From 44f9adbdf04c0d0f3a82527cae6e669317b49666 Mon Sep 17 00:00:00 2001 From: Catrope Date: Fri, 18 May 2012 12:00:57 -0700 Subject: [PATCH] (bug 36938) XSS in uselang parameter This was caused by the value of getHtmlCode() being injected directly into HTML without escaping. Despite its name, the return value of getHtmlCode() is not actually HTML-safe. Fixed by escaping the language code, wrapping it in double quotes instead of single quotes, and explicitly documenting that getHtmlCode() and getCode() do not return HTML-safe values. Change-Id: I3a908484ba3d4999d7a61ac162617144ca7e703a --- includes/SkinTemplate.php | 6 +++++- languages/Language.php | 7 +++++++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/includes/SkinTemplate.php b/includes/SkinTemplate.php index 9807237148..dc16fbdfac 100644 --- a/includes/SkinTemplate.php +++ b/includes/SkinTemplate.php @@ -298,7 +298,11 @@ class SkinTemplate extends Skin { $tpl->set( 'specialpageattributes', '' ); # obsolete if ( $userlang !== $wgContLang->getHtmlCode() || $userdir !== $wgContLang->getDir() ) { - $attrs = " lang='$userlang' dir='$userdir'"; + $escUserlang = htmlspecialchars( $userlang ); + $escUserdir = htmlspecialchars( $userdir ); + // Attributes must be in double quotes because htmlspecialchars() doesn't + // escape single quotes + $attrs = " lang=\"$escUserlang\" dir=\"$escUserdir\""; $tpl->set( 'userlangattributes', $attrs ); } diff --git a/languages/Language.php b/languages/Language.php index e6feb45edf..5035f8b74b 100644 --- a/languages/Language.php +++ b/languages/Language.php @@ -3649,6 +3649,9 @@ class Language { /** * Get the RFC 3066 code for this language object * + * NOTE: The return value of this function is NOT HTML-safe and must be escaped with + * htmlspecialchars() or similar + * * @return string */ public function getCode() { 
@@ -3658,6 +3661,10 @@ class Language {
 /**
 * Get the code in Bcp47 format which we can use
 * inside of html lang="" tags.
+ *
+ * NOTE: The return value of this function is NOT HTML-safe and must be escaped with
+ * htmlspecialchars() or similar.
+ * + * @since 1.19
 * @return string
 */
-- 
2.20.1
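Review bot: The added NOTE is undercut by the sentence just above it, which still describes the result as something "we can use inside of html lang="" tags" — the very reading that led to the unescaped use fixed in SkinTemplate.php; reword that description to `* Get the code in Bcp47 format, i.e. the value for an HTML lang="" attribute once escaped.` so the caveat and the summary agree. The NOTE in the getCode() hunk above ends without a period while this one has one; make the two identical so a grep for the warning text finds both. The docblock closes inside the hunk, but the method it documents lies outside it.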