From: Bartosz DziewoƄski
Date: Mon, 2 Mar 2020 16:08:15 +0000 (+0100)
Subject: SECURITY: jquery.makeCollapsible: Escape user-generated CSS selectors
X-Git-Tag: 1.34.1~2
X-Git-Url: http://git.cyclocoop.org/?p=lhc%2Fweb%2Fwiklou.git;a=commitdiff_plain;h=8305501119abee2722e3529e1ac2042c104e255d
SECURITY: jquery.makeCollapsible: Escape user-generated CSS selectors
Bug: T246602
Change-Id: Iea64a258499ab597b9a8900418a42162fdb5f391
---
diff --git a/resources/src/jquery/jquery.makeCollapsible.js b/resources/src/jquery/jquery.makeCollapsible.js
index de307a69d9..32a5d3de72 100644
--- a/resources/src/jquery/jquery.makeCollapsible.js
+++ b/resources/src/jquery/jquery.makeCollapsible.js
@@ -243,6 +243,7 @@
 } else {
 collapsibleId = $collapsible.attr( 'id' ) || '';
 if ( collapsibleId.indexOf( 'mw-customcollapsible-' ) === 0 ) {
+ collapsibleId = $.escapeSelector( collapsibleId );
 $customTogglers = $( '.' + collapsibleId.replace( 'mw-customcollapsible', 'mw-customtoggle' ) )
 .addClass( 'mw-customtoggle' );
 }
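Review bot: The added line overwrites `collapsibleId` with its selector-escaped form, so the variable holds a raw id before this line and an encoded string after it. Any later use of `collapsibleId` as a plain id would see the escaped value; the enclosing function continues outside this hunk, so that cannot be checked here. Escaping where the selector is built keeps the raw value intact and does not depend on the `mw-customcollapsible` prefix passing through escaping unchanged: `$customTogglers = $( '.' + $.escapeSelector( collapsibleId.replace( 'mw-customcollapsible', 'mw-customtoggle' ) ) )`. A short comment such as `// The id is user-controlled; escape it before using it in a selector` would record why the call is there. A regression test with an id containing selector metacharacters would keep the escaping from being dropped in a later refactor.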