Template talk:XSS alert

Using Widgets extension to avoid these
I created Extension:Widgets in part because security is very important, and one of the goals for http://www.mediawikiwidgets.org is to solve some of the problems as well as create a community of reviewers for things that simply insert some parametrized HTML/JS/CSS into the pages.

Any ideas how this can be perfected and used wider in MediaWiki community?

Any concerns?

I'll appreciate any comments.

Thank you,

Sergey Chernyshev 17:58, 5 March 2010 (UTC)

clearer explanation needed
"strictly validate user input and/or apply escaping to all characters that have a special meaning in HTML"

Can someone explain how this is done in the template, or link to a page on how this is done? I have no idea what this all means. Adamtheclown 16:53, 24 November 2010 (UTC)
 * See XSS. What you precisely have to do to fix the issue can vary depending on what you're doing, but 80% of the time all that is required is to pass output through  before outputting content in an extension. Bawolff 19:50, 24 November 2010 (UTC)
 * thank you bawolff I found this link to be very helpful. Igottheconch 01:57, 13 December 2011 (UTC)
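As an added illustration of the escaping step Bawolff refers to (this is example code written for this talk page, not part of MediaWiki or of the template), the snippet below renders the same user-supplied value twice: once concatenated straight into HTML, which is the pattern the XSS alert warns about, and once passed through PHP's htmlspecialchars(), which is the escaping Bawolff describes. The function names renderUnsafe, escapeHtml and renderSafe are hypothetical; the sample input is constructed.

```php
<?php
// Added example, not from the talk page or from MediaWiki itself.
// Shows unescaped versus escaped output of the same user-controlled value.

// Vulnerable pattern: the user value becomes live markup in the page.
function renderUnsafe(string $userValue): string {
    return "<span class=\"widget-title\">" . $userValue . "</span>";
}

// Escape every character that has a special meaning in HTML.
// ENT_QUOTES also escapes single quotes, which matters when the value
// ends up inside an attribute; the explicit charset avoids depending on
// the php.ini default.
function escapeHtml(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Hardened pattern: same output, but the value is text, not markup.
function renderSafe(string $userValue): string {
    return "<span class=\"widget-title\">" . escapeHtml($userValue) . "</span>";
}

// Constructed sample input of the kind a wiki editor could pass to an
// extension via a parser function or tag argument.
$input = '<img src=x onerror="alert(1)">';

echo renderUnsafe($input), "\n";
echo renderSafe($input), "\n";
```

In the hardened output the angle brackets and quotes arrive in the browser as `&lt;`, `&gt;` and `&quot;`, so the value is displayed rather than interpreted. Inside MediaWiki itself the `Html::element()` helper does the same escaping for both the tag contents and the attribute values, so extension code that builds markup through it rather than by string concatenation avoids this class of bug by construction.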

Is version 1.16.2 and later no longer vulnerable to xss?
On the mediawiki IRC:

Is this true?

"MediaWiki prior to version 1.16.2 is affected by a cross-site scripting vulnerability. Incorrect parsing of CSS comments allowed dangerous tokens to be passed to the browser." source: So if I have a version after MediaWiki 1.16.1, am I safe?

Response:

 * 1.16.2 was released due to an IE XSS (privacy injection in other browsers) and a PHP execution vuln for Windows and possibly Novell servers.
 * 1.16.3 was for more similar vectors, an IE6 XSS, and a transwiki vuln
 * 1.16.4 and 1.16.5 were because of that same IE6 XSS, and a vuln in $wgBlockDisablesLogin
 * In any case, 1.16 is obsolete. We don't backport security fixes to it anymore. You should update to 1.17, or better yet 1.18.

question:

 * so I have 1.16.5; is it still vulnerable to XSS attacks?

Response:

 * dunno. Not the ones that were fixed at the least. That said, we released 1.17.1 because of leakage on private wikis, and it's possible that's still around in 1.16

Igottheconch 01:55, 13 December 2011 (UTC)