renderer.article: Ignore thumnail if the URL has suspicious characters

If the URL of the thumbnail contains suspicious characters such as ', " or \,
return a <span> instead of trying to render a thumbnail.

Bug: T88171
Change-Id: Ide052ea2a7de166599d077a385a6e788bfa63302
Prateek Saxena 2015-03-24 13:31:19 +05:30
parent cd3aeeca41
commit 42d0347582


@ -249,11 +249,18 @@
var svg = mw.popups.supportsSVG;
if (
!thumbnail || // No thumbnail
// No thumbnail
!thumbnail ||
// Image too small for landscape display
( !tall && thumbnail.width < article.SIZES.landscapeImage.w ) ||
// Image too small for protrait display
( tall && thumbnail.height < article.SIZES.portraitImage.h )
( tall && thumbnail.height < article.SIZES.portraitImage.h ) ||
// These characters in URL that could inject CSS and thus JS
(
thumbnail.source.indexOf( '\\' ) > -1 ||
thumbnail.source.indexOf( '\'' ) > -1 ||
thumbnail.source.indexOf( '\"' ) > -1
)
) {
return $( '<span>' );
}
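Review bot: The added character test in the `if` condition is a three-character denylist, so it only holds if the place where `thumbnail.source` is later written into CSS or markup is quoted and needs nothing else escaped; that sink is outside this hunk. It would be more robust to also escape the URL, or set it through a DOM/jQuery property API, at the point of use, and keep this check as a second layer. The test also calls `thumbnail.source.indexOf` without confirming `source` is a string, so a thumbnail object without `source` would throw instead of falling back to the `<span>`; a guard such as `typeof thumbnail.source !== 'string' ||` ahead of the three `indexOf` calls would cover that. The comment could name the sink it protects, for example `// URL is interpolated into a quoted CSS value; reject \, ' and " so it cannot break out`, if that is indeed how it is used. The enclosing function starts and ends outside the hunk.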