Thijs/wiki.techinc.nl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

SECURITY: Sanitize data- attributes

Browse source 
CVE-2025-61638

Previously, if you managed to get data- attributes with e.g spaces or
slashes in the name into validateAttributes(), then the rest of the
attribute name would not be validated and get concatenated into HTML
that would eventually be parsed as separate attributes (or even tag
contents and new markup, if you had a > in the name). I don’t think this
was possible via regular <p> parsing, as decodeTagAttributes() would
decode the attributes differently in that case, but it was possible via
various wikitext constructs, including {{#tag:}}.

Tighten the regex to throw out such invalid attributes, and add a few
tests in this direction. More refactoring, and especially more tests,
can happen later, once this chaneg is public and we can benefit from CI.

Bug: T401099
Change-Id: Id095a3278083dbedba083d5aa3c1cbaa379a682f
Co-Authored-By: Lucas Werkmeister <lucas.werkmeister@wikimedia.de>
This commit is contained in:
C. Scott Ananian 2025-08-04 16:43:00 +02:00 committed by Reedy
parent 37cc73d931
commit 5f21cc528e
2 changed files with 25 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
includes/parser/Sanitizer.php
View file

@ -512,8 +512,11 @@ class Sanitizer {
# * Disallow data attributes used by MediaWiki code
# * Ensure that the attribute is not namespaced by banning
# colons.
# * Ensure attribute name will be accepted by the HTML
# parser; see
# https://github.com/whatwg/dom/issues/849#issuecomment-1007541209
if ( (
!preg_match( '/^data-[^:]*$/i', $attribute ) &&
!preg_match( '|^data-[^:= \t\r\n/>\0]*$|i', $attribute ) &&
!array_key_exists( $attribute, $allowed )
) || self::isReservedDataAttribute( $attribute ) ) {
continue;

21
tests/phpunit/includes/parser/SanitizerTest.php
View file

@ -170,6 +170,27 @@ class SanitizerTest extends MediaWikiIntegrationTestCase {
[ 'role' => 'menuitem', 'aria-hidden' => 'false' ],
[ 'role' => 'menuitem', 'aria-hidden' => 'false' ],
],
[ 'div',
[
'data-wikitext' => 'wikitext',
'DATA-WIKITEXT-2' => 'WIKITEXT-2',
'data-wikitext-ij' => 'wikitext-IJ',
'data-mw' => 'disallow impersonating parsoid',
'DATA-mw' => 'disallow impersonating PARSOID',
'data-mw-extension' => 'disallow impersonating extension',
'data-:namespaced' => 'disallow namespace',
'data- invalid' => 'disallow XSS',
'data-/invalid' => 'disallow XSS',
'data->invalid' => 'disallow XSS',
'data-=invalid' => 'disallow XSS',
],
[
'data-wikitext' => 'wikitext',
'DATA-WIKITEXT-2' => 'WIKITEXT-2',
'data-wikitext-ij' => 'wikitext-IJ',
# other attributes removed
]
],
];
}