Anon users have predictable edit tokens, hence someone could
force an anon to execute arbitrary CSS by means of a CSRF.
Bug: T133147
Change-Id: I442b2b46cadb967aaa1f35648eff183fc7eaa475
private function isUserJsPreview() {
return $this->getConfig()->get( 'AllowUserJs' )
- && $this->getUser()->isLoggedIn()
&& $this->getTitle()
&& $this->getTitle()->isJsSubpage()
&& $this->userCanPreview();
}
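Review bot: With the `isLoggedIn()` conjunct removed, isUserJsPreview() now relies entirely on userCanPreview() to reject anonymous users, and nothing in this function says so; a reader auditing the JS-preview path will not see the anon guard here. A short comment on the `&& $this->userCanPreview()` line would make the dependency explicit: `// userCanPreview() also rejects anonymous users, whose edit tokens are predictable (T133147)`. If a sibling CSS-preview predicate exists outside this hunk, it presumably needs the same treatment, since the commit message talks about CSS while this hunk only touches the JS predicate.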
$user = $this->getUser();
+
+ if ( !$this->getUser()->isLoggedIn() ) {
+ // Anons have predictable edit tokens
+ return false;
+ }
if ( !$user->matchEditToken( $request->getVal( 'wpEditToken' ) ) ) {
return false;
}
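Review bot: The added guard calls `$this->getUser()->isLoggedIn()` on the line after `$user = $this->getUser();` was assigned, while the existing token check right below it uses `$user`; the new line should read `if ( !$user->isLoggedIn() ) {` so both checks visibly act on the same user object. The added comment states the symptom but not why it matters for this function; I would expand it to `// Anonymous users have predictable edit tokens, so matchEditToken() below proves nothing for them; refuse the preview outright (T133147)`. Placing the anon guard before the token match is the right order, since a successful match would otherwise grant the preview. The enclosing function starts before this hunk and continues past it, so I cannot see whether any other caller path reaches the token check without passing through this guard.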