* Fix XSS in Special:Search with extended engine features ("did you mean")

Switched a couple of manually created '<a href>'s to use Linker functions,
and put an htmlspecialchars() on the 'did you mean' snippet result which was
spewing raw input-derived text into output (bad!)

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 2ccaa04..604162b 100644 (file)
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -468,7 +468,7 @@ The following extensions are migrated into MediaWiki 1.14:
   that STDIN can be used for page list
 * Sanitizer::decodeCharReferences() now decodes the XHTML "'" character
   entity (loosely related to bug 14365)
-
+* Fix XSS in Special:Search with extended engine features ("did you mean")
 
 === API changes in 1.14 ===
 

diff --git a/includes/specials/SpecialSearch.php b/includes/specials/SpecialSearch.php
index 08d4f45..c7678d2 100644 (file)
--- a/includes/specials/SpecialSearch.php
+++ b/includes/specials/SpecialSearch.php
@@ -113,9 +113,11 @@ class SpecialSearch {
         * @param string $term
         */
        public function showResults( $term ) {
-               global $wgOut, $wgDisableTextSearch, $wgContLang;
+               global $wgOut, $wgUser, $wgDisableTextSearch, $wgContLang;
                wfProfileIn( __METHOD__ );
                
+               $sk = $wgUser->getSkin();
+               
                $this->searchEngine = SearchEngine::create();
                $search =& $this->searchEngine;
                $search->setLimitOffset( $this->limit, $this->offset );
@@ -166,8 +168,9 @@ class SpecialSearch {
                                array( 'search' => $textMatches->getSuggestionQuery(), 'fulltext'       => wfMsg('search') ),
                                $this->powerSearchOptions()
                        );
-                       $suggestLink = '<a href="'.$st->escapeLocalURL($stParams).'">'.
-                               $textMatches->getSuggestionSnippet().'</a>';
+                       $suggestLink = $sk->makeKnownLinkObj( $st,
+                               htmlspecialchars( $textMatches->getSuggestionSnippet() ),
+                               $stParams );
 
                        $this->didYouMeanHtml = '<div class="searchdidyoumean">'.wfMsg('search-suggest',$suggestLink).'</div>';
                }
@@ -384,7 +387,7 @@ class SpecialSearch {
         * @param array $terms terms to highlight
         */
        protected function showHit( $result, $terms ) {
-               global $wgContLang, $wgLang;
+               global $wgContLang, $wgLang, $wgUser;
                wfProfileIn( __METHOD__ );
 
                if( $result->isBrokenTitle() ) {
@@ -392,6 +395,7 @@ class SpecialSearch {
                        return "<!-- Broken link in search result -->\n";
                }
 
+               $sk = $wgUser->getSkin();
                $t = $result->getTitle();
 
                $link = $this->sk->makeKnownLinkObj( $t, $result->getTitleSnippet($terms));
@@ -457,8 +461,8 @@ class SpecialSearch {
                                array('search'    => wfMsgForContent('searchrelated').':'.$t->getPrefixedText(),
                                      'fulltext'  => wfMsg('search') ));
                        
-                       $related = ' -- <a href="'.$st->escapeLocalURL($stParams).'">'. 
-                               wfMsg('search-relatedarticle').'</a>';
+                       $related = ' -- ' . $sk->makeKnownLinkObj( $st,
+                               wfMsg('search-relatedarticle'), $stParams );
                }
 
                // Include a thumbnail for media files...
@@ -942,8 +946,9 @@ class SpecialSearchOld {
                                        'fulltext'      => wfMsg('search')),
                                        $this->powerSearchOptions());
                                        
-                       $suggestLink = '<a href="'.$st->escapeLocalURL($stParams).'">'.
-                                       $textMatches->getSuggestionSnippet().'</a>';
+                       $suggestLink = $sk->makeKnownLinkObj( $st,
+                               htmlspecialchars( $textMatches->getSuggestionSnippet() ),
+                               $stParams );
                                        
                        $wgOut->addHTML('<div class="searchdidyoumean">'.wfMsg('search-suggest',$suggestLink).'</div>');
                }
@@ -1233,8 +1238,8 @@ class SpecialSearchOld {
                                array('search'    => wfMsgForContent('searchrelated').':'.$t->getPrefixedText(),
                                      'fulltext'  => wfMsg('search') ));
                        
-                       $related = ' -- <a href="'.$st->escapeLocalURL($stParams).'">'. 
-                               wfMsg('search-relatedarticle').'</a>';
+                       $related = ' -- ' . $sk->makeKnownLinkObj( $st,
+                               wfMsg('search-relatedarticle'), $stParams );
                }
                                
                // Include a thumbnail for media files...