Extension talk:Progressbar
XSS Vuln
Added a fix to escape $text. Can somebody please review it? ~Rohit
I found another place in your code that could be used for XSS. It came to me by way of the extension I wrote based on your code. You need to escape the "background color" parameter. - Vadtec 14:00, 13 June 2010 (CST)
Fixed. Thanks! ~Rohit
Value to current
How can I assign the value of NUMBEROFARTICLES to the current value? Any help will be appreciated! Thanks for the great extension! --Swessels 14:30, 14 June 2010 (UTC)
I am not sure I understand what you want. ~ Rohit
Apache warning
Hi, I submitted bug 30917 to bugzilla with a patch suggestion for an Apache warning I received. Regards, Bill.
XSS
I don't see how anyone could consider XSS fixed in this extension. There are still parameters being outputted directly into raw HTML. This extension isn't fixed until either every single spot where a variable is concatenated with HTML is escaped directly in place by an htmlspecialchars, or it makes use of our much more elegant Html building class.
Also, there is a new type of vulnerability I just thought up that this is vulnerable to: a CSS injection vulnerability. Even if this is all HTML escaped, because it builds a style tag in raw HTML this can be used to bypass our style="" tag filters and insert a background-image that we would normally reject. The most dangerous type of that is of course IE's htc files. Dantman 22:51, 15 September 2011 (UTC)
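The two fixes the post above calls for, shown as an added example that is not the Progressbar extension's own code: the function names progressbarUnsafe, validateCssColor and progressbarSafe and the parameter names $text and $bgColor are assumptions, and MediaWiki's Html::element would be the equivalent of the hand-written escaping in progressbarSafe.

```php
<?php
// Added example, not code from the Progressbar extension. $text and $bgColor
// stand for the two untrusted parser-function arguments discussed on this page.

// BEFORE: the pattern the post objects to. Both arguments are concatenated
// straight into HTML, and $bgColor lands inside a raw <style> tag, so even a
// value with no '<' or '"' in it can add arbitrary CSS declarations.
function progressbarUnsafe(string $text, string $bgColor): string {
    return '<style>.pb { background: ' . $bgColor . '; }</style>'
         . '<div class="pb">' . $text . '</div>';
}

// Escaping does not help inside CSS, so the colour is validated against a
// strict allow-list instead: a 3- or 6-digit hex colour, or a bare colour
// keyword. Anything else (url(...), extra declarations, whitespace tricks)
// is rejected and the caller falls back to a default.
function validateCssColor(string $value): ?string {
    $value = trim($value);
    if (preg_match('/^#[0-9a-fA-F]{3}([0-9a-fA-F]{3})?$/', $value)) {
        return $value;
    }
    // Keyword form (red, silver, ...). A production check would compare
    // against the actual CSS colour-name list rather than a letter pattern.
    if (preg_match('/^[a-zA-Z]{1,20}$/', $value)) {
        return strtolower($value);
    }
    return null;
}

// AFTER: every variable is escaped in place with htmlspecialchars, the colour
// is validated first, and it is emitted as an inline style attribute (which
// the normal style="" filtering covers) rather than as a raw <style> block.
function progressbarSafe(string $text, string $bgColor): string {
    $color = validateCssColor($bgColor) ?? 'gray';
    return '<div class="pb" style="background: '
         . htmlspecialchars($color, ENT_QUOTES) . ';">'
         . htmlspecialchars($text, ENT_QUOTES)
         . '</div>';
}
```

With the Html class the last function reduces to Html::element('div', ['class' => 'pb', 'style' => "background: $color;"], $text), which escapes attribute values and contents for you; the colour still has to be validated before it goes in.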