From bb22fa7ae3c20c1cc8cfeaaff61553577081780f Mon Sep 17 00:00:00 2001 From: csteipp Date: Mon, 19 May 2014 12:00:57 -0700 Subject: [PATCH] SECURITY: Don't parse usernames as wikitext On Special:PasswordReset, don't parse the username as wikitext since the wikitext is parsed according to the wiki's configuration (might include wgRawHtml), and the wiki may be private. Bug: 65501 Change-Id: Ic3e5d42e1be5acc42ba89ae853c5ecbfec04fa91 --- includes/specials/SpecialPasswordReset.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/includes/specials/SpecialPasswordReset.php b/includes/specials/SpecialPasswordReset.php index 14f3ccd3d6..c60b347543 100644 --- a/includes/specials/SpecialPasswordReset.php +++ b/includes/specials/SpecialPasswordReset.php @@ -210,7 +210,8 @@ class SpecialPasswordReset extends FormSpecialPage { $firstUser = $users[0]; if ( !$firstUser instanceof User || !$firstUser->getID() ) { - return array( array( 'nosuchuser', $data['Username'] ) ); + // Don't parse username as wikitext (bug 65501) + return array( array( 'nosuchuser', wfEscapeWikiText( $data['Username'] ) ) ); } // Check against the rate limiter @@ -237,7 +238,7 @@ class SpecialPasswordReset extends FormSpecialPage { // All the users will have the same email address if ( $firstUser->getEmail() == '' ) { // This won't be reachable from the email route, so safe to expose the username - return array( array( 'noemail', $firstUser->getName() ) ); + return array( array( 'noemail', wfEscapeWikiText( $firstUser->getName() ) ) ); } // We need to have a valid IP address for the hook, but per bug 18347, we should -- 2.20.1