On Mon, Jan 16, 2012 at 7:22 PM, Jeroen De Dauw <jeroendedauw@gmail.com> wrote:
Do we trust that messages do not have evil (XSS) stuff in them?
MediaWiki will sanitize tags it does not recognize. Unless you find a flaw in the sanitizer, you can't put a working <script> in a message string.
On 1/22/12 10:26 PM, Roan Kattouw wrote:
jQueryMsg doesn't really do this very well just yet, that's an issue with jQueryMsg.
It already does escaping, it just trusts jQuery to do it. So a string that doesn't "look" like HTML is already escaped just fine. But if it does look like HTML, for convenience' sake, it gets turned into jQuery.
Since it's a frontend library, we have a lot less to worry about. The one case I see is when we have non-sanitized, user-contributed data, that we got from the server, used in HTML parameters. Like, someone saying their first name is '<script src="evil.js"></script>'.
The whole point of the library is to allow you to pass in jQuery objects into a message. But, we could make that safer:
1 - Right now, the library allows you to pass HTML in a string, as a convenience. We could instead make it that all strings are assumed to be Just Strings, and escape them on the way in. So you couldn't use '<b>foo</b>' as a parameter, you'd have to declare your intention that it should be HTML by passing a real jQuery object. This may break old code in a few places, but not many.
2 - We could ensure that the message library never emits scripts, by applying a simple jQuery filter to the final result.
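To make proposal 1 concrete, here is an added example (not jQueryMsg code, and not from anyone in this thread) that models a message formatter in which every string parameter is escaped on the way in and only a value explicitly wrapped as HtmlParam is inserted as markup; HtmlParam is a hypothetical stand-in for "a real jQuery object", so the example runs in Node without a DOM, and the legacy function is shown only for contrast.

```javascript
// Added example, not jQueryMsg's own code. Models proposal 1: strings are
// Just Strings and get escaped; markup must be declared via HtmlParam
// (hypothetical wrapper standing in for a real jQuery object).

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };

// Escape every character that can open a tag, attribute or entity.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Explicit marker for markup the caller vouches for.
class HtmlParam {
  constructor(html) { this.html = html; }
}

// Replace $1, $2, ... in the template. Plain values are escaped; HtmlParam
// values are inserted verbatim because the caller declared that intent.
function formatMessage(template, params) {
  return template.replace(/\$(\d+)/g, (match, index) => {
    const value = params[Number(index) - 1];
    if (value === undefined) return match;            // leave unknown $n alone
    if (value instanceof HtmlParam) return value.html;
    return escapeHtml(value);
  });
}

// The convenience behaviour described in the thread: a string that "looks"
// like HTML is trusted as markup. Kept here only to contrast with the above.
function formatMessageLegacy(template, params) {
  return template.replace(/\$(\d+)/g, (match, index) => {
    const value = params[Number(index) - 1];
    if (value === undefined) return match;
    return /<[a-z][\s\S]*>/i.test(value) ? String(value) : escapeHtml(value);
  });
}

// Constructed sample input: a user-contributed first name carrying a script tag.
const firstName = '<script src="evil.js"></script>';
const template = 'Welcome, $1! You have $2 new messages.';

console.log(formatMessageLegacy(template, [firstName, 3]));        // tag passes through
console.log(formatMessage(template, [firstName, 3]));              // tag is escaped text
console.log(formatMessage(template, [firstName, new HtmlParam('<b>3</b>')])); // declared markup kept
```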