SECURITY: Do not allow user scripts on Special:PasswordReset

[lhc/web/wiklou.git] / includes / specials / SpecialPasswordReset.php

diff --git a/includes/specials/SpecialPasswordReset.php b/includes/specials/SpecialPasswordReset.php
index 2ef96ad..63490e4 100644 (file)
--- a/includes/specials/SpecialPasswordReset.php
+++ b/includes/specials/SpecialPasswordReset.php
@@ -21,7 +21,6 @@
  * @ingroup SpecialPage
  */
 
-use MediaWiki\Auth\AuthManager;
 use MediaWiki\MediaWikiServices;
 
 /**
@@ -53,11 +52,7 @@ class SpecialPasswordReset extends FormSpecialPage {
 
        private function getPasswordReset() {
                if ( $this->passwordReset === null ) {
-                       $this->passwordReset = new PasswordReset(
-                               $this->getConfig(),
-                               AuthManager::singleton(),
-                               MediaWikiServices::getInstance()->getPermissionManager()
-                       );
+                       $this->passwordReset = MediaWikiServices::getInstance()->getPasswordReset();
                }
                return $this->passwordReset;
        }
@@ -79,6 +74,15 @@ class SpecialPasswordReset extends FormSpecialPage {
                parent::checkExecutePermissions( $user );
        }
 
+       /**
+        * @param string $par
+        */
+       public function execute( $par ) {
+               $out = $this->getOutput();
+               $out->disallowUserJs();
+               parent::execute( $par );
+       }
+
        protected function getFormFields() {
                $resetRoutes = $this->getConfig()->get( 'PasswordResetRoutes' );
                $a = [];