From 939faea318d9c2107fab3a584bc1c023f3c592e9 Mon Sep 17 00:00:00 2001
From: Brian Wolff
Date: Fri, 29 Jan 2016 04:46:32 -0500
Subject: [PATCH] Require strip marker names to not have & ' " < or > in them

This is a little far-fetched, but meant as a hardening step. No valid strip marker name should have any of those things in them. If a malicious user managed to somehow control the strip marker name, he could make a strip marker that "spanned" different HTML contexts.

Note: I've checked carefully - it's impossible for a user to control the strip marker name. This is just a hardening step against any future features.

For example, if someone could make a strip marker using the marker name "a','b", then they could create an XSS by feeding "\x7UNIQfa+QINU\x7f" to charinsert, which will split on + sign, and create output like

regex = '/' . Parser::MARKER_PREFIX . "([^\x7f<>&'\"]+)" . Parser::MARKER_SUFFIX . '/'; $this->circularRefGuard = []; } -- 2.20.1
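Review bot: The character class in the regex assignment, "([^\x7f<>&'\"]+)", has no comment explaining why these characters are excluded, so the rationale lives only in the commit message. A one-line comment above the assignment saying that marker names must never contain HTML-significant characters, so that a marker cannot span HTML contexts, would keep a later edit from loosening the class. As far as the visible lines show, the restriction is applied only when matching. A marker whose name contained one of these characters would fail to match and be left in the output unreplaced rather than being rejected, so consider also validating the name at the point where markers are registered.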