From aa9c71e9db6748877e6302baae6949af0fea723c Mon Sep 17 00:00:00 2001
From: Martin Urbanec
Date: Tue, 17 Aug 2021 17:04:47 +0200
Subject: [PATCH] SECURITY: Fix XSS vulnerabilities in mentor dashboard

Html::rawElement cannot be used together with the "text" mode of messages API; that results in unsafe HTML.
This fixes XSS exploitable by admins by editing following interface messages:
* growthexperiments-mentor-dashboard-mentee-overview-no-js-fallback
* growthexperiments-mentor-dashboard-mentee-overview-intro
* growthexperiments-mentor-dashboard-resources-intro
Bug: T289063
Change-Id: I2bd8e98e3b31dce0d2b49707e6e38bd342949314
---
 includes/MentorDashboard/Modules/MenteeOverview.php | 4 ++--
 includes/MentorDashboard/Modules/Resources.php | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/includes/MentorDashboard/Modules/MenteeOverview.php b/includes/MentorDashboard/Modules/MenteeOverview.php
index 0f8e14aa..651079b4 100644
--- a/includes/MentorDashboard/Modules/MenteeOverview.php
+++ b/includes/MentorDashboard/Modules/MenteeOverview.php
@@ -16,7 +16,7 @@ class MenteeOverview extends BaseModule {
  * @inheritDoc
  */
 protected function getSubheader() {
- return $this->msg( 'growthexperiments-mentor-dashboard-mentee-overview-intro' )->text();
+ return $this->msg( 'growthexperiments-mentor-dashboard-mentee-overview-intro' )->escaped();
 }
 
 /**
@@ -30,7 +30,7 @@ class MenteeOverview extends BaseModule {
  * @inheritDoc
  */
 protected function getBody() {
- return Html::rawElement(
+ return Html::element(
 'div',
 [
 'class' => 'growthexperiments-mentor-dashboard-module-mentee-overview-content'
diff --git a/includes/MentorDashboard/Modules/Resources.php b/includes/MentorDashboard/Modules/Resources.php
index db3a9e43..0643bebe 100644
--- a/includes/MentorDashboard/Modules/Resources.php
+++ b/includes/MentorDashboard/Modules/Resources.php
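Review bot: `->escaped()` on the `getSubheader()` return line is only the correct fix if `BaseModule` inserts the returned string into the page as raw HTML; should the base class already escape it or wrap it with `Html::element`, the intro text will now render double-escaped (`&amp;lt;` instead of `<`). `BaseModule` is outside this patch, so that contract cannot be confirmed here — the abstract declaration it inherits its docblock from should state it explicitly, e.g. `@return string HTML (already escaped); inserted verbatim by BaseModule`, so the next module author cannot reintroduce `->text()` unnoticed. A regression test that overrides the message with `<script>` and asserts the rendered subheader contains `&lt;script&gt;` would pin the fix. If the intro message is meant to carry wikilinks or formatting, `->parse()` (which runs through the sanitizer) rather than `->escaped()` is the alternative; `->text()` is wrong either way.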
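Review bot: The switch to `Html::element` in `getBody()` makes the third (content) argument escaped, but that argument lies outside the hunk, so this is safe only if it is the plain `->text()` of the no-js-fallback message the commit message names and not already-built HTML; the rest of `getBody()` continues past the hunk and should be checked for that. If the fallback text is ever expected to contain markup (a link, for instance), the right pairing is `Html::rawElement` with `->parse()`, never with `->text()`, since `->parse()` is the variant that passes message output through the sanitizer. A short comment above the call would keep the invariant visible: `// Html::element escapes its content; the fallback message must stay plain text, never pre-rendered HTML.`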
@@ -51,7 +51,7 @@ class Resources extends BaseModule {
  * @inheritDoc
  */
 protected function getSubheader() {
- return $this->msg( 'growthexperiments-mentor-dashboard-resources-intro' )->text();
+ return $this->msg( 'growthexperiments-mentor-dashboard-resources-intro' )->escaped();
 }
 
 /**
-- 
2.20.1
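Review bot: The same `->text()` → `->escaped()` correction had to be applied in two separate subclasses, which is the pattern that let the bug in: every `BaseModule` subclass must independently remember that `getSubheader()` is consumed as HTML, and the next module will forget again. If, as the commit message implies, `BaseModule` inserts this value as raw HTML, consider moving the escaping into the base class — for example have subclasses implement `getSubheaderMessageKey(): string` and let `BaseModule` call `$this->msg( $key )->escaped()` once — so a module cannot opt out of escaping by accident. Until that refactor lands, a one-line comment on the return, `// consumed as raw HTML by BaseModule; must stay escaped`, keeps the requirement visible at the point where it was previously violated. The enclosing `Resources` class continues outside the hunk.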