Template talk:XSS alert
Using Widgets extension to avoid these
I created Extension:Widgets in part because security is very important and one of the goals for http://www.mediawikiwidgets.org is to solve some of the problems as well as create a community of reviewers for things that are simply insert some parametrized HTML/JS/CSS into the pages.
Any ideas how this can be perfected and used wider in MediaWiki community?
I'll appreciate any comments.
Sergey Chernyshev 17:58, 5 March 2010 (UTC)
- extension widgets is great. Sorry no one responded. Igottheconch 00:39, 16 December 2011 (UTC)
clearer explanation needed
"strictly validate user input and/or apply escaping to all characters that have a special meaning in HTML"
Can someone explain how this is done in the template, or link to a page on how this is done? I have no idea what this all means. Adamtheclown 16:53, 24 November 2010 (UTC)
- See XSS. What you precisely have to do to fix the issue can vary depending on what you're doing, but 80% of the time all that is required is to pass output through
htmlspecialcharsbefore outputing content in an extension. Bawolff 19:50, 24 November 2010 (UTC)
- thank you bawolff I found this link to be very helpful. Igottheconch 01:57, 13 December 2011 (UTC)
Is version 1.16.2 and later no longer vulnerable to xss?
On the mediawiki IRC:
Is this true?
"MediaWiki prior to version 1.16.2 is affected by a cross-site scripting vulnerability. Incorrect parsing of CSS comments allowed dangerous tokens to be passed to the browser."? source:  so if i have after mediawiki 1.16.1 i am safe?
- 1.16.2 was released due to an IE XSS (privacy injection in other browsers) and a php execution vuln for Windows and possibly Novell servers.
- 1.16.3 Was for more similar vectors, and a IE6 XSS, and a transwiki vuln
- 1.16.4 and 1.16.5 was because of that same IE6 XSS, and a vuln in $wgBlockDisablesLogin
- In any case, 1.16 is obsolete. We don't backport security fixes to it anymore. You should update to 1.17, or better yet 1.18.
- so i have 1.16.5 is it still vulnerable to xss attacks?
- dunno. Not the ones that were fixed at the least. That said, we released 1.17.1 because of leakage on private wikis, and it's possible that's still around in 1.16
Igottheconch 01:55, 13 December 2011 (UTC)