Prevent XSS / arbitrary HTML injection via unescaped "rs" parameter. Proof-of-Concept...
authorNick Jenkins <nickj@users.mediawiki.org>
Tue, 9 Jan 2007 06:36:39 +0000 (06:36 +0000)
committerNick Jenkins <nickj@users.mediawiki.org>
Tue, 9 Jan 2007 06:36:39 +0000 (06:36 +0000)
includes/AjaxDispatcher.php

index d19035e..a64f56d 100644 (file)
@@ -55,7 +55,7 @@ class AjaxDispatcher {
 
                if (! in_array( $this->func_name, $wgAjaxExportList ) ) {
                        header( 'Status: 400 Bad Request', true, 400 );
-                       echo "unknown function {$this->func_name}";
+                       print "unknown function " . htmlspecialchars( $this->func_name );
                } else {
                        try {
                                $result = call_user_func_array($this->func_name, $this->args);
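Review bot: The escaping on the added line relies on htmlspecialchars() defaults, which at this PHP era do not encode single quotes and do not pin a charset, so the value is only safe when this response is rendered in a double-quoted-attribute-free HTML text context; passing the quote flag explicitly removes that dependency, `print "unknown function " . htmlspecialchars( $this->func_name, ENT_QUOTES );`. The whitelist check two lines above still uses a loose in_array(), so numeric-looking strings compare by value rather than identity; `if (! in_array( $this->func_name, $wgAjaxExportList, true ) ) {` keeps the export list an exact-match gate. The enclosing method begins and ends outside this hunk, so whether the response sets a Content-Type before these prints cannot be confirmed from here.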