Template talk:XSS alert

From mediawiki.org

Using Widgets extension to avoid these

I created Extension:Widgets in part because security is very important, and one of the goals for http://www.mediawikiwidgets.org is to solve some of these problems as well as create a community of reviewers for things that simply insert some parametrized HTML/JS/CSS into the pages.

Any ideas how this can be perfected and used more widely in the MediaWiki community?

Any concerns?

I'd appreciate any comments.

Thank you,

Sergey Chernyshev 17:58, 5 March 2010 (UTC)

Extension:Widgets is great. Sorry no one responded. Igottheconch 00:39, 16 December 2011 (UTC)

Clearer explanation needed

"strictly validate user input and/or apply escaping to all characters that have a special meaning in HTML"

Can someone explain how this is done in the template, or link to a page on how this is done? I have no idea what this all means. Adamtheclown 16:53, 24 November 2010 (UTC)

See XSS. What you precisely have to do to fix the issue can vary depending on what you're doing, but 80% of the time all that is required is to pass output through htmlspecialchars before outputting content in an extension. Bawolff 19:50, 24 November 2010 (UTC)
Thank you Bawolff, I found this link to be very helpful. Igottheconch 01:57, 13 December 2011 (UTC)
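To illustrate Bawolff's advice above, here is an added example (not code from this talk page or from MediaWiki itself) of a parser tag hook shown once without escaping and once with htmlspecialchars applied. The ParserFirstCallInit hook and Parser::setHook() are real MediaWiki APIs; the tag name boxnote, its title attribute and the function names are assumptions for the example.

```php
<?php
// Added example, not MediaWiki's own code. Assumes it is loaded inside a
// MediaWiki extension, where the Parser and PPFrame classes exist.
// The <boxnote> tag and the wfBoxNote* function names are invented here.

$wgHooks['ParserFirstCallInit'][] = 'wfBoxNoteSetup';

function wfBoxNoteSetup( Parser $parser ) {
	// Output of a tag hook is inserted into the page as HTML, so the
	// callback is responsible for escaping everything it did not write itself.
	$parser->setHook( 'boxnote', 'wfBoxNoteRender' );
	return true;
}

// VULNERABLE form: the attribute value and the tag body come straight from
// the wikitext and are concatenated into markup unchanged, so any HTML in
// them reaches the browser as markup rather than as text.
function wfBoxNoteRenderUnsafe( $input, array $args, Parser $parser, PPFrame $frame ) {
	$title = isset( $args['title'] ) ? $args['title'] : '';
	return '<div class="boxnote" title="' . $title . '">' . $input . '</div>';
}

// FIXED form: every user-controlled string passes through htmlspecialchars()
// before it is placed in an attribute value or in element content.
// ENT_QUOTES escapes both " and ', which matters inside attributes (before
// PHP 8.1 the default flags left single quotes alone). The attribute value
// is always written inside double quotes so the escaping is sufficient.
function wfBoxNoteRender( $input, array $args, Parser $parser, PPFrame $frame ) {
	$title = isset( $args['title'] ) ? $args['title'] : '';
	$safeTitle = htmlspecialchars( $title, ENT_QUOTES, 'UTF-8' );
	$safeBody  = htmlspecialchars( $input, ENT_QUOTES, 'UTF-8' );
	return '<div class="boxnote" title="' . $safeTitle . '">' . $safeBody . '</div>';
}
```

With the fixed callback, a body of `<b>hi</b>` renders as the literal text &lt;b&gt;hi&lt;/b&gt; instead of bold markup; if the tag is meant to allow wikitext formatting, run the body through $parser->recursiveTagParse() instead, so the normal wikitext sanitizer handles it.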

Are versions 1.16.2 and later no longer vulnerable to XSS?

On the MediaWiki IRC:

Is this true?

"MediaWiki prior to version 1.16.2 is affected by a cross-site scripting vulnerability. Incorrect parsing of CSS comments allowed dangerous tokens to be passed to the browser." Source: [1]. So if I have a version after MediaWiki 1.16.1, am I safe?

Response:

1.16.2 was released due to an IE XSS (privacy injection in other browsers) and a PHP execution vuln for Windows and possibly Novell servers.
1.16.3 was for more similar vectors, an IE6 XSS, and a transwiki vuln.
1.16.4 and 1.16.5 were because of that same IE6 XSS, and a vuln in $wgBlockDisablesLogin.
In any case, 1.16 is obsolete. We don't backport security fixes to it anymore. You should update to 1.17, or better yet 1.18.

Question:

So I have 1.16.5; is it still vulnerable to XSS attacks?

Response:

Dunno. Not the ones that were fixed, at least. That said, we released 1.17.1 because of leakage on private wikis, and it's possible that's still around in 1.16.

Igottheconch 01:55, 13 December 2011 (UTC)