On 14/06/10 10:40, Vadtec wrote:
Greetings all,
I'm not sure if this is the right mailing list to be posting this question to, so if I should be posting to mediawiki-api, please let me know. (I think I'm in the right spot though.)
I have a question about recursiveTagParse(). Is it XSS safe? As in, do I need to escape its output with htmlspecialchars() or does it take care of that for me?
I am writing a tag extension, and I need it to be able to parse wiki text. I have followed the instructions at http://www.mediawiki.org/wiki/Manual:Tag_extensions#Version_1.8_to_version_1... (I am running MW 1.15.4), but it doesn't specify if the output is XSS safe or not.
Erring on the side of caution, I have pre-escaped all of my user supplied variables with htmlspecialchars(), but if I could avoid this step it would be wonderful, both for the simplicity of coding and performance.
Yes it's safe, as long as there are no unsafe extensions, $wgRawHtml is false, and you have the latest version of MediaWiki. Or to put it another way, if there was an XSS vulnerability in it, there would be one in the ordinary editing interface too.
Note that wikitext markup is allowed, so it's often best to call wfEscapeWikiText() on user input that you pass to recursiveTagParse() to avoid unintended formatting.
The output of a tag hook is HTML and needs to be escaped. For example this:
return "<div class=\"{$args['class']}\">" . $parser->recursiveTagParse( $args['text'] ) . "</div>";
is an XSS vulnerability. But this:
return Xml::openElement( 'div', array( 'class' => $args['class'] ) ) . $parser->recursiveTagParse( $args['text'] ) . "</div>";
is not.
-- Tim Starling
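To make the difference between the two snippets concrete, here is an added, stand-alone PHP example (not code from the thread or from MediaWiki). It assumes a minimal reimplementation of what Xml::openElement() does for attribute values, and replaces $parser->recursiveTagParse() with a stub, since the real parser is not needed to show the attribute-context problem.

```php
<?php
// Added example, not MediaWiki code: demonstrates why the raw-interpolated
// class attribute is exploitable and how attribute-context escaping fixes it.

// Stand-in for $parser->recursiveTagParse(); the real method returns parsed
// HTML. Here it only escapes its input so the block runs without MediaWiki.
function stubRecursiveTagParse(string $wikitext): string {
    return htmlspecialchars($wikitext, ENT_QUOTES, 'UTF-8');
}

// Pattern from the first snippet in the reply: the attribute value is
// interpolated straight into the HTML without escaping.
function renderUnsafe(array $args): string {
    return "<div class=\"{$args['class']}\">"
        . stubRecursiveTagParse($args['text']) . "</div>";
}

// Hypothetical minimal version of Xml::openElement(): every attribute value
// is escaped for the attribute context (ENT_QUOTES covers both quote styles).
function openElement(string $tag, array $attrs): string {
    $out = '<' . $tag;
    foreach ($attrs as $name => $value) {
        // Attribute names come from the extension code; values are untrusted.
        $out .= ' ' . $name . '="'
            . htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8') . '"';
    }
    return $out . '>';
}

// Pattern from the second snippet in the reply.
function renderSafe(array $args): string {
    return openElement('div', ['class' => $args['class']])
        . stubRecursiveTagParse($args['text']) . '</div>';
}

// Constructed input: a class value containing a double quote. In the unsafe
// version it closes the class attribute early and an extra attribute lands
// on the element; in the safe version the quote is encoded and stays inside
// the attribute value.
$args = ['class' => 'note" data-injected="1', 'text' => 'hello'];

echo renderUnsafe($args), "\n";
echo renderSafe($args), "\n";
```

Compare the two lines of output: only the escaped version keeps the whole user-supplied value inside the class attribute.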