User:CSteipp (WMF)/Training/VulnTagging medium

WARNING: This is a vulnerable script for demonstration. Don't use it! This code applies naive, but commonly seen, fixes for the SQL injection and XSS flaws in User:CSteipp/Training/VulnTagging_easy. See if you can find ways to still inject SQL and JavaScript.

setHook( 'vtag', 'wfAddTags' ); return true; }

/**
 * Parser tag hook callback (registered for the 'vtag' tag by the setHook call above):
 * looks up the rows in the 'vulntags' table for one article and renders each tag
 * as a list item that links to Special:ArticlesWithTag.
 *
 * This is deliberately vulnerable training code. The code is left as published;
 * the comments below point out why each "fix" is insufficient and what a
 * correct mitigation looks like.
 *
 * @param string $input Text between the opening and closing tag; unused in this function.
 * @param array $argv Attributes written on the tag in wikitext, so their values are
 *   chosen by whoever edits the page and must be treated as untrusted.
 * @param Parser $parser Parser for the current page; supplies the default article ID.
 * @return string The rendered list items joined by newlines.
 */
function wfAddTags( $input, $argv, $parser ) { $articleId = $parser->getTitle->getArticleID;
// NOTE(review): getTitle and getArticleID are written without call parentheses on the
// line above; presumably "()" was lost when the page was rendered - confirm against
// the original listing.

// Weak fix (SQL injection): mysql_real_escape_string() only escapes characters that
// are special inside a quoted SQL string literal. The value is later placed into the
// condition without surrounding quotes, i.e. in a numeric context, so escaping does
// not restrict it to a number. Mitigation: cast with intval(), or pass the condition
// as array( 'vt_article_id' => $articleId ) so the database layer quotes the value.
// The mysql_* functions were also removed in PHP 7.
if ( isset( $argv['articleid'] ) ) { $articleId = mysql_real_escape_string( $argv['articleid'] ); }

// Read-only query, so a replica connection is requested.
$dbr = wfGetDB( DB_SLAVE );

// The condition is a pre-built string with $articleId interpolated into it; select()
// uses string conditions as raw SQL, so nothing downstream quotes or validates the value.
$res = $dbr->select(		'vulntags',		array( 'vt_tid', 'vt_tag_text' ),		array( "vt_article_id = $articleId" ),		__METHOD__	);

// NOTE(review): "array" without "()" is not valid PHP; presumably "array()" before
// the page was rendered.
$tags = array;

// Missing output escaping (XSS): the second argument of Linker::link() is the link's
// HTML content and is not escaped, and Html::rawElement() also inserts its content
// verbatim. vt_tag_text therefore reaches the page unescaped. Data read back from the
// database is not trustworthy just because it was stored; presumably the tag text is
// user-supplied (the code that writes the table is not shown). Mitigation: pass
// htmlspecialchars( $tag->vt_tag_text ) as the link text.
// Separately, every <li> receives the same id 'vuln-tag-list', which produces
// duplicate ids in the document.
foreach ( $res as $tag ) { $otherpages = Linker::link(			SpecialPage::getTitleFor( 'ArticlesWithTag', $tag->vt_tag_text ),			$tag->vt_tag_text		); $tags[] = Html::rawElement(			'li',			array( 'id'=>'vuln-tag-list', 'class'=>'tag-'.$tag->vt_tid ),			$otherpages		); }

// Weak fix (XSS): this escapes $articleId only after the query has already run, and
// the return statement below does not output $articleId, so the call affects neither
// the query nor the visible output. Escaping has to be applied to the value that is
// actually emitted, at the point where it is emitted.
$articleId = htmlspecialchars( $articleId );

// NOTE(review): the empty string literals presumably held wrapping list markup that
// was stripped when the page was rendered - confirm against the original listing.
return "". implode( "\n", $tags ). ""; }