From 5a8be1a8f9886a7cc7211b1abb2d374668b5a867 Mon Sep 17 00:00:00 2001
From: "Mr. Stradivarius" <misterstrad@gmail.com>
Date: Sat, 8 Jan 2022 07:36:42 +0900
Subject: [PATCH] Fix XSS vulnerability in config URL

Escape the configFullPath variable so that a second title parameter
cannot be injected into the config URL before it is passed to
jQuery.getScript.
---
 MediaWiki:Gadget-formWizard-core.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/MediaWiki:Gadget-formWizard-core.js b/MediaWiki:Gadget-formWizard-core.js
index 478e858..6164fb4 100644
--- a/MediaWiki:Gadget-formWizard-core.js
+++ b/MediaWiki:Gadget-formWizard-core.js
@@ -972,7 +972,7 @@ $(function() {
 				$('#formsDialogExpand .loading').show();
 				
 				var configFullPath = utility.configPath+'/'+formsGadgetNamespace+'/'+formsGadgetType;
-				var configUrl = '//en.wikipedia.org/w/index.php?title='+configFullPath+'&action=raw&ctype=text/javascript';
+				var configUrl = '//en.wikipedia.org/w/index.php?title='+encodeURIComponent(configFullPath)+'&action=raw&ctype=text/javascript';
 				//Get the config for the language above
 				$.when(jQuery.getScript(configUrl)).then(function(){
 					var config = utility.stripWhiteSpace(formsGadgetConfig[formsGadgetMode]);
-- 
2.25.1