[Pkg-mediawiki-devel] Bug#696179: mediawiki-extensions-base: RSS_Reader Javascript injection

Thorsten Glaser t.glaser at tarent.de
Mon Dec 17 18:44:55 UTC 2012

On Mon, 17 Dec 2012, Platonides wrote:

> With a quick glance, it misses to escape the output everywhere.

Right, when enabling text mode, it probably (not yet
tested, I’m about to head home) will execute scripts
as well. The content is a bit harder to fix though,
as, in contrast to the title, it _is_ supposed to
contain HTML of some sort.

Does Mediawiki have an API which you can pass some
string of HTML which will throw out all unknown or
“unsafe” (whatever that means) tags, tidy it up to
produce valid XHTML, and return that? Otherwise,
I guess Suggests: php-htmlpurifier and using that
if existent, saying “I don’t wanna” if not and the
text mode (as opposed to the default just-the-headlines
mode) is enabled is the way forward.

tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-314
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Boris Esser, Sebastian Mancke
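The split the message above draws between the two feed fields, shown as an added PHP illustration (not code from the RSS_Reader extension or from the bug thread): the item title is plain text and is simply HTML-escaped, while the item body is expected to carry markup and is therefore run through an allow-list sanitizer, refusing to render at all when none is installed. The feed item is constructed for the example; the presence of the php-htmlpurifier package (class HTMLPurifier) and the function names renderTitle/renderContent are assumptions.

```php
<?php
// Added illustration, not the RSS_Reader extension's own code.
// Constructed feed item carrying the kind of payload the bug describes:
// script in the title, and event handlers / javascript: URLs in the body.
$item = [
    'title'   => 'Weekly news <script>alert(document.cookie)</script>',
    'content' => '<p>Read <a href="javascript:alert(1)" onclick="alert(2)">this</a>'
               . ' and <b>that</b></p><img src=x onerror="alert(3)">',
];

/**
 * The title is never supposed to contain markup, so it is escaped outright.
 * ENT_QUOTES also covers attribute contexts; ENT_SUBSTITUTE avoids an empty
 * string on invalid UTF-8 (which would silently drop the headline).
 */
function renderTitle(string $title): string
{
    return '<h3>' . htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</h3>';
}

/**
 * The body is expected to contain HTML, so escaping is not an option; it is
 * filtered against an allow-list instead.  Returns null when no sanitizer is
 * available so the caller can refuse to render rather than emit raw markup.
 * Assumes the optional php-htmlpurifier package (class HTMLPurifier).
 */
function renderContent(string $html): ?string
{
    if (!class_exists('HTMLPurifier')) {
        return null;
    }
    $config = HTMLPurifier_Config::createDefault();
    // Small allow-list of elements/attributes; everything else (script, img
    // with onerror, on* handlers) is dropped rather than escaped.
    $config->set('HTML.Allowed', 'p,b,i,em,strong,a[href],ul,ol,li,br');
    // Only http/https links survive, so javascript: URLs are removed too.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    $purifier = new HTMLPurifier($config);
    return $purifier->purify($html);
}

// Vulnerable form for comparison (the pattern the bug reports):
//   echo '<h3>' . $item['title'] . '</h3>';
echo renderTitle($item['title']), "\n";

$body = renderContent($item['content']);
if ($body === null) {
    // Text mode requested but no sanitizer present: refuse, do not pass through.
    echo "<p>Feed text mode disabled: no HTML sanitizer installed.</p>\n";
} else {
    echo $body, "\n";
}
```

With HTMLPurifier installed the body comes out as `<p>Read <a>this</a> and <b>that</b></p>`: the javascript: href, the onclick handler and the img/onerror element are all gone, while the title renders with the script tag shown as literal text. MediaWiki core itself ships Sanitizer::removeHTMLtags(), which strips elements and attributes outside the wiki's own allow-list and could stand in for HTMLPurifier here; the refuse-when-unavailable branch is what keeps the default headlines-only mode safe either way.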
