Jump to content

User talk:Secundinogarcia

Add topic
From mediawiki.org
Latest comment: 14 years ago by Secundinogarcia in topic your extension

your extension

[edit]

Hi. Just a heads up your extension (Extension:Document UNCified) has a security vulnrability in it (specificly XSS). For example try:

<document_unc>' onmouseover='alert("This could alternatively load an arbitrary script, vandalize pages/pretty much do anything")' '</script></document_unc>

Then when you mouseover the link arbitrary js is executed. This is bad (but probably not too hard to fix). Cheers. Bawolff 22:19, 23 October 2010 (UTC)Reply


Using Regular Expressions in the function that returns the URI to use, I delete all HTML events inserted for the user on the tag. The example that you give me was very useful, thanx. --Secundinogarcia 23:57, 26 October 2010 (UTC)Reply

That does fix the problem, but your extension still doesn't handle single quotes properly (For example in certain cases like <document_unc>'</document_unc> it will output invalid html). A good fix for that might be to use ENT_QUOTES instead of ENT_COMPAT as the second argument to htmlentities function (This causes single quotes to be escaped in addition to double quotes). Alternatively when creating your html strings, you can quote the attributes with double quotes which will avoid the issue (Aka $myHtml = '<a href="' . $url . '">' instead of $myHtml = "<a href='" . $url . "'>" will avoid the problem even when using htmlentities in ENT_COMPAT mode. A third approach you can try is using mediawiki's builtin html/Xml creating classes - http://svn.wikimedia.org/doc/classXml.html but they take a while to get used to). If you're not familiar with these types of security issues, you might want to read through Security for developers, which explains the various issues and how to avoid pitfalls. Cheers. Bawolff 01:20, 27 October 2010 (UTC)Reply

ok!

  1. Change on htmlentities -> Done!
  2. Change of quote with double quotes -> Done!
  3. Approach of mediawiki's builtin html/Xml creating classes -> on process...

Thanks again!.
--Secundinogarcia 14:08, 27 October 2010 (UTC)Reply