Using Widgets extension to avoid these

I created Extension:Widgets in part because security is very important, and one of the goals for http://www.mediawikiwidgets.org is to solve some of these problems as well as to create a community of reviewers for things that simply insert some parametrized HTML/JS/CSS into the pages.

Any ideas how this can be perfected and used wider in MediaWiki community?

Any concerns?

Sergey Chernyshev 17:58, 5 March 2010 (UTC)

Extension:Widgets is great. Sorry no one responded. Igottheconch 00:39, 16 December 2011 (UTC)

Clearer explanation needed

"strictly validate user input and/or apply escaping to all characters that have a special meaning in HTML"

Can someone explain how this is done in the template, or link to a page on how this is done? I have no idea what this all means. Adamtheclown 16:53, 24 November 2010 (UTC)

See XSS. What you precisely have to do to fix the issue can vary depending on what you're doing, but 80% of the time all that is required is to pass output through htmlspecialchars before outputting content in an extension. Bawolff 19:50, 24 November 2010 (UTC)
Thank you Bawolff, I found this link to be very helpful. Igottheconch 01:57, 13 December 2011 (UTC)
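Bawolff's htmlspecialchars point, as an added example that is not from this talk page or from MediaWiki's own code: a parser tag hook shown in its unsafe form beside the escaped form. The tag name `greet`, the attribute `name` and the sample input are assumptions made for the illustration.

```php
<?php
// Added example (not from the talk page or from MediaWiki): a tag hook that
// renders user-supplied text. Tag name "greet" and attribute "name" are assumed.

// UNSAFE: the tag body and attribute are placed into HTML verbatim, so any
// markup the wiki user wrote inside <greet> reaches the browser unchanged.
function renderGreetUnsafe( $input, array $args ) {
    $name = $args['name'] ?? 'anonymous';
    return "<div class=\"greet\" title=\"$name\">Hello, $input!</div>";
}

// SAFE: escape each user-controlled value at the point it enters HTML.
// ENT_QUOTES also escapes ' and ", which matters inside attribute values;
// without it a quote inside title="..." could terminate the attribute.
function renderGreetSafe( $input, array $args ) {
    $name = htmlspecialchars( $args['name'] ?? 'anonymous', ENT_QUOTES, 'UTF-8' );
    $body = htmlspecialchars( $input, ENT_QUOTES, 'UTF-8' );
    return "<div class=\"greet\" title=\"$name\">Hello, $body!</div>";
}

// Registration as a MediaWiki tag hook (callback receives the tag body, its
// attributes, the Parser and the PPFrame). Only the escaped renderer is wired up.
$wgHooks['ParserFirstCallInit'][] = function ( Parser $parser ) {
    $parser->setHook( 'greet', function ( $input, array $args, Parser $parser, PPFrame $frame ) {
        return renderGreetSafe( $input, $args );
    } );
    return true;
};

// Stand-alone check with a constructed input: run with plain `php`, no MediaWiki needed.
if ( PHP_SAPI === 'cli' && !defined( 'MEDIAWIKI' ) ) {
    $input = '<script>alert(1)</script>';            // constructed sample tag body
    $args  = [ 'name' => '" onmouseover="alert(2)' ]; // constructed sample attribute
    echo renderGreetUnsafe( $input, $args ), "\n";   // script tag and stray quote survive
    echo renderGreetSafe( $input, $args ), "\n";     // rendered as &lt;script&gt; and &quot;: inert text
}
```

The second `echo` shows the same input rendered as literal text, which is the whole fix for the common case Bawolff describes; for output that goes into a JavaScript or URL context, HTML escaping alone is not the right encoding.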

Is version 1.16.2 and later no longer vulnerable to XSS?

On the MediaWiki IRC:

Is this true?

"MediaWiki prior to version 1.16.2 is affected by a cross-site scripting vulnerability. Incorrect parsing of CSS comments allowed dangerous tokens to be passed to the browser."? Source: [1]. So if I have a version after MediaWiki 1.16.1, am I safe?


1.16.2 was released due to an IE XSS (privacy injection in other browsers) and a PHP execution vuln for Windows and possibly Novell servers.
1.16.3 was for more similar vectors, an IE6 XSS, and a transwiki vuln.
1.16.4 and 1.16.5 were because of that same IE6 XSS, and a vuln in $wgBlockDisablesLogin.
In any case, 1.16 is obsolete. We don't backport security fixes to it anymore. You should update to 1.17, or better yet 1.18.

So I have 1.16.5; is it still vulnerable to XSS attacks?

Dunno. Not the ones that were fixed, at the least. That said, we released 1.17.1 because of leakage on private wikis, and it's possible that's still around in 1.16.

Igottheconch 01:55, 13 December 2011 (UTC)