dépôts / lhc / web / wiklou.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 19f844f) | patch
SECURITY: Disable <html> tag on system messages despite $wgRawHtml = true;
authorBrian Wolff <bawolff+wn@gmail.com>
Mon, 6 Feb 2017 03:00:39 +0000 (03:00 +0000)
committerBrian Wolff <bawolff+wn@gmail.com>
Tue, 28 Mar 2017 21:51:44 +0000 (21:51 +0000)
commit1c7889446d56045dd196a9ebbed634430d90efc7
tree6af4bf95f54088fab0f4c7cc4b3f7452da28fee1tree | snapshot
parent19f844f7f09e26987b393aee5abc5514507793afcommit | diff
SECURITY: Disable <html> tag on system messages despite $wgRawHtml = true;

System messages may take parameters from untrusted sources. This
may include taking parameters from urls given by unauthenticated
users even if the wiki is a read-only wiki. Allowing <html> tags
in such a context seems like an accident waiting to happen.

Bug: T156184
Change-Id: I661f482986d319cf41da1d3e7b20a0f028a42e90
includes/OutputPage.php diff | blob | history
includes/cache/MessageCache.php diff | blob | history
includes/parser/CoreTagHooks.php diff | blob | history
includes/parser/ParserOptions.php diff | blob | history
languages/i18n/en.json diff | blob | history
languages/i18n/qqq.json diff | blob | history
tests/phpunit/includes/MessageTest.php diff | blob | history
Wiklou, le Wiki du Wiklou