From: Timo Tijhof <krinklemail@gmail.com>
Date: Mon, 20 Aug 2018 00:14:46 +0000 (+0100)
Subject: resourceloader: Refuse to preview content with </script>
X-Git-Tag: 1.34.0-rc.0~4253^2
X-Git-Url: http://git.cyclocoop.org/%7B%7B%20url_for%28%27admin_vote_add%27%29%20%7D%7D?a=commitdiff_plain;h=2ec27eb0382d811b8dc2a9044ef802031e44db97;p=lhc%2Fweb%2Fwiklou.git

resourceloader: Refuse to preview content with </script>

Bug: T200506
Change-Id: I4ab5fbb0f5413aad24360169ba635672ce8d9c8e
---

diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index 3675e8a4ee..4f12e0cfd0 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -2754,6 +2754,18 @@ class OutputPage extends ContextSource {
 					foreach ( $this->contentOverrideCallbacks as $callback ) {
 						$content = $callback( $title );
 						if ( $content !== null ) {
+							$text = ContentHandler::getContentText( $content );
+							if ( strpos( $text, '</script>' ) !== false ) {
+								// Proactively replace this so that we can display a message
+								// to the user, instead of letting it go to Html::inlineScript(),
+								// where it would be considered a server-side issue.
+								$titleFormatted = $title->getPrefixedText();
+								$content = new JavaScriptContent(
+									Xml::encodeJsCall( 'mw.log.error', [
+										"Cannot preview $titleFormatted due to script-closing tag."
+									] )
+								);
+							}
 							return $content;
 						}
 					}