[Mediawiki-l] Question about recursiveTagParse()

Vadtec vadtec at vadtec.net
Mon Jun 14 01:57:14 UTC 2010


On 6/13/2010 8:22 PM, Tim Starling wrote:
> On 14/06/10 10:40, Vadtec wrote:
> Yes it's safe, as long as there are no unsafe extensions, $wgRawHtml
> is false, and you have the latest version of MediaWiki. Or to put it
> another way, if there was an XSS vulnerability in it, there would be
> one in the ordinary editing interface too.
> 
> Note that wikitext markup is allowed, so it's often best to call
> wfEscapeWikiText() on user input that you pass to recursiveTagParse()
> to avoid unintended formatting.
> 
> The output of a tag hook is HTML and needs to be escaped. For example
> this:
> 
> return "<div class=\"{$args['class']}\">" .
>    $parser->recursiveTagParse( $args['text'] ) . "</div>";
> 
> is an XSS vulnerability. But this:
> 
> return Xml::openElement( 'div', array( 'class' => $args['class'] ) ) .
>     $parser->recursiveTagParse( $args['text'] ) . "</div>";
> 
> is not.
> 
> -- Tim Starling

So I should be ok doing:

return $parser->recursiveTagParse( htmlspecialchars($text) );

Thanks for the info. I figured it wasn't XSS safe, thus I erred on the side of
caution.

- Vadtec
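To make the two points from the thread concrete (attribute values need HTML escaping, and user text that should stay literal needs wfEscapeWikiText() before recursiveTagParse()), here is an added example of a small MediaWiki tag extension. It is not code from the thread or from MediaWiki itself; the tag name `safebox`, the function names and the `class`/`label` attributes are assumptions chosen for illustration. It uses the 2010-era extension API that the thread discusses: `$wgHooks['ParserFirstCallInit']`, `Parser::setHook()`, `Xml::openElement()`, `Xml::closeElement()` and `wfEscapeWikiText()`.

```php
<?php
// Added example (not from the thread): a minimal MediaWiki tag extension that
// shows the unsafe and the safe way to build a tag hook's HTML output.
// Usage in wikitext (tag name and attributes are assumptions):
//   <safebox class="note" label="User supplied label">'''wikitext''' body</safebox>

$wgHooks['ParserFirstCallInit'][] = 'wfSafeBoxSetup';

function wfSafeBoxSetup( &$parser ) {
    // Register the <safebox> tag; the callback receives the tag body and attributes.
    $parser->setHook( 'safebox', 'wfSafeBoxRender' );
    return true;
}

// UNSAFE variant, kept only for contrast (do not register it).
// The class attribute is interpolated into raw HTML, so a double quote in
// $args['class'] ends the attribute and the rest of the value becomes markup.
// The label is concatenated into the wikitext unescaped, so it can inject
// templates, links or formatting that the author of the page never intended.
function wfSafeBoxRenderUnsafe( $input, array $args, Parser $parser, PPFrame $frame ) {
    $class = isset( $args['class'] ) ? $args['class'] : '';
    $label = isset( $args['label'] ) ? $args['label'] : '';
    $wikitext = "'''" . $label . "''' " . $input;
    return "<div class=\"{$class}\">" . $parser->recursiveTagParse( $wikitext, $frame ) . '</div>';
}

// SAFE variant.
function wfSafeBoxRender( $input, array $args, Parser $parser, PPFrame $frame ) {
    // 1. Attribute context: Xml::openElement() runs every attribute value through
    //    htmlspecialchars(), so quotes and angle brackets in $args['class'] stay
    //    inside the attribute instead of closing the tag.
    $attribs = array( 'class' => 'safebox' );
    if ( isset( $args['class'] ) ) {
        $attribs['class'] .= ' ' . $args['class'];
    }

    // 2. Wikitext context: the label is user text that should render literally.
    //    wfEscapeWikiText() neutralises wikitext markup ({{, [[, ''', <, etc.),
    //    so the parser shows it as plain text rather than interpreting it.
    $wikitext = '';
    if ( isset( $args['label'] ) && $args['label'] !== '' ) {
        $wikitext .= "'''" . wfEscapeWikiText( $args['label'] ) . "''' ";
    }

    // 3. The tag body is intended to be wikitext, so it is parsed as-is.
    //    recursiveTagParse() returns sanitised HTML: raw HTML in the body is
    //    subject to the same whitelist as ordinary page edits.
    $wikitext .= $input;
    $body = $parser->recursiveTagParse( $wikitext, $frame );

    // The returned string is final HTML; every user-controlled piece in it has
    // been escaped for the context it landed in.
    return Xml::openElement( 'div', $attribs ) . $body . Xml::closeElement( 'div' );
}
```

The division of labour is the one Tim describes: the parser is responsible for the HTML that comes out of recursiveTagParse(), but the extension is responsible for anything it builds around that output (attributes, wrapper elements) and for deciding whether a given piece of user input is wikitext to be parsed or literal text to be escaped first.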
