wikimedia/mediawiki-extensions-CategoryTree
1
0
Fork 0
mirror of https://gerrit.wikimedia.org/r/mediawiki/extensions/CategoryTree synced 2024-11-27 09:43:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add output encoding to $category in not found message

Browse source 
This change outputs the not found category as plain text and prevents
parser processing of the category name like '''bold''' or ''italic''.

This affects the root category of the category tree in the sidebar
like on
$wgCategoryTreeSidebarRoot = "Lista d''e Paise d''o munno"
for a situation without parser and
{{#categorytree:Lista d''e Paise d''o munno}}
or
<categorytree>Lista d''e Paise d''o munno</categorytree>
in the content for situations with parser.

A separation for with and without parser is not needed anymore.
Problem described in T18744 which was the reason for change r49471
(9700e2d5) is not reproducible.

This change also prevents that the value in the parameter `target` on
Special:CategoryTree gets interpreted as wikitext and outputs the value
with an output encoding.

  Special:CategoryTree?target=B%27%27%27o%27%27%27ld%20un%3Cu%20onclick%3d%22alert(%27XSS%27)%22%3Eder%3C/u%3Eline

was rendered as

  B<b>o</b>ld un<u>der</u>line

and is now rendered as

  B'''o'''ld un&lt;u onclick="alert('XSS')"&gt;der&lt;/u&gt;line

The parser prevented already JavaScript injection, so there was no
security issue.

Change-Id: I592b23ba965c15b81a2f97686161a4d590331c87
This commit is contained in:
Fomafix 2021-09-10 20:40:13 +00:00 committed by Krinkle
parent 0667bd8087
commit 480ff35722
2 changed files with 7 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
includes/CategoryTree.php
View file

@ -381,12 +381,9 @@ class CategoryTree {
if ( !$allowMissing && !$title->getArticleID() ) {
$html .= Html::openElement( 'span', [ 'class' => 'CategoryTreeNotice' ] );
if ( $parser ) {
$html .= $parser->recursiveTagParse(
wfMessage( 'categorytree-not-found', $category )->plain() );
} else {
$html .= wfMessage( 'categorytree-not-found', $category )->parse();
}
$html .= wfMessage( 'categorytree-not-found' )
->plaintextParams( $category )
->parse();
$html .= Html::closeElement( 'span' );
} else {
if ( !$hideroot ) {

5
includes/CategoryTreePage.php
View file

@ -137,7 +137,10 @@ class CategoryTreePage extends SpecialPage {
$output->addHTML( Xml::closeElement( 'div' ) );
} else {
$output->addHTML( Xml::openElement( 'div', [ 'class' => 'CategoryTreeNotice' ] ) );
$output->addHTML( $this->msg( 'categorytree-not-found', $this->target )->parse() );
$output->addHTML( $this->msg( 'categorytree-not-found' )
->plaintextParams( $this->target )
->parse()
);
$output->addHTML( Xml::closeElement( 'div' ) );
}
}