Last modified: 2013-04-16 08:53:11 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T19600, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 17600 - Toolbar: User input to UniWiki toolbar injected into javascript without being sanitized -- possible XSS vector.
Status: RESOLVED WONTFIX
Product: MediaWiki extensions
Classification: Unclassified
Component: Uniwiki (Other open bugs)
Version: unspecified
Hardware: All
OS: All
Priority: Low
Severity: major
Target Milestone: ---
Assigned To: Nobody - You can work on this!
Whiteboard: extension[unmaintained]
Depends on:
Blocks:
Reported: 2009-02-21 19:28 UTC by Robert Leverington
Modified: 2013-04-16 08:53 UTC (History)

See Also:
Web browser: ---
Mobile Platform: ---

Description Robert Leverington 2009-02-21 19:28:16 UTC
In various places within the Uniwiki Custom Toolbar extension, user-supplied text (either from within pages, messages, or POST/GET data) is injected into JavaScript without sanitization - this poses a possible security vulnerability and would likely cause the extension to malfunction if a quotation mark were included in any of the pieces of text.

The following lines in CustomToolbar.php are possibly affected: 152, 159, 166, 331, 332, and 333.
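A constructed illustration of the pattern the report describes, added here and not taken from CustomToolbar.php (the `addButton` call, both functions and the sample labels are assumptions): the unsafe concatenation beside the hardened form that emits the value as a JSON literal.

```php
<?php
// Constructed illustration (hypothetical functions, not the extension's code)
// of server-side text dropped into an inline <script> block.

// Unsafe: the label is concatenated straight into a JS string literal, so a
// quotation mark in a page, message or request value ends the literal early
// and a closing tag in the value ends the <script> element itself.
function toolbarButtonJsUnsafe(string $label): string {
    return "<script>addButton('" . $label . "');</script>";
}

// Hardened: emit the value as a JSON literal. The JSON_HEX_* flags escape
// quotes, '&', '<' and '>' as \uXXXX, so neither the string literal nor the
// <script> element can be terminated by the data. MediaWiki core provides
// Xml::encodeJsVar() for the same purpose.
function toolbarButtonJsSafe(string $label): string {
    $js = json_encode(
        $label,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    return "<script>addButton(" . $js . ");</script>";
}

// Constructed sample labels: one carrying the quotation mark the report
// mentions, one carrying a closing tag. Compare the two renderings of each.
foreach (["Editor's note", "Sign</script>"] as $label) {
    echo "unsafe: ", toolbarButtonJsUnsafe($label), "\n";
    echo "safe:   ", toolbarButtonJsSafe($label), "\n";
}
```

The same json_encode() treatment applies to values taken from page text and from POST/GET parameters; output escaping belongs at the point where the value enters the script, not where it is read.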
Comment 1 Andrew Garrett 2009-04-07 15:19:37 UTC
Clarified bug summary so I don't get scared when I see it.
Comment 2 Andre Klapper 2013-04-16 08:53:11 UTC
According to one of its developers (Mark), Uniwiki extensions for MediaWiki are not under active development anymore "and it is safe to declare them obsolete/wontfix."

It is unlikely that there will be any further active development.

Closing this report as WONTFIX as part of Bugzilla Housekeeping and adding the whiteboard entry "extension[unmaintained]". Please feel free to reopen this bug report in the future if anyone takes the responsibility for active development again.
