From d4385537bcd8284936cbcafcc84718dcc9b52181 Mon Sep 17 00:00:00 2001
From: Brian Wolff
Date: Mon, 26 Sep 2016 10:40:30 +0000
Subject: [PATCH] SECURITY: XSS in search if $wgAdvancedSearchHighlighting = true;

In the non-default configuration where $wgAdvancedSearchHighlighting is set to true, there is an XSS vulnerability as HTML tags are not properly escaped if the tag spans multiple search results

Issue introduced in abf726ea0 (MediaWiki 1.13 and above).

Bug: T144845
Change-Id: I2db7888d591b97f1a01bfd3b7567ce6f169874d3
---
 RELEASE-NOTES-1.29 | 2 ++
 includes/search/SearchHighlighter.php | 8 ++++++++
 2 files changed, 10 insertions(+)

diff --git a/RELEASE-NOTES-1.29 b/RELEASE-NOTES-1.29
index 11f961e3e8..a2dbcd5838 100644
--- a/RELEASE-NOTES-1.29
+++ b/RELEASE-NOTES-1.29
@@ -88,6 +88,8 @@ production.
 * (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed.
 * (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect to interwiki links.
+* (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
+ $wgAdvancedSearchHighlighting is true.
 === Action API changes in 1.29 ===
 * Submitting sensitive authentication request parameters to action=login,
diff --git a/includes/search/SearchHighlighter.php b/includes/search/SearchHighlighter.php
index d0e3a240d6..cebdb40dbb 100644
--- a/includes/search/SearchHighlighter.php
+++ b/includes/search/SearchHighlighter.php
@@ -29,6 +29,10 @@ class SearchHighlighter {
 protected $mCleanWikitext = true;
+/**
+ * @warning If you pass false to this constructor, then
+ * the caller is responsible for HTML escaping.
+ */
 function __construct( $cleanupWikitext = true ) {
 $this->mCleanWikitext = $cleanupWikitext;
 }
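Review bot: The new docblock on `__construct` states the consequence of passing false but leaves the parameter itself undocumented and untyped, so static analysis and callers still have to infer the contract from the @warning. Suggest adding `@param bool $cleanupWikitext False disables the built-in cleanup and HTML escaping; the caller must then escape the returned text before output.` above the @warning line. The constructor body is fully visible here, but the class continues outside the hunk, and the escaping the warning refers to is applied in a later hunk of the same file rather than in the constructor.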
@@ -456,6 +460,10 @@ class SearchHighlighter {
 $text = preg_replace( "/('''|<\/?[iIuUbB]>)/", "", $text );
 $text = preg_replace( "/''/", "", $text );
+// Note, the previous /<\/?[^>]+>/ is insufficient
+// for XSS safety as the HTML tag can span multiple
+// search results (T144845).
+$text = Sanitizer::escapeHtmlAllowEntities( $text );
 return $text;
 }
--
2.20.1
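Review bot: The added `Sanitizer::escapeHtmlAllowEntities( $text )` call changes the contract of the enclosing method (whose signature and docblock start outside this hunk): the returned string is now HTML-escaped rather than plain text, and nothing in the hunk records that, so a caller that already escapes at output would double-escape, while one that relied on the old behaviour silently changes. The method's docblock should state it, e.g. `@return string Text with wiki markup removed and HTML-escaped (existing entities presumably preserved, per the helper's name); do not escape again.` Because the added comment refers to the earlier `/<\/?[^>]+>/` replacement that lives outside this hunk, the two can drift apart; a regression test that passes text containing `<` and `>` through this method and asserts `&lt;`/`&gt;` in the result with no raw tag would pin the fix independently of that comment. The escape also needs to remain the last transformation before `return $text;`, since any replacement inserted after it could reintroduce unescaped characters.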