From 6ad67513d36a7df995db1ed076a274caf41f47f4 Mon Sep 17 00:00:00 2001
From: Brian Wolff <bawolff+wn@gmail.com>
Date: Thu, 28 Apr 2022 05:01:18 -0700
Subject: [PATCH] Prevent XSS from "stripItem" replacement strings in attribute

Previously when $wgRSSAllowLinkTag was true, you could put an
<a> tag containing unescaped ", inside another attribute to escape
from the attribute and create an XSS.

This makes the marker include " and ', so if the marker is put anywhere
that quotes aren't allowed, it will get mangled and not be
replaced.

Bug: T307028
---
 includes/RSSParser.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/includes/RSSParser.php b/includes/RSSParser.php
index 560c6a1..e3e2514 100644
--- a/includes/RSSParser.php
+++ b/includes/RSSParser.php
@@ -58,7 +58,8 @@ class RSSParser {
 
 		$this->url = $url;
 
-		$this->markerString = wfRandomString( 32 );
+		// Quote marks to prevent XSS (T307028)
+		$this->markerString = "'\"" . wfRandomString( 32 );
 		$this->stripItems = [];
 		$this->cache = MediaWikiServices::getInstance()->getMainWANObjectCache();
 
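Review bot: The new comment on the `markerString` assignment does not say why quote marks stop the XSS, and the protection is indirect. It appears to hold only if the code that escapes attribute values between stripping and restoring items encodes both `"` and `'`, and that code is not visible in this hunk. I would state the invariant so the marker is not later simplified back to a plain random string, e.g. `// Marker starts with ' and " so attribute escaping mangles it and a stripped <a> is never restored inside an attribute value (T307028)`. A regression test with a feed item that places an `<a>` tag inside another attribute would pin this behaviour. The constructor body starts and ends outside the hunk.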
-- 
2.30.2

