From 452e1b8ecdb69ba3f51faf3998d45bf56a27cf7e Mon Sep 17 00:00:00 2001
From: Max Semenik <maxsem.wiki@gmail.com>
Date: Fri, 29 Sep 2017 16:50:55 -0700
Subject: [PATCH] SECURITY: Escape { and } in attributes

This prevents them from being messed with by language converter.
Otherwise, with primary $wgFragmentMode set to HTML5, it's possible
to alter HTML by inserting conversion syntax -{|}- into wikilink
fragments on wikis with language conversion enabled.

Sanitizer already does the same with attributes for elements present
in wikitext.

Bug: T176176
Change-Id: I1304024654da66438a7f095d5e2e2b8b492351a2
---
 includes/Html.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/includes/Html.php b/includes/Html.php
index 8fe4dbe513..7bf7477623 100644
--- a/includes/Html.php
+++ b/includes/Html.php
@@ -563,7 +563,10 @@ class Html {
 					"<" => '&lt;',
 					"\n" => '&#10;',
 					"\r" => '&#13;',
-					"\t" => '&#9;'
+					"\t" => '&#9;',
+					// T176176: prevent attributes from interacting with language converter
+					'{' => '&#123;',
+					'}' => '&#125;',
 				];
 				$ret .= " $key=$quote" . strtr( $value, $map ) . $quote;
 			}
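Review bot: No test in this patch pins the new `{`/`}` escaping: the diffstat lists only includes/Html.php, so a later edit to `$map` could drop the two entries unnoticed. A regression case that passes an attribute value containing `-{` and `}-` and asserts the output carries `&#123;` and `&#125;` with no literal braces would cover it. The inline comment could also say why both characters are mapped, e.g. `// T176176: -{ ... }- is language converter syntax; encode both braces so an attribute value can never form a conversion marker`. The enclosing function begins and ends outside the hunk, so it is not visible here whether `$key` can ever contain braces; in `" $key=$quote"` it is interpolated without going through `$map`, which is worth confirming.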
-- 
2.14.1

