[Pkg-mediawiki-commits] r409 - in mediawiki-extensions/branches/wheezy/debian: . patches
Thorsten Glaser
tg at alioth.debian.org
Mon Dec 17 16:26:46 UTC 2012
Author: tg
Date: 2012-12-17 16:26:45 +0000 (Mon, 17 Dec 2012)
New Revision: 409
Modified:
mediawiki-extensions/branches/wheezy/debian/changelog
mediawiki-extensions/branches/wheezy/debian/patches/fix_rssreader.patch
Log:
and here's the fix for the JavaScript injection
Modified: mediawiki-extensions/branches/wheezy/debian/changelog
===================================================================
--- mediawiki-extensions/branches/wheezy/debian/changelog 2012-12-17 14:40:13 UTC (rev 408)
+++ mediawiki-extensions/branches/wheezy/debian/changelog 2012-12-17 16:26:45 UTC (rev 409)
@@ -1,3 +1,9 @@
+mediawiki-extensions (2.10) unstable; urgency=high
+
+ * RSS_Reader: fix Javascript injection (Closes: #696179)
+
+ -- Thorsten Glaser <tg at mirbsd.de> Mon, 17 Dec 2012 17:21:32 +0100
+
mediawiki-extensions (2.9) unstable; urgency=low
* Collection: fix downloading generated PDFs from the render server
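Review bot: the new 2.10 entry gives the bug number but not the injection point, so the changelog alone does not say what input was untrusted or where it was rendered; for an urgency=high upload, spell it out, e.g. `* RSS_Reader: escape feed item titles before emitting them as link text, fixing HTML/JavaScript injection from untrusted feeds (Closes: #696179)`. That also keeps the wording in line with the patch header below, which describes the same problem as "a user security issue wrt. HTML in RSS <title>s". The entry targets unstable while the commit sits on the wheezy branch; confirm that is the intended upload target.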
Modified: mediawiki-extensions/branches/wheezy/debian/patches/fix_rssreader.patch
===================================================================
--- mediawiki-extensions/branches/wheezy/debian/patches/fix_rssreader.patch 2012-12-17 14:40:13 UTC (rev 408)
+++ mediawiki-extensions/branches/wheezy/debian/patches/fix_rssreader.patch 2012-12-17 16:26:45 UTC (rev 409)
@@ -10,6 +10,7 @@
a CSS class that can be used for styling RSS output instead
* XHTML/1.0 Transitional validity of output
* fix a bunch of PHP warnings
+* fix a user security issue wrt. HTML in RSS <title>s
Also add documentation of these changes as README.Debian and point to
upstream's documentation in form of a wikipage.
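Review bot: "fix a user security issue wrt. HTML in RSS <title>s" understates the change and does not record its scope: the hunk below runs feed item titles through htmlspecialchars() before they become link text, i.e. it closes an HTML/JavaScript injection from untrusted feeds, while in the same hunk $item['description'] still goes through unhtmlentities() with no escaping. Say both here, e.g. `* escape RSS item titles (HTML/JavaScript injection from untrusted feeds); item descriptions are emitted as received`, so whoever refreshes this patch later knows the description path was looked at and not simply missed.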
@@ -97,6 +98,17 @@
if ($dispTitle) { //check if title should be displayed
$output .=
'<div class="RSSReader-head">'.
+@@ -209,7 +215,9 @@ function efCreateRSSReader($input, $argv
+ $output .= '<a href="'.$item['link'].'" ';
+ //decide if nofollow is needed
+ if ($egNoFollow) $output .= 'rel="nofollow"';
+- $item_title=preg_replace("|\[rsslist:.+?\]|", "", $rss->unhtmlentities($item['title']));
++ $item_title=preg_replace("|\[rsslist:.+?\]|", "",
++ htmlspecialchars(html_entity_decode($rss->unhtmlentities($item['title']),
++ ENT_QUOTES, "UTF-8"), ENT_QUOTES, "UTF-8"));
+ $output .= '>'.$item_title.'</a>';
+ if ($text) {
+ $desc = preg_replace("|\[rsslist:.+?\]|", "", $rss->unhtmlentities($item['description']));
--- a/dist/mediawiki-extensions-base/usr/share/mediawiki-extensions/base/RSS_Reader/lastRSS.php
+++ b/dist/mediawiki-extensions-base/usr/share/mediawiki-extensions/base/RSS_Reader/lastRSS.php
@@ -149,14 +149,14 @@ class lastRSS {
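Review bot: the escaping fixes the link text, but the first context line of the nested hunk still builds the anchor as `'<a href="'.$item['link'].'" '` with the feed-supplied link unescaped, so a title that can no longer carry markup is followed by an href that still can: a `"` in the link breaks out of the attribute into new attributes, and a `javascript:` URL executes on click. Wrap it the same way, `htmlspecialchars($item['link'], ENT_QUOTES, "UTF-8")`, and reject links whose scheme is not http or https. Two smaller points: the decode-then-encode pairing `htmlspecialchars(html_entity_decode(...))` is right (it normalizes titles that arrive already entity-encoded so they are not double-escaped, and the outer, escaping call runs last), but it deserves a one-line comment so a later reader does not "simplify" it by dropping the outer call; and `$desc` on the last added context line is still `preg_replace(..., $rss->unhtmlentities($item['description']))` with no escaping, which needs either the same treatment or a stated reason, since nothing visible here (the lastRSS.php hunk is cut off at its header) shows descriptions being sanitized elsewhere.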