wikimedia/mediawiki-extensions-Popups
1
0
Fork 0
mirror of https://gerrit.wikimedia.org/r/mediawiki/extensions/Popups synced 2024-11-23 15:16:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Run mw.html.escape on page extract and title

Browse source 
Add tests for XSS attack

Bug: T69180
Change-Id: I0c423b1046257a0ddacec1315bafcbf1f94b9958
(cherry picked from commit a98b009b49)
This commit is contained in:
Prateek Saxena 2014-11-26 07:51:03 +05:30 committed by Mglaser
parent e86b00ac61
commit 9ae6a61eef
2 changed files with 8 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
resources/ext.popups.renderer.article.js
View file

@ -147,6 +147,8 @@
* @return {String}
*/
article.getProcessedHtml = function ( extract, title ) {
extract = mw.html.escape( extract );
title = mw.html.escape( title );
title = title.replace( /([.?*+^$[\]\\(){}|-])/g, '\\$1' ); // Escape RegExp elements
var regExp = new RegExp( '(^|\\s)(' + title + ')(\\s|$)', 'ig' );
// Make title bold in the extract text

7
tests/qunit/ext.popups.renderer.article.test.js
View file

@ -2,7 +2,7 @@
QUnit.module( 'ext.popups' );
QUnit.test( 'render.article.getProcessedHtml', function ( assert ) {
QUnit.expect( 6 );
QUnit.expect( 7 );
function test ( extract, title, expected ) {
assert.equal(
@ -41,6 +41,11 @@
'<b>Brackets</b> ) are funny ( when not used properly'
);
test(
'Epic XSS <script>alert("XSS")</script> is epic', 'Epic XSS',
'<b>Epic XSS</b> &lt;script&gt;alert&lt;/script&gt; is epic'
);
} );
} ) ( jQuery, mediaWiki );