(bug 39700) Add htmlspecialchars encoding to label
authorcsteipp <csteipp@wikimedia.org>
Fri, 31 Aug 2012 03:40:19 +0000 (20:40 -0700)
committercsteipp <csteipp@wikimedia.org>
Fri, 31 Aug 2012 21:51:25 +0000 (14:51 -0700)
Adds htmlspecialchars encoding to the link label passed into
Linker::makeBrokenImageLinkObj, which previously emitted it raw.

This fixes a stored XSS (HTML injection) vulnerability.

* Released as part of 1.20wmf10, 1.19.2, 1.18.5

Change-Id: I0e5f9eeb1f3561b1354aecced74f68ae2fa20dfa

includes/Linker.php
tests/parser/parserTests.txt

index 7aba444..8e31a1c 100644 (file)
@@ -865,31 +865,31 @@ class Linker {
         * Make a "broken" link to an image
         *
         * @param $title Title object
-        * @param $html String: link label in htmlescaped text form
+        * @param $label String: link label (plain text)
         * @param $query String: query string
-        * @param $trail String: link trail (HTML fragment)
-        * @param $prefix String: link prefix (HTML fragment)
+        * @param $unused1 Unused parameter kept for b/c
+        * @param $unused2 Unused parameter kept for b/c
         * @param $time Boolean: a file of a certain timestamp was requested
         * @return String
         */
-       public static function makeBrokenImageLinkObj( $title, $html = '', $query = '', $trail = '', $prefix = '', $time = false ) {
+       public static function makeBrokenImageLinkObj( $title, $label = '', $query = '', $unused1 = '', $unused2 = '', $time = false ) {
                global $wgEnableUploads, $wgUploadMissingFileUrl, $wgUploadNavigationUrl;
                if ( ! $title instanceof Title ) {
-                       return "<!-- ERROR -->{$prefix}{$html}{$trail}";
+                       return "<!-- ERROR -->" . htmlspecialchars( $label );
                }
                wfProfileIn( __METHOD__ );
+               if ( $label == '' ) {
+                       $label = $title->getPrefixedText();
+               }
+               $encLabel = htmlspecialchars( $label );
                $currentExists = $time ? ( wfFindFile( $title ) != false ) : false;
 
-               list( $inside, $trail ) = self::splitTrail( $trail );
-               if ( $html == '' )
-                       $html = htmlspecialchars( $title->getPrefixedText() );
-
                if ( ( $wgUploadMissingFileUrl || $wgUploadNavigationUrl || $wgEnableUploads ) && !$currentExists ) {
                        $redir = RepoGroup::singleton()->getLocalRepo()->checkRedirect( $title );
 
                        if ( $redir ) {
                                wfProfileOut( __METHOD__ );
-                               return self::linkKnown( $title, "$prefix$html$inside", array(), wfCgiToArray( $query ) ) . $trail;
+                               return self::linkKnown( $title, $encLabel, array(), wfCgiToArray( $query ) );
                        }
 
                        $href = self::getUploadUrl( $title, $query );
@@ -897,10 +897,10 @@ class Linker {
                        wfProfileOut( __METHOD__ );
                        return '<a href="' . htmlspecialchars( $href ) . '" class="new" title="' .
                                htmlspecialchars( $title->getPrefixedText(), ENT_QUOTES ) . '">' .
-                               "$prefix$html$inside</a>$trail";
+                               $encLabel . '</a>';
                } else {
                        wfProfileOut( __METHOD__ );
-                       return self::linkKnown( $title, "$prefix$html$inside", array(), wfCgiToArray( $query ) ) . $trail;
+                       return self::linkKnown( $title, $encLabel, array(), wfCgiToArray( $query ) );
                }
        }
 
index 5036268..453e88a 100644 (file)
@@ -2442,6 +2442,21 @@ Link with double quotes in title part (literal) and alternate part (interpreted)
 </p>
 !! end
 
+!! test
+Broken image links with HTML captions (bug 39700)
+!! input
+[[File:Nonexistent|<script></script>]]
+[[File:Nonexistent|100px|<script></script>]]
+[[File:Nonexistent|&lt;]]
+[[File:Nonexistent|a<i>b</i>c]]
+!! result
+<p><a href="/index.php?title=Special:Upload&amp;wpDestFile=Nonexistent" class="new" title="File:Nonexistent">&lt;script&gt;&lt;/script&gt;</a>
+<a href="/index.php?title=Special:Upload&amp;wpDestFile=Nonexistent" class="new" title="File:Nonexistent">&lt;script&gt;&lt;/script&gt;</a>
+<a href="/index.php?title=Special:Upload&amp;wpDestFile=Nonexistent" class="new" title="File:Nonexistent">&lt;</a>
+<a href="/index.php?title=Special:Upload&amp;wpDestFile=Nonexistent" class="new" title="File:Nonexistent">abc</a>
+</p>
+!! end
+
 !! test
 Plain link to URL
 !! input