On Mon, 23 Jan 2012 14:45:14 -0800, Neil Kandalgaonkar <neilk(a)wikimedia.org> wrote:

> On Mon, Jan 16, 2012 at 7:22 PM, Jeroen De Dauw <jeroendedauw(a)gmail.com> wrote:
> > Do we trust that messages do not have evil (XSS) stuff in them?
>
> MediaWiki will sanitize tags it does not recognize. Unless you find a
> flaw in the sanitizer, you can't put a working <script> in a message
> string.

There are numerous places where wfMsg is used directly and dropped right
into html. It's something we'd love to eventually kill. But yes, there are
messages you can put a <script> into and have it executed.

> On 1/22/12 10:26 PM, Roan Kattouw wrote:
> > jQueryMsg doesn't really do this very well just yet, that's an issue
> > with jQueryMsg.
>
> It already does escaping, it just trusts jQuery to do it. So a string
> that doesn't "look" like HTML is already escaped just fine. But if it
> does look like HTML, for convenience' sake, it gets turned into jQuery.
>
> Since it's a frontend library, we have a lot less to worry about. The
> one case I see is when we have non-sanitized, user-contributed data,
> that we got from the server, used in HTML parameters. Like, someone
> saying their first name is '<script src="evil.js"></script>'.
>
> The whole point of the library is to allow you to pass in jQuery objects
> into a message. But, we could make that safer:
>
> 1 - Right now, the library allows you to pass HTML in a string, as a
> convenience. We could instead make it that all strings are assumed to be
> Just Strings, and escape them on the way in. So you couldn't use
> '<b>foo</b>' as a parameter, you'd have to declare your intention that
> it should be HTML by passing a real jQuery object. This may break old
> code in a few places, but not many.
>
> 2 - We could ensure that the message library never emits scripts, by
> applying a simple jQuery filter to the final result.

Don't delude yourself into thinking that you can easily blacklist the
elements that would run a script.
http://ha.ckers.org/xss.html
--
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://daniel.friesen.name]
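An added example, written for this page and not code from the thread or from MediaWiki's jQueryMsg, showing the first proposal discussed above in plain JavaScript. It assumes `$1`, `$2` ... placeholders (the MediaWiki message convention) and uses a hypothetical `TrustedHtml` wrapper as a stand-in for passing a real jQuery object. The hardened formatter escapes every string parameter on the way in; for contrast, a second formatter reproduces the "convenience" behaviour the thread describes, where a string that merely looks like HTML is passed through unescaped. The user-supplied name is a constructed sample taken from the thread's own illustration.

```javascript
// Added example (not MediaWiki or jQueryMsg code): a message formatter that
// follows "proposal 1" from the thread. Strings are Just Strings and are
// always escaped; only a value the caller explicitly wrapped as markup is
// emitted verbatim. TrustedHtml is a hypothetical stand-in for a jQuery object.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#039;',
};

// Escape the five characters that matter in HTML text and attribute values.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Marker type: the caller has declared "this parameter is markup".
class TrustedHtml {
  constructor(html) {
    this.html = html;
  }
}

function rawHtml(html) {
  return new TrustedHtml(html);
}

// Hardened formatter: every string parameter is escaped on the way in.
function formatMessage(template, params) {
  return template.replace(/\$(\d+)/g, (placeholder, index) => {
    const value = params[Number(index) - 1];
    if (value === undefined) {
      return placeholder; // missing parameter: leave the placeholder visible
    }
    if (value instanceof TrustedHtml) {
      return value.html; // explicitly declared markup passes through
    }
    return escapeHtml(value);
  });
}

// Heuristic modelled on the thread's description: does the string "look like" HTML?
function looksLikeHtml(value) {
  return typeof value === 'string' && /^\s*<[a-zA-Z!\/]/.test(value);
}

// Legacy-style formatter: a string that looks like HTML is trusted as markup.
// Included only to make the difference visible; this is the path proposal 1 removes.
function formatMessageLegacy(template, params) {
  return template.replace(/\$(\d+)/g, (placeholder, index) => {
    const value = params[Number(index) - 1];
    if (value === undefined) {
      return placeholder;
    }
    if (value instanceof TrustedHtml) {
      return value.html;
    }
    if (looksLikeHtml(value)) {
      return value; // convenience path: no escaping
    }
    return escapeHtml(value);
  });
}

// Constructed sample: a server-supplied, unsanitized "first name" as in the thread.
const userSuppliedName = '<script src="evil.js"></script>';

console.log(formatMessage('Welcome, $1!', [userSuppliedName]));
// Welcome, &lt;script src=&quot;evil.js&quot;&gt;&lt;/script&gt;!
console.log(formatMessageLegacy('Welcome, $1!', [userSuppliedName]));
// Welcome, <script src="evil.js"></script>!
console.log(formatMessage('Click $1 to continue', [rawHtml('<b>foo</b>')]));
// Click <b>foo</b> to continue
```

The design point is that the hardened version makes escaping the default and requires an explicit opt-in for markup, rather than trying to filter script-bearing elements out of the finished output; the only thing that changes for existing callers is that a string like `'<b>foo</b>'` must now be wrapped to be rendered as HTML.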