Merge "SECURITY: Don't execute another user's CSS or JS on preview"
[lhc/web/wiklou.git] / includes / OutputPage.php
index 1a4f5b7..cac89f4 100644 (file)
@@ -3288,6 +3288,10 @@ class OutputPage extends ContextSource {
                if ( !$this->getTitle()->isJsSubpage() && !$this->getTitle()->isCssSubpage() ) {
                        return false;
                }
+               if ( !$this->getTitle()->isSubpageOf( $this->getUser()->getUserPage() ) ) {
+                       // Don't execute another user's CSS or JS on preview (T85855)
+                       return false;
+               }
 
                return !count( $this->getTitle()->getUserPermissionsErrors( 'edit', $this->getUser() ) );
        }
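Review bot: The comment on the added guard says what is blocked but not why, and the reason is the security-relevant part: previewing runs the page's content as script or style in the previewing user's own session. I would state that at the new check, e.g. `// Preview executes this page's content in the viewer's session, so only allow it for the viewer's own subpages (T85855)`. The closing `getUserPermissionsErrors( 'edit', ... )` test does not cover this case by itself, since it presumably passes for anyone who holds rights to edit other users' .js/.css pages. The enclosing method starts outside the hunk, so its doc comment is not visible here; it should mention the own-subpage restriction as well. A regression test that previews a second user's subpage and expects `false` would pin the behaviour.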