From 42d0347582b14ff7508ffc6d3976cb188a30dac1 Mon Sep 17 00:00:00 2001
From: Prateek Saxena
Date: Tue, 24 Mar 2015 13:31:19 +0530
Subject: [PATCH] renderer.article: Ignore thumnail if the URL has suspicious characters

If the URL of the thumbnail has suspicious characters like ', " or \ return a instead of trying to render a thumbnail.

Bug: T88171
Change-Id: Ide052ea2a7de166599d077a385a6e788bfa63302
---
 resources/ext.popups.renderer.article.js | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/resources/ext.popups.renderer.article.js b/resources/ext.popups.renderer.article.js
index 728606bca..020457747 100644
--- a/resources/ext.popups.renderer.article.js
+++ b/resources/ext.popups.renderer.article.js
@@ -249,11 +249,18 @@
 var svg = mw.popups.supportsSVG;
 if (
- !thumbnail || // No thumbnail
+ // No thumbnail
+ !thumbnail ||
 // Image too small for landscape display
 ( !tall && thumbnail.width < article.SIZES.landscapeImage.w ) ||
 // Image too small for protrait display
- ( tall && thumbnail.height < article.SIZES.portraitImage.h )
+ ( tall && thumbnail.height < article.SIZES.portraitImage.h ) ||
+ // These characters in URL that could inject CSS and thus JS
+ (
+ thumbnail.source.indexOf( '\\' ) > -1 ||
+ thumbnail.source.indexOf( '\'' ) > -1 ||
+ thumbnail.source.indexOf( '\"' ) > -1
+ )
 ) {
 return $( '' );
 }
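Review bot: The new `thumbnail.source` test at the end of the `if` condition is a three-character denylist (backslash, `'`, `"`), and whether it is sufficient depends on how the URL is embedded later in the function, which lies outside this hunk. If that sink is an unquoted CSS `url(...)` or an attribute built by string concatenation, characters such as `)`, whitespace and control characters also terminate the value, so the safer shape is a positive check (expected scheme plus a conservative character set) or encoding at the point of use rather than enumerating bad characters. The check also assumes `thumbnail.source` is always a string; a thumbnail object without it would throw on `.indexOf`, and `typeof thumbnail.source !== 'string' || /[\\'"]/.test( thumbnail.source )` would cover both cases in one expression. The comment would help the next maintainer more if it named the sink, e.g. `// Reject URLs containing \, ' or ": the URL is interpolated into <name of sink>, where these can break out of the value`.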