From 6bb390528d1aed4869d2ba90ae3fe24e22acce1c Mon Sep 17 00:00:00 2001 From: Kunal Mehta Date: Fri, 20 Aug 2021 15:42:38 -0700 Subject: [PATCH] SECURITY: Fix XSS via User-agent or XFF header on voter list The return type of ListPager::formatValue() is expected to be escaped HTML, but these values were not being escaped. Bug: T289385 Change-Id: I8dd600cdc7e4b57492d50a5b4c4f0ad5e1c2a8ef --- includes/Pages/ListPager.php | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/includes/Pages/ListPager.php b/includes/Pages/ListPager.php index f85b44f..e26fc9c 100644 --- a/includes/Pages/ListPager.php +++ b/includes/Pages/ListPager.php @@ -84,9 +84,9 @@ class ListPager extends TablePager { switch ( $name ) { case 'vote_timestamp': if ( $this->isAdmin ) { - return $this->getLanguage()->timeanddate( $value ); + return htmlspecialchars( $this->getLanguage()->timeanddate( $value ) ); } else { - return $this->getLanguage()->date( $value ); + return htmlspecialchars( $this->getLanguage()->date( $value ) ); } case 'vote_ip': if ( $this->election->endDate < wfTimestamp( @@ -106,7 +106,7 @@ class ListPager extends TablePager { ) { return ''; } else { - return $value; + return htmlspecialchars( $value ); } case 'vote_xff': if ( $this->election->endDate < wfTimestamp( @@ -116,20 +116,20 @@ class ListPager extends TablePager { ) { return ''; } else { - return $value; + return htmlspecialchars( $value ); } case 'vote_cookie_dup': $value = !$value; if ( $value ) { return ''; } else { - return $this->msg( 'securepoll-vote-duplicate' )->text(); + return $this->msg( 'securepoll-vote-duplicate' )->escaped(); } case 'vote_token_match': if ( $value ) { return ''; } else { - return $this->msg( 'securepoll-vote-csrf' )->text(); + return $this->msg( 'securepoll-vote-csrf' )->escaped(); } case 'details': $voteId = intval( $this->mCurrentRow->vote_id ); -- 2.31.1