From 4cf2db77fda62c25065b3b562056f2a7ab917705 Mon Sep 17 00:00:00 2001
From: Brion Vibber
Date: Tue, 6 Jun 2006 06:21:50 +0000
Subject: [PATCH] * Edit security precautions in raw HTML mode, etc
---
 RELEASE-NOTES | 1 +
 includes/EditPage.php | 38 ++++++++++++++++++++++----------------
 languages/Messages.php | 7 +++++++
 3 files changed, 30 insertions(+), 16 deletions(-)
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index dbd708ff05..59c0cfe784 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -438,6 +438,7 @@ it from source control: http://www.mediawiki.org/wiki/Download_from_SVN * Fix for HTML headings improperly not detected with preceding/following text * Section extraction and replacement functions merged into one implementation on the Parser object, so they can't get out of sync with each other. +* Edit security precautions in raw HTML mode, etc == Compatibility ==
diff --git a/includes/EditPage.php b/includes/EditPage.php
index 341427b63a..461403da43 100644
--- a/includes/EditPage.php
+++ b/includes/EditPage.php
@@ -23,7 +23,7 @@ class EditPage {
 var $formtype;
 var $firsttime;
 var $lastDelete;
- var $mTokenOk = true;
+ var $mTokenOk = false;
 var $tooBig = false;
 var $kblength = false;
 var $missingComment = false;
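Review bot: Defaulting `$mTokenOk` to `false` is the right fail-closed choice, but it means every request that never reaches the token check reads as "forged", and the new raw-HTML guard in the -1276 hunk acts on exactly that flag. Nothing in this patch shows `tokenOk()` storing its result into `$this->mTokenOk`; if it only returns a bool, the guard fires on every raw-HTML preview, and if the token check lives in a POST-only branch (the `}` context after the -358 hunk suggests it does), a non-POST path that renders a preview would also be refused. Please confirm the assignment exists and document the contract on the property, e.g. `# false until a posted form has passed tokenOk(); consulted before rendering previews when $wgRawHtml is on`.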
@@ -358,19 +358,17 @@ class EditPage {
 $this->preview = $request->getCheck( 'wpPreview' ) || $request->getCheck( 'wpLivePreview' );
 $this->diff = $request->getCheck( 'wpDiff' );
- if( !$this->preview ) {
- if ( $this->tokenOk( $request ) ) {
- # Some browsers will not report any submit button
- # if the user hits enter in the comment box.
- # The unmarked state will be assumed to be a save,
- # if the form seems otherwise complete.
- wfDebug( "$fname: Passed token check.\n" );
- } else {
- # Page might be a hack attempt posted from
- # an external site. Preview instead of saving.
- wfDebug( "$fname: Failed token check; forcing preview\n" );
- $this->preview = true;
- }
+ if ( $this->tokenOk( $request ) ) {
+ # Some browsers will not report any submit button
+ # if the user hits enter in the comment box.
+ # The unmarked state will be assumed to be a save,
+ # if the form seems otherwise complete.
+ wfDebug( "$fname: Passed token check.\n" );
+ } else {
+ # Page might be a hack attempt posted from
+ # an external site. Preview instead of saving.
+ wfDebug( "$fname: Failed token check; forcing preview\n" );
+ $this->preview = true;
+ }
 }
 $this->save = ! ( $this->preview OR $this->diff );
@@ -1115,7 +1113,7 @@ END
 # For a bit more sophisticated detection of blank summaries, hash the
 # automatic one and pass that in a hidden field.
 $autosumm = $this->autoSumm ? $this->autoSumm : md5( $this->summary );
- $wgOut->addHTML( "\n" );
+ $wgOut->addHtml( wfHidden( 'wpAutoSummary', $autosumm ) );
 if ( $this->isConflict ) {
 require_once( "DifferenceEngine.php" );
@@ -1276,9 +1274,17 @@ END
 $parserOptions = ParserOptions::newFromUser( $wgUser );
 $parserOptions->setEditSection( false );
+ global $wgRawHtml;
+ if( $wgRawHtml && !$this->mTokenOk ) {
+ // Could be an offsite preview attempt. This is very unsafe if
+ // HTML is enabled, as it could be an attack.
+ return $wgOut->parse( "
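Review bot: The comment in the `else` branch no longer describes what the code does now that the `if( !$this->preview )` wrapper is gone: for an explicit preview request `$this->preview = true` is a no-op, so the only lasting effect of a failed token on a preview is whatever `tokenOk()` records for the preview path to consult later. Suggest rewording the two comment lines to `# Page might be a hack attempt posted from an external site.` / `# Never save; force a preview and leave the token result for the preview renderer to act on.` so the next reader does not assume previews are blocked here. The enclosing function starts before this hunk, so I could not confirm the `wasPosted()` condition the closing `}` context implies.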
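Review bot: The replacement line calls `$wgOut->addHtml(...)` while the line it replaces, and presumably the rest of the file, use `addHTML`; PHP resolves method names case-insensitively so it works, but the mixed casing is a style inconsistency worth fixing to `$wgOut->addHTML( wfHidden( 'wpAutoSummary', $autosumm ) );`. Moving `$autosumm` out of a hand-built attribute string into `wfHidden()` is a good change, assuming that helper escapes the value it is given (not visible here).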
" . + wfMsg( 'session_fail_preview_html' ) . "
" );
+ }
+
 # don't parse user css/js, show message about preview
 # XXX: stupid php bug won't let us use $wgTitle->isCssJsSubpage() here
-
+
 if ( $this->isCssJsSubpage ) {
 if(preg_match("/\\.css$/", $wgTitle->getText() ) ) {
 $previewtext = wfMsg('usercsspreview');
diff --git a/languages/Messages.php b/languages/Messages.php
index 98b4dc8f3d..ec3ba6292e 100644
--- a/languages/Messages.php
+++ b/languages/Messages.php
@@ -513,6 +513,13 @@ If you are here by mistake, just click your browser's '''back''' button.",
 Please try again. If it still doesn\'t work, try logging out and logging back in.',
 'previewconflict' => 'This preview reflects the text in the upper
 text editing area as it will appear if you choose to save.',
+'session_fail_preview_html' => 'Sorry! We could not process your edit due to a loss of session data.
+
+\'\'Because this wiki has raw HTML enabled, the preview is hidden as a precaution against JavaScript attacks.\'\'
+
+If this is a legitimate edit attempt, please try again. If it still doesn\'t work, try logging out and logging back in.',
+'previewconflict' => 'This preview reflects the text in the upper
+text editing area as it will appear if you choose to save.',
 'importing' => 'Importing $1',
 'editing' => 'Editing $1',
 'editingsection' => 'Editing $1 (section)',
--
2.20.1
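Review bot: The `global $wgRawHtml;` declaration is placed mid-function, after `ParserOptions::newFromUser( $wgUser )` has already run; the function evidently declares `$wgUser` and `$wgOut` as globals above this hunk (its start is outside the hunk), and `$wgRawHtml` belongs with them. Placing the guard ahead of the two `$parserOptions` lines would also avoid building parser options for a preview that is then refused, e.g. `if( $wgRawHtml && !$this->mTokenOk ) { ... }` directly before `$parserOptions = ParserOptions::newFromUser( $wgUser );`. A one-line comment stating that the refusal is deliberately limited to the raw-HTML configuration, because ordinary wikitext previews are already subject to the parser's own sanitising, would make the scope of this check clear to later readers.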
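Review bot: The hunk adds a second `'previewconflict'` entry immediately below the existing one, which remains as a context line; in a PHP array literal the later key silently wins, so the first definition becomes dead and the two copies can drift apart unnoticed. Unless the earlier entry is being removed in a part of the file not shown, the added `'previewconflict'` lines look like an accidental re-add and should be dropped, leaving only the new `'session_fail_preview_html'` message.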