wiki.techinc.nl/includes
C. Scott Ananian 5f21cc528e SECURITY: Sanitize data- attributes
CVE-2025-61638

Previously, if you managed to get data- attributes with e.g. spaces or
slashes in the name into validateAttributes(), then the rest of the
attribute name would not be validated and get concatenated into HTML
that would eventually be parsed as separate attributes (or even tag
contents and new markup, if you had a > in the name). I don’t think this
was possible via regular <p> parsing, as decodeTagAttributes() would
decode the attributes differently in that case, but it was possible via
various wikitext constructs, including {{#tag:}}.

Tighten the regex to throw out such invalid attributes, and add a few
tests in this direction. More refactoring, and especially more tests,
can happen later, once this change is public and we can benefit from CI.

Bug: T401099
Change-Id: Id095a3278083dbedba083d5aa3c1cbaa379a682f
Co-Authored-By: Lucas Werkmeister <lucas.werkmeister@wikimedia.de>
2025-10-02 19:21:42 +00:00
actions Apply proper restrictions on file revert action 2025-03-24 12:55:44 +00:00
api Localisation updates from https://translatewiki.net. 2025-09-30 07:35:33 +02:00
auth SECURITY: Allow extensions to supress the reauth flag on login 2025-06-30 19:58:42 +01:00
block block: Fix DBS::acquireTarget() race using GET_LOCK() 2025-04-07 11:43:34 +00:00
cache Cache: Move MessageCache hook interfaces into correct folder 2025-07-02 00:34:15 +01:00
Category Remove meaningless @var documentation from constants 2024-10-09 09:33:12 +02:00
changetags ChangeTags: Optimize label and description parsing 2025-04-03 18:24:46 +01:00
collation Use namespaced classes 2024-10-21 20:41:20 +02:00
CommentFormatter Don't use RequestContext in CommentParserFactory construction 2025-08-19 13:01:22 +00:00
CommentStore Use explicit nullable type on parameter arguments 2024-10-16 20:58:33 +02:00
composer In .htaccess deny files, use "Satisfy All" 2025-04-04 13:17:15 +00:00
config
content Make Content JsonCodecable 2025-09-05 16:12:09 -04:00
context Use explicit nullable type on parameter arguments 2024-10-16 20:58:33 +02:00
dao
db Merge "CloneDatabase: Remove debug logging" 2024-10-17 23:38:11 +00:00
debug logger: Make log() methods return void 2025-06-18 02:21:42 +00:00
deferred Fix GREATEST usage in site_stats 2025-03-20 15:48:17 +00:00
diff diff: Avoid Phan warning with some Wikidiff2 versions 2025-07-25 17:18:53 +00:00
edit Use JsonCodec to serialize SelserContext 2025-09-10 14:08:31 -04:00
editpage PermissionManager: Differentiate between cascading protection of file content and file pages 2025-03-24 13:31:34 +00:00
exception exception: Skip use of HookRunner when not autoloaded 2025-06-28 20:17:53 +00:00
export Use namespaced classes 2024-10-21 20:41:20 +02:00
ExternalLinks ExternalLinks: fix mailto: links reversal 2025-02-28 16:33:54 +00:00
externalstore Use namespaced classes 2024-10-21 20:41:20 +02:00
Feed SECURITY: Escape newpage message in FeedUtils 2025-04-17 19:13:20 +00:00
filebackend filebackend: Check for old alias in FileBackendMultiWrite 2024-10-22 01:32:54 +02:00
filerepo filerepo: Improve identification of ForeignAPIRepo requests 2025-08-18 21:02:23 +00:00
gallery Use namespaced classes 2024-10-21 20:41:20 +02:00
historyblob
Hook
HookContainer WhatLinksHere: Allow extensible filters 2024-10-21 14:27:53 +05:30
Html Use Remex/HtmlHelper to implement Parser::replaceTableOfContents 2025-09-29 22:01:08 +00:00
htmlform SECURITY: Escape rawElement $content 2025-10-02 19:18:18 +00:00
http Use explicit nullable type on parameter arguments 2024-10-16 20:58:33 +02:00
import Drop PHP 7.4/8.0 support from master (forward-port from MW 1.42) 2025-06-18 10:53:22 +01:00
installer COPYING: Do not reference old FSF postal address 2025-10-02 09:32:10 +00:00
interwiki Use explicit nullable type on parameter arguments 2024-10-16 20:58:33 +02:00
jobqueue RefreshLinksJob: Check hastext before comparing HTML 2025-06-25 08:21:23 +00:00
json Use JsonCodec to serialize SelserContext 2025-09-10 14:08:31 -04:00
language Cache: Move MessageCache hook interfaces into correct folder 2025-07-02 00:34:15 +01:00
languages Add Central Kanuri (knc), deprecate Kanuri (kr) 2024-10-20 19:18:46 +00:00
libs Localisation updates from https://translatewiki.net. 2025-09-30 07:35:33 +02:00
linkeddata
linker Use explicit nullable type on parameter arguments 2024-10-16 20:58:33 +02:00
logging SECURITY: Fix log entry search revealing suppressed data to users with 'deletedhistory' rights 2025-04-10 15:56:06 +01:00
mail Use explicit nullable type on parameter arguments 2024-10-16 20:58:33 +02:00
media Metadata: ignore LocationCreated, similar to LocationShown 2025-09-29 16:47:32 +00:00
Message SECURITY: Ensure emitted HTML is safe against Unicode NFC normalization 2025-04-10 15:56:06 +01:00
Navigation
objectcache objectcache: Cast explicitly to integer 2025-05-12 11:24:42 +00:00
Output Skin: [BREAKING CHANGE] Remove support for rendering outside body element 2024-10-30 15:18:51 +00:00
OutputTransform Re-apply "Use Remex for DeduplicateStyles transform" 2025-09-29 22:01:15 +00:00
page ImagePage: Remove PNG previews line for native SVG rendering 2025-07-31 21:51:22 +00:00
pager ContributionsPager: Fix getTemplateParams() parameter 2024-10-25 13:52:47 +00:00
ParamValidator/TypeDef
parser SECURITY: Sanitize data- attributes 2025-10-02 19:21:42 +00:00
password Use explicit nullable type on parameter arguments 2024-10-16 20:58:33 +02:00
Permissions PermissionManager: Fix missingPermissionError() not returning early when $short is true. 2025-07-18 20:07:08 +00:00
poolcounter objectcache: Move RedisConnRef.php to /libs/objectcache/ 2024-11-07 08:40:54 +00:00
preferences Add explanation text for "Allow emails from brand-new users" 2025-02-21 22:34:44 +00:00
profiler Use explicit nullable type on parameter arguments 2024-10-16 20:58:33 +02:00
recentchanges objectcache: Move RedisConnRef.php to /libs/objectcache/ 2024-11-07 08:40:54 +00:00
registration Remove meaningless @var documentation from constants 2024-10-09 09:33:12 +02:00
RenameUser
Request Request: Improve log message when headers already sent 2025-03-10 15:12:31 +00:00
ResourceLoader Drop a few phan PhanImpossibleTypeComparison suppressions now we've dropped PHP 7.4 2025-06-18 10:54:01 +01:00
Rest SECURITY: REST: Set cache-control value of max-age=60 for redirects 2025-10-02 11:12:19 +01:00
Revision Use explicit nullable type on parameter arguments 2024-10-16 20:58:33 +02:00
revisiondelete RevDelList: Ensure setVisibility always includes itemStatuses in value if applicable 2025-03-08 01:53:49 +00:00
revisionlist
search rdbms: fix table prefixing in "FOR UPDATE" clause generation in Postgres 2025-06-24 22:33:30 +01:00
session session: Do not set session.use_trans_sid 2025-01-06 22:12:05 +00:00
Settings Use explicit nullable type on parameter arguments 2024-10-16 20:58:33 +02:00
shell FileRepo: Add support for the new Shellbox large file feature 2024-10-29 02:50:07 +00:00
site
SiteStats
skins Merge "Hard deprecate soft deprecated skin methods" into REL1_43 2024-11-13 00:27:38 +00:00
sparql
specialpage DeletedContribsPager: Use the UserIdentity object instead of the raw target string 2025-09-14 09:47:56 +08:00
specials DeletedContribsPager: Use the UserIdentity object instead of the raw target string 2025-09-14 09:47:56 +08:00
Status Make Message and MessageValue compatible 2024-10-19 15:00:07 +02:00
Storage Merge "Use explicit nullable type on parameter arguments" 2024-10-16 23:10:14 +00:00
StubObject
templates img_auth: Output lang and dir in HTTP and HTML on error message 2024-10-29 15:18:52 +00:00
tidy SECURITY: Ensure emitted HTML is safe against Unicode NFC normalization 2025-04-10 15:56:06 +01:00
title title: Reset cached Title objects between tests 2025-05-27 12:35:10 +00:00
upload UploadBase: makeWarningsSerializable() should accept MessageParam objects 2025-04-12 22:40:51 +00:00
user SECURITY: fix IP leak to unverified email 2025-06-30 19:58:26 +01:00
utils structure tests: allow PHP 8.1 syntax and autoload enums 2025-06-18 10:55:15 +01:00
watchlist Merge "Use explicit nullable type on parameter arguments" 2024-10-16 23:10:14 +00:00
widget widget: Remove outdated try/catch wrapper from SpinnerWidget 2025-06-14 10:42:05 +00:00
WikiMap Merge "Fix typos in WikiMap doc comments" 2024-10-10 18:30:09 +00:00
xml Use explicit nullable type on parameter arguments 2024-10-16 20:58:33 +02:00
.htaccess In .htaccess deny files, use "Satisfy All" 2025-04-04 13:17:15 +00:00
AutoLoader.php autoload: Expand Autoloader::CORE_NAMESPACES 2025-07-07 16:53:04 +00:00
BootstrapHelperFunctions.php
config-schema.php config: Change Reauthenticate Time Default 2025-08-20 21:56:57 +00:00
DefaultSettings.php
Defines.php Prepare 1.43.3 2025-07-01 14:47:09 +01:00
DevelopmentSettings.php Tests: Split log files by parallel grouping 2024-10-10 12:47:00 +00:00
EntryPointEnvironment.php
GlobalFunctions.php Deprecate wfArrayDiff2() 2024-11-04 19:34:41 +00:00
MainConfigNames.php [REST Sandbox] Remove SwaggerUI from MediaWiki Releases 2025-06-30 16:05:49 +01:00
MainConfigSchema.php config: Change Reauthenticate Time Default 2025-08-20 21:56:57 +00:00
MediaWiki.php
MediaWikiEntryPoint.php
MediaWikiServices.php Make Content JsonCodecable 2025-09-05 16:12:09 -04:00
PHPVersionCheck.php structure tests: allow PHP 8.1 syntax and autoload enums 2025-06-18 10:55:15 +01:00
ServiceWiring.php Use JsonCodec to serialize SelserContext 2025-09-10 14:08:31 -04:00
Setup.php Setup: Update error message for composer dependencies check 2025-06-13 20:54:40 +00:00
SetupDynamicConfig.php Switch over a bunch of class_alias uses to actuals 2024-10-03 17:09:36 +00:00
WebStart.php