Last modified: 2006-07-07 05:01:02 UTC

Wikimedia Bugzilla is closed!

Wikimedia has migrated from Bugzilla to Phabricator. Bug reports should be created and updated in Wikimedia Phabricator instead. Please create an account in Phabricator and add your Bugzilla email address to it.
Wikimedia Bugzilla is read-only. If you try to edit or create any bug report in Bugzilla you will be shown an intentional error message.
In order to access the Phabricator task corresponding to a Bugzilla report, just remove "static-" from its URL.
You could still run searches in Bugzilla or access your list of votes but bug reports will obviously not be up-to-date in Bugzilla.
Bug 6577 - Limited HTML attribute injection in 1.7 rc
Limited HTML attribute injection in 1.7 rc
Product: MediaWiki
Classification: Unclassified
Parser (Other open bugs)
All All
: Normal normal (vote)
: ---
Assigned To: Nobody - You can work on this!
Depends on:
  Show dependency treegraph
Reported: 2006-07-07 01:40 UTC by Nick Jenkins
Modified: 2006-07-07 05:01 UTC (History)
0 users

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Description Nick Jenkins 2006-07-07 01:40:42 UTC
Doing a fuzz stress test of 1.7 rc, found one limited HTML attribute injection:
**#***; <pre dir=mailto:,,,,fffffff}}__TOC__||[[x|y]]&#x22;&#x0A;-------<cite>

HTML result:
<ul><li><ul><li><ol><li><ul><li><ul><li><ul><li><dl><dt> <pre

(i.e. the </dt>, </dl>, </li>, </ul>, </ol>, <p> tags are injected). Also
generates a Tidy error.

P.s. My gut suspicion is that we're approaching the last of the injectable stuff
using the Parser.
Comment 1 Brion Vibber 2006-07-07 04:47:59 UTC
Fixed at r15399 on trunk, r15400 on REL1_7 branch.

Shouldn't affect 1.6, if I understand the issue properly. 
(Though extensions could have similar problems.)
Comment 2 Nick Jenkins 2006-07-07 05:01:02 UTC
Thank you!

Note You need to log in before you can comment on or make changes to this bug.