From 31ded9e6306823fa90151bffb00226aae84ff5df Mon Sep 17 00:00:00 2001 From: Martin Urbanec Date: Sat, 21 Aug 2021 21:34:16 +0200 Subject: [PATCH] SECURITY: Fix a bunch of XSS holes in Mentor dashboard Pattern: $('').append() Solution: use .text() instead of .append(), which makes jQuery to escape the string. Alternative solution would be to use mw.message(...).escaped() or mw.message(...).parse() instead. Change-Id: I858d55fb2eca9b50ac6ef5a6f2a7b2784f0fa0d6 --- ...entorDashboard.MenteeOverview.FilterDropdown.js | 4 ++-- ...thExperiments.MentorDashboard.MenteeOverview.js | 14 +++++++------- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/modules/mentordashboard/ext.growthExperiments.MentorDashboard.MenteeOverview.FilterDropdown.js b/modules/mentordashboard/ext.growthExperiments.MentorDashboard.MenteeOverview.FilterDropdown.js index ace41f15..6265c30c 100644 --- a/modules/mentordashboard/ext.growthExperiments.MentorDashboard.MenteeOverview.FilterDropdown.js +++ b/modules/mentordashboard/ext.growthExperiments.MentorDashboard.MenteeOverview.FilterDropdown.js @@ -32,7 +32,7 @@ this.$filterDropdown = $( '
' ) .addClass( 'growthexperiments-mentor-dashboard-module-mentee-overview-filter-dropdown' ) .append( - $( '

' ).append( + $( '

' ).text( mw.msg( 'growthexperiments-mentor-dashboard-mentee-overview-add-filter-total-edits-headline' ) ), $( '
' ) @@ -48,7 +48,7 @@ } ).$element ), $( '
' ), - $( '

' ).append( + $( '

' ).text( mw.msg( 'growthexperiments-mentor-dashboard-mentee-overview-add-filter-starred-headline' ) ), new OO.ui.FieldLayout( this.filterDropdownOnlyStarred, { diff --git a/modules/mentordashboard/ext.growthExperiments.MentorDashboard.MenteeOverview.js b/modules/mentordashboard/ext.growthExperiments.MentorDashboard.MenteeOverview.js index bf5af638..e4b98f2e 100644 --- a/modules/mentordashboard/ext.growthExperiments.MentorDashboard.MenteeOverview.js +++ b/modules/mentordashboard/ext.growthExperiments.MentorDashboard.MenteeOverview.js @@ -53,10 +53,10 @@ width: null, // HACK: setting label should not be necessary in theory, but the label doesn't appear without it label: mw.msg( 'growthexperiments-mentor-dashboard-mentee-overview-info-headline' ), - $label: $( '

' ).append( mw.msg( 'growthexperiments-mentor-dashboard-mentee-overview-info-headline' ) ), + $label: $( '

' ).text( mw.msg( 'growthexperiments-mentor-dashboard-mentee-overview-info-headline' ) ), $content: $( '
' ).addClass( 'growthexperiments-mentor-dashboard-module-mentee-overview-info-content' ).append( - $( '

' ).append( mw.msg( 'growthexperiments-mentor-dashboard-mentee-overview-info-text' ) ), - $( '

' ).append( mw.msg( 'growthexperiments-mentor-dashboard-mentee-overview-info-legend-headline' ) ), + $( '

' ).text( mw.msg( 'growthexperiments-mentor-dashboard-mentee-overview-info-text' ) ), + $( '

' ).text( mw.msg( 'growthexperiments-mentor-dashboard-mentee-overview-info-legend-headline' ) ), $( '
' ).addClass( 'growthexperiments-mentor-dashboard-overview-info-legend-content' ).append( this.makeLegendIcon( 'unStar', @@ -162,7 +162,7 @@ .addClass( 'growthexperiments-mentor-dashboard-overview-info-legend-content-icon' ) .append( new OO.ui.IconWidget( { icon: iconName } ).$element, - $( '

' ).append( description ) + $( '

' ).text( description ) ); }; @@ -174,7 +174,7 @@ return $( '' ) .attr( 'data-field', fieldName ) .addClass( 'growthexperiments-mentor-dashboard-module-mentee-overview-table-value' ) - .append( value ); + .text( value ); }; MenteeOverview.prototype.sortTable = function ( field, dir ) { @@ -276,11 +276,11 @@ 'href', ( new mw.Title( userData.username, 2 ) ).getUrl() ) - .append( userData.username ) + .text( userData.username ) ), $( '' ) .addClass( 'growthexperiments-mentor-dashboard-module-mentee-overview-table-activity' ) - .append( mw.msg( + .text( mw.msg( 'growthexperiments-mentor-dashboard-mentee-overview-active-ago', userData.last_active.human ) ) -- 2.20.1