SECURITY: jquery.makeCollapsible: Escape user-generated CSS selectors

author Bartosz Dziewoński <matma.rex@gmail.com>

Mon, 2 Mar 2020 16:08:15 +0000 (17:08 +0100)

committer Reedy <reedy@wikimedia.org>

Thu, 26 Mar 2020 14:02:20 +0000 (14:02 +0000)
author Bartosz Dziewoński <matma.rex@gmail.com>
Mon, 2 Mar 2020 16:08:15 +0000 (17:08 +0100)
committer Reedy <reedy@wikimedia.org>
Thu, 26 Mar 2020 14:02:20 +0000 (14:02 +0000)
diff --git a/resources/src/jquery/jquery.makeCollapsible.js b/resources/src/jquery/jquery.makeCollapsible.js

index de307a6..32a5d3d 100644 (file)
--- a/resources/src/jquery/jquery.makeCollapsible.js
+++ b/resources/src/jquery/jquery.makeCollapsible.js
@@ -243,6 +243,7 @@
                         } else {
                                 collapsibleId = $collapsible.attr( 'id' ) || '';
                                 if ( collapsibleId.indexOf( 'mw-customcollapsible-' ) === 0 ) {
+                                       collapsibleId = $.escapeSelector( collapsibleId );
                                         $customTogglers = $( '.' + collapsibleId.replace( 'mw-customcollapsible', 'mw-customtoggle' ) )
                                                 .addClass( 'mw-customtoggle' );
                                 }
author	Bartosz Dziewoński <matma.rex@gmail.com>
	Mon, 2 Mar 2020 16:08:15 +0000 (17:08 +0100)
committer	Reedy <reedy@wikimedia.org>
	Thu, 26 Mar 2020 14:02:20 +0000 (14:02 +0000)