Escape wikitext in model= and format= url parameter to
edit page. This goes along with
1c788944 to help prevent
XSS for wikis with $wgRawHtml = true; set.
Bug: T156184
Change-Id: Ifcaa2ccf05a2a691d0b150e2f7e0e765db25fc7f
their values out of the logs.
* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF
token.
their values out of the logs.
* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF
token.
+* (T156184) SECURITY: Escape content model/format url parameter in message.
=== Action API changes in 1.29 ===
* Submitting sensitive authentication request parameters to action=login,
=== Action API changes in 1.29 ===
* Submitting sensitive authentication request parameters to action=login,
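Review bot: the release-notes entry "(T156184) SECURITY: Escape content model/format url parameter in message." omits the precondition stated in the commit message, namely that the XSS is reachable only on wikis with $wgRawHtml = true; adding that qualifier (and a pointer to the companion change 1c788944) would let site administrators judge their exposure from the notes alone.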
throw new ErrorPageError(
'editpage-invalidcontentmodel-title',
'editpage-invalidcontentmodel-text',
throw new ErrorPageError(
'editpage-invalidcontentmodel-title',
'editpage-invalidcontentmodel-text',
- [ $this->contentModel ]
+ [ wfEscapeWikiText( $this->contentModel ) ]
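Review bot: the escaping is correctly placed at the point where the user-controlled model= value becomes a message parameter, since 'editpage-invalidcontentmodel-text' is rendered as wikitext and on a $wgRawHtml wiki an unescaped value could carry raw HTML. Worth a brief code comment on the `wfEscapeWikiText( $this->contentModel )` line saying the value comes from the URL, so a later refactor does not drop the escaping as redundant.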
throw new ErrorPageError(
'editpage-notsupportedcontentformat-title',
'editpage-notsupportedcontentformat-text',
throw new ErrorPageError(
'editpage-notsupportedcontentformat-title',
'editpage-notsupportedcontentformat-text',
- [ $this->contentFormat, ContentHandler::getLocalizedName( $this->contentModel ) ]
+ [
+ wfEscapeWikiText( $this->contentFormat ),
+ wfEscapeWikiText( ContentHandler::getLocalizedName( $this->contentModel ) )
+ ]
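Review bot: this hunk escapes the localized content-model name as well as the format= parameter, which is a defensive choice since `ContentHandler::getLocalizedName( $this->contentModel )` is looked up from i18n messages rather than taken from the URL; that asymmetry with the previous hunk (which escapes only the URL-derived value) deserves a one-line comment so the intent is clear to the next reader.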