[Mediawiki-l] Question about recursiveTagParse()

Tim Starling tstarling at wikimedia.org
Mon Jun 14 01:22:18 UTC 2010

On 14/06/10 10:40, Vadtec wrote:
> Greetings all,
> I'm not sure if this is the right mailing list to be posting this question to,
> so if I should be posting to mediawiki-api, please let me know. (I think I'm in
> the right spot though.)
> I have a question about recursiveTagParse(). Is it XSS safe? As in, do I need to
> escape its output with htmlspecialchars() or does it take care of that for me?
> I am writing a tag extension, and I need it to be able to parse wiki text. I
> have followed the instructions at
> http://www.mediawiki.org/wiki/Manual:Tag_extensions#Version_1.8_to_version_1.15
> (I am running MW 1.15.4), but it doesn't specify if the output is XSS safe or not.
> Erring on the side of caution, I have pre-escaped all of my user supplied
> variables with htmlspecialchars(), but if I could avoid this step it would be
> wonderful, both for the simplicity of coding and performance.

Yes it's safe, as long as there are no unsafe extensions, $wgRawHtml
is false, and you have the latest version of MediaWiki. Or to put it
another way, if there was an XSS vulnerability in it, there would be
one in the ordinary editing interface too.

Note that wikitext markup is allowed, so it's often best to call
wfEscapeWikiText() on user input that you pass to recursiveTagParse()
to avoid unintended formatting.

The output of a tag hook is HTML and needs to be escaped. For example

return "<div class=\"$args['class']\">" .
   $parser->recursiveTagParse( $args['text'] ) . "</div>";

is an XSS vulnerability. But this:

return Xml::openElement( 'div', array( 'class' => $args['class'] ) ) .
    $parser->recursiveTagParse( $args['text'] ) . "</div>";

is not.

-- Tim Starling

More information about the MediaWiki-l mailing list