From: Brion Vibber <brion@users.mediawiki.org>
Date: Mon, 5 Jan 2009 20:37:15 +0000 (+0000)
Subject: * Fix XSS in Special:Search with extended engine features ("did you mean")
X-Git-Tag: 1.31.0-rc.0~43561
X-Git-Url: http://git.cyclocoop.org/%24action?a=commitdiff_plain;h=1de9c48715b6560eb868f7aa1007967e4cc07f7f;p=lhc%2Fweb%2Fwiklou.git

* Fix XSS in Special:Search with extended engine features ("did you mean")

Switched a couple of manually created '<a href>'s to use Linker functions,
and put an htmlspecialchars() on the 'did you mean' snippet result which was
spewing raw input-derived text into output (bad!)
---

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 2ccaa04394..604162b28a 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -468,7 +468,7 @@ The following extensions are migrated into MediaWiki 1.14:
   that STDIN can be used for page list
 * Sanitizer::decodeCharReferences() now decodes the XHTML "&apos;" character
   entity (loosely related to bug 14365)
-
+* Fix XSS in Special:Search with extended engine features ("did you mean")
 
 === API changes in 1.14 ===
 
diff --git a/includes/specials/SpecialSearch.php b/includes/specials/SpecialSearch.php
index 08d4f456df..c7678d22e7 100644
--- a/includes/specials/SpecialSearch.php
+++ b/includes/specials/SpecialSearch.php
@@ -113,9 +113,11 @@ class SpecialSearch {
 	 * @param string $term
 	 */
 	public function showResults( $term ) {
-		global $wgOut, $wgDisableTextSearch, $wgContLang;
+		global $wgOut, $wgUser, $wgDisableTextSearch, $wgContLang;
 		wfProfileIn( __METHOD__ );
 		
+		$sk = $wgUser->getSkin();
+		
 		$this->searchEngine = SearchEngine::create();
 		$search =& $this->searchEngine;
 		$search->setLimitOffset( $this->limit, $this->offset );
@@ -166,8 +168,9 @@ class SpecialSearch {
 				array( 'search' => $textMatches->getSuggestionQuery(), 'fulltext' 	=> wfMsg('search') ),
 				$this->powerSearchOptions()
 			);
-			$suggestLink = '<a href="'.$st->escapeLocalURL($stParams).'">'.
-				$textMatches->getSuggestionSnippet().'</a>';
+			$suggestLink = $sk->makeKnownLinkObj( $st,
+				htmlspecialchars( $textMatches->getSuggestionSnippet() ),
+				$stParams );
 
 			$this->didYouMeanHtml = '<div class="searchdidyoumean">'.wfMsg('search-suggest',$suggestLink).'</div>';
 		}
@@ -384,7 +387,7 @@ class SpecialSearch {
 	 * @param array $terms terms to highlight
 	 */
 	protected function showHit( $result, $terms ) {
-		global $wgContLang, $wgLang;
+		global $wgContLang, $wgLang, $wgUser;
 		wfProfileIn( __METHOD__ );
 
 		if( $result->isBrokenTitle() ) {
@@ -392,6 +395,7 @@ class SpecialSearch {
 			return "<!-- Broken link in search result -->\n";
 		}
 
+		$sk = $wgUser->getSkin();
 		$t = $result->getTitle();
 
 		$link = $this->sk->makeKnownLinkObj( $t, $result->getTitleSnippet($terms));
@@ -457,8 +461,8 @@ class SpecialSearch {
 				array('search'    => wfMsgForContent('searchrelated').':'.$t->getPrefixedText(),
 				      'fulltext'  => wfMsg('search') ));
 			
-			$related = ' -- <a href="'.$st->escapeLocalURL($stParams).'">'. 
-				wfMsg('search-relatedarticle').'</a>';
+			$related = ' -- ' . $sk->makeKnownLinkObj( $st,
+				wfMsg('search-relatedarticle'), $stParams );
 		}
 
 		// Include a thumbnail for media files...
@@ -942,8 +946,9 @@ class SpecialSearchOld {
 					'fulltext' 	=> wfMsg('search')),
 					$this->powerSearchOptions());
 					
-			$suggestLink = '<a href="'.$st->escapeLocalURL($stParams).'">'.
-					$textMatches->getSuggestionSnippet().'</a>';
+			$suggestLink = $sk->makeKnownLinkObj( $st,
+				htmlspecialchars( $textMatches->getSuggestionSnippet() ),
+				$stParams );
 			 		
 			$wgOut->addHTML('<div class="searchdidyoumean">'.wfMsg('search-suggest',$suggestLink).'</div>');
 		}
@@ -1233,8 +1238,8 @@ class SpecialSearchOld {
 				array('search'    => wfMsgForContent('searchrelated').':'.$t->getPrefixedText(),
 				      'fulltext'  => wfMsg('search') ));
 			
-			$related = ' -- <a href="'.$st->escapeLocalURL($stParams).'">'. 
-				wfMsg('search-relatedarticle').'</a>';
+			$related = ' -- ' . $sk->makeKnownLinkObj( $st,
+				wfMsg('search-relatedarticle'), $stParams );
 		}
 				
 		// Include a thumbnail for media files...