From 9f9b8adf605a323181d52ae723fe47e5acfabea0 Mon Sep 17 00:00:00 2001
From: dylsss
Date: Sat, 15 Jan 2022 19:12:27 +0000
Subject: [PATCH] SECURITY: Escape various messages in WikibaseMediaInfo

Escaped various messages using mw.message.escaped() or Html::element instead of Html::rawElement to prevent XSS.

Bug: T299289
Change-Id: If031d8715b946062c2ac840a457af379401adc87
---
 resources/filepage/CaptionDataEditor.js | 8 ++++----
 resources/filepage/CaptionsPanel.js | 2 +-
 resources/statements/inputs/TimeInputWidget.js | 6 +++---
 src/WikibaseMediaInfoHooks.php | 4 ++--
 4 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/resources/filepage/CaptionDataEditor.js b/resources/filepage/CaptionDataEditor.js
index 6742ed71..95c2855e 100644
--- a/resources/filepage/CaptionDataEditor.js
+++ b/resources/filepage/CaptionDataEditor.js
@@ -76,15 +76,15 @@ CaptionDataEditor = function ( guid, captionData, config ) {
 self.setInputWarning( '' );
 if ( self.minCaptionLength !== undefined && self.minCaptionLength - length > 0 ) {
- self.setInputError( mw.msg(
+ self.setInputError( mw.message(
 'wikibasemediainfo-filepage-caption-too-short',
 self.minCaptionLength - length
- ) );
+ ).escaped() );
 } else if ( self.maxCaptionLength !== undefined && length - self.maxCaptionLength > 0 ) {
- self.setInputError( mw.msg(
+ self.setInputError( mw.message(
 'wikibasemediainfo-filepage-caption-too-long',
 length - self.maxCaptionLength
- ) );
+ ).escaped() );
 }
 } )
 .always( function () {
diff --git a/resources/filepage/CaptionsPanel.js b/resources/filepage/CaptionsPanel.js
index 5caaa08f..2aa9b58f 100644
--- a/resources/filepage/CaptionsPanel.js
+++ b/resources/filepage/CaptionsPanel.js
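Review bot: The new `.escaped()` calls on both setInputError() lines are only right if setInputError() inserts its argument as HTML; if it binds the string through `.text()` or a text-only error setter, the entities produced by escaping will now appear literally in the UI, so the rendering path should be confirmed and recorded next to the first call, e.g. `// setInputError() renders HTML, so the message must be pre-escaped`. Note that `.escaped()` HTML-escapes the substituted message text without wikitext parsing, which is the appropriate choice for these plain messages with numeric parameters. The enclosing CaptionDataEditor function starts and ends outside the hunk.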
@@ -343,7 +343,7 @@ CaptionsPanel.prototype.getTemplateDataReadOnly = function () {
 language = captionData.languageText;
 caption = captionData.text ?
 mw.html.escape( captionData.text ) :
- mw.msg( 'wikibasemediainfo-filepage-caption-empty' );
+ mw.message( 'wikibasemediainfo-filepage-caption-empty' ).escaped();
 templateCaptions.push( {
 show: self.state.displayAllLanguages ? true : showCaptionFlags[ langCode ],
diff --git a/resources/statements/inputs/TimeInputWidget.js b/resources/statements/inputs/TimeInputWidget.js
index bf55c3bb..e003b883 100644
--- a/resources/statements/inputs/TimeInputWidget.js
+++ b/resources/statements/inputs/TimeInputWidget.js
@@ -111,8 +111,8 @@ TimeInputWidget.prototype.getTemplateData = function () {
 isQualifier: this.state.isQualifier,
 isActive: this.state.isActive,
 formatted: this.state.value === '' ?
- mw.msg( 'wikibasemediainfo-time-timestamp-empty' ) :
- mw.msg( 'wikibasemediainfo-time-timestamp-invalid' ),
+ mw.message( 'wikibasemediainfo-time-timestamp-empty' ).escaped() :
+ mw.message( 'wikibasemediainfo-time-timestamp-invalid' ).escaped(),
 input: this.input,
 precisionLabel: mw.msg( 'wikibasemediainfo-time-precision-label' ),
 calendarLabel: mw.msg( 'wikibasemediainfo-time-calendar-label' ),
@@ -129,7 +129,7 @@ TimeInputWidget.prototype.getTemplateData = function () {
 var $formatted = $( '' ).addClass( 'wbmi-input-widget--formatted' ).text( formatted );
 return $.extend( {}, data, {
- formatted: mw.msg( 'wikibasemediainfo-time-timestamp-formatted', $formatted.get( 0 ).outerHTML )
+ formatted: mw.message( 'wikibasemediainfo-time-timestamp-formatted', $formatted.get( 0 ).outerHTML ).escaped()
 } );
 } );
 };
diff --git a/src/WikibaseMediaInfoHooks.php b/src/WikibaseMediaInfoHooks.php
index e7932ac5..400fa009 100644
--- a/src/WikibaseMediaInfoHooks.php
+++ b/src/WikibaseMediaInfoHooks.php
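Review bot: Both branches of the ternary now yield HTML-escaped strings, but nothing in the hunk records that `caption` holds markup rather than text from here on, which is the property the `.escaped()` branch exists to preserve; a comment above the assignment, `// caption is HTML-safe markup in both branches; the template must not escape it again`, would keep the two branches from drifting apart. The value is pushed into templateCaptions on the following lines, and getTemplateDataReadOnly continues outside the hunk, so the template binding cannot be confirmed here.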
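Review bot: `precisionLabel` and `calendarLabel`, two lines below the changed ternary, still use `mw.msg()` while `formatted` in the same object literal now uses `mw.message().escaped()`; if the template emits these fields the same way, the labels need the same treatment, and if they are bound as text, a comment marking which fields are HTML and which are text (e.g. `// formatted is rendered as HTML; the *Label fields are bound as text`) would prevent the next edit from escaping the wrong one. getTemplateData continues outside the hunk, so the template binding cannot be confirmed from these lines.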
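Review bot: Applying `.escaped()` to a message whose parameter is `$formatted.get( 0 ).outerHTML` escapes that markup as well, since mw.Message's escaped() HTML-escapes the fully substituted text, so the wrapper element built on the first line of the hunk will appear as literal tag text wherever `formatted` is rendered as HTML, which the original outerHTML usage implies. If the intent is to keep the wrapper element while staying safe, pass the jQuery object itself as the parameter and parse, `formatted: mw.message( 'wikibasemediainfo-time-timestamp-formatted', $formatted ).parse()`, which relies on the mediawiki.jqueryMsg module being a dependency because jqueryMsg inserts jQuery/DOM parameters as nodes rather than as text. The user-controlled value is already placed through `.text()`, so it is safe on either path; only the message wrapper and the element markup differ. The surrounding promise callback and getTemplateData continue outside the hunk.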
@@ -402,7 +402,7 @@ class WikibaseMediaInfoHooks {
 }
 // Add a title to statements for no-js
- $statements = \Html::rawElement(
+ $statements = \Html::element(
 'h2',
 [ 'class' => 'wbmi-structured-data-header' ],
 $textProvider->get( 'wikibasemediainfo-filepage-structured-data-heading' )
@@ -427,7 +427,7 @@ class WikibaseMediaInfoHooks {
 $extractedHtml['unstructured']
 );
 // Add a title for no-js
- $tab1Html = \Html::rawElement(
+ $tab1Html = \Html::element(
 'h2',
 [ 'class' => 'wbmi-captions-header' ],
 $textProvider->get( 'wikibasemediainfo-filepage-captions-title' )
-- 
2.33.0.windows.2
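Review bot: `\Html::element()` now escapes whatever `$textProvider->get()` returns for the `$statements` heading, which is correct only while that method returns plain message text rather than pre-rendered HTML; its return type is not visible in the hunk, so once confirmed a short comment above the call, `// Html::element() escapes the heading; the text provider must return plain text, not HTML`, would document the contract this fix depends on. The same point applies to the `$tab1Html` heading in the next hunk. The enclosing method starts and ends outside both hunks.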