escaping, it just trusts jQuery to do it. So a string
that doesn't "look" like HTML is already escaped just fine. But if it
does look like HTML, for convenience' sake, it gets turned into jQuery.
Since it's a frontend library, we have a lot less to worry about. The
one case I see is when we have non-sanitized, user-contributed data,
that we got from the server, used in HTML parameters. Like, someone
saying their first name is '<script
The whole point of the library is to allow you to pass in jQuery objects
into a message. But, we could make that safer:
1 - Right now, the library allows you to pass HTML in a string, as a
convenience. We could instead make it that all strings are assumed to be
Just Strings, and escape them on the way in. So you couldn't use
'<b>foo</b>' as a parameter, you'd have to declare your intention that
it should be HTML by passing a real jQuery object. This may break old
code in a few places, but not many.
2 - We could ensure that the message library never emits scripts, by
applying a simple jQuery filter to the final result.
Neil Kandalgaonkar <neilk(a)wikimedia.org>
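Option 1 from the message above, as an added example that is not jQueryMsg's own code: every string parameter is escaped on the way in, and only a deliberately constructed wrapper is inserted as HTML. The `HtmlParam` class and the `$1`-style placeholder syntax are assumptions standing in for a real jQuery object and the message format.

```javascript
// Added example (not jQueryMsg code): string parameters are treated as
// Just Strings and HTML-escaped; only an explicit HtmlParam passes through.

function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Assumed stand-in for a jQuery object: the caller must construct this
// on purpose to declare that the content really is HTML.
class HtmlParam {
  constructor(html) { this.html = html; }
}

// Format a message such as "Hello $1, you have $2 new messages".
// The template itself is trusted (sanitized on the server, per the thread);
// the parameters are not. Plain strings are always escaped, HtmlParam is not.
function formatMessage(template, params) {
  return template.replace(/\$(\d+)/g, (match, n) => {
    const p = params[Number(n) - 1];
    if (p === undefined) return match;          // leave unknown $n untouched
    if (p instanceof HtmlParam) return p.html;  // declared HTML: caller's choice
    return escapeHtml(p);                       // untrusted data stays text
  });
}

// Constructed sample: a "first name" that looks like markup is rendered inert.
const rendered = formatMessage('Hello $1, you have $2 new messages',
                               ['<script>alert(1)</script>', 5]);
// rendered === 'Hello &lt;script&gt;alert(1)&lt;/script&gt;, you have 5 new messages'
```

With this shape, old code that passed '<b>foo</b>' as a bare string gets literal text instead of bold, which is the breakage the message anticipates.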