Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T17392, the corresponding Phabricator task for complete and up-to-date bug report information.

Bug 15392 - Use $wgUrlProtocols API protocol whitelist

Summary:	Use $wgUrlProtocols API protocol whitelist

Status: RESOLVED FIXED Product: MediaWiki Classification: Unclassified Component: API (Other open bugs) Version: 1.14.x Hardware: All All Importance: Normal enhancement (vote) Target Milestone: --- Assigned To: Roan Kattouw URL: Whiteboard: Keywords: Depends on: Blocks:   Show dependency tree / graph		Reported: 2008-08-31 14:29 UTC by Platonides Modified: 2008-08-31 17:11 UTC (History) CC List: 2 users (show) Bryan.TongMinh vasilvv See Also: Web browser: --- Mobile Platform: --- Assignee Huggle Beta Tester: ---

Attachments Patch using $wgUrlProtocols in the API (1.08 KB, patch) 2008-08-31 14:29 UTC, Platonides Details Add an attachment (proposed patch, testcase, etc.)

Description Platonides 2008-08-31 14:29:52 UTC Created attachment 5232 [details] Patch using $wgUrlProtocols in the API formatHTML() uses a protocol whitelist to avoid protocol injections (such as javascript:, see r17105). However, this list is arbitrary. It should be detecting the same protocols accepted into the wiki ie. $wgUrlProtocols Comment 1 Bryan Tong Minh 2008-08-31 16:52:45 UTC Why was ://.*? replaced by .*? in preg_replace? Comment 2 Platonides 2008-08-31 17:01:04 UTC Because $wgUrlProtocols already contains the :// for the which need it (it also has protocols, such as mailto: which don't have slashes, i think supporting them is also ok). Comment 3 Bryan Tong Minh 2008-08-31 17:11:59 UTC Patch committed in r40278.