SECURITY: escape section labels in HTMLMultiSelectField

CVE-2025-3469

Only use HtmlSnippet when the labels are not coming from a message, to
avoid XSS-via-i18n vulnerabilities.

Bug: T358689
Change-Id: If91500bc76b3ed8cdc58da4f9de326df6d201398
Daimona Eaytoy 2025-02-13 16:07:49 +01:00 committed by Reedy
parent 94f193a894
commit 449e0ed49d


@ -230,10 +230,13 @@ class HTMLMultiSelectField extends HTMLFormField implements HTMLNestedFilterable
$widget = new \OOUI\CheckboxMultiselectInputWidget( $attr );
if ( $sectionLabel ) {
if ( $this->mOptionsLabelsNotFromMessage ) {
// @phan-suppress-next-line SecurityCheck-XSS Can't track conditional escaping via a property
$sectionLabel = new \OOUI\HtmlSnippet( $sectionLabel );
}
$out[] = new \OOUI\FieldsetLayout( [
'items' => [ $widget ],
// @phan-suppress-next-line SecurityCheck-XSS Key is html, taint cannot track that
'label' => new \OOUI\HtmlSnippet( $sectionLabel ),
'label' => $sectionLabel,
] );
} else {
$out[] = $widget;
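Review bot: The escaping decision now hinges entirely on the `mOptionsLabelsNotFromMessage` property, so a regression test covering both branches would be worth adding alongside this hunk: one form descriptor whose section label comes from a message containing markup such as `<script>` (expected to render escaped, since `'label' => $sectionLabel` is passed as a plain string and OOUI escapes it), and one with `options-labels-not-from-message` set (expected to render the raw HTML via `HtmlSnippet`). The phan suppression on the `HtmlSnippet` construction is reasonable given the comment, but the suppression that previously sat on the `'label'` key is correctly dropped, since that line no longer wraps unconditionally; please double-check that no other caller in this class still builds a `FieldsetLayout` label with an unconditional `HtmlSnippet`.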