From: Nick Jenkins Date: Tue, 9 Jan 2007 06:36:39 +0000 (+0000) Subject: Prevent XSS / arbitrary HTML injection via unescaped "rs" parameter. Proof-of-Concept... X-Git-Tag: 1.31.0-rc.0~54555 X-Git-Url: https://git.cyclocoop.org/%7B%24www_url%7Dadmin/compta/banques/ajouter.php?a=commitdiff_plain;h=f22fcfb835e4c0876e4d6debfef04d94178cf01f;p=lhc%2Fweb%2Fwiklou.git Prevent XSS / arbitrary HTML injection via unescaped "rs" parameter. Proof-of-Concept attack: localhost/wiki/index.php?action=ajax&rs=%3Cscript%3Ealert(%22Ownage%20-%20All%20your%20base%20are%20belong%20to%20me!%22);%3C/script%3E , which will result in this executable JavaScript output: "unknown function "
---
diff --git a/includes/AjaxDispatcher.php b/includes/AjaxDispatcher.php
index d19035e547..a64f56d9e4 100644
--- a/includes/AjaxDispatcher.php
+++ b/includes/AjaxDispatcher.php
@@ -55,7 +55,7 @@ class AjaxDispatcher {
 if (! in_array( $this->func_name, $wgAjaxExportList ) ) {
 header( 'Status: 400 Bad Request', true, 400 );
- echo "unknown function {$this->func_name}";
+ print "unknown function " . htmlspecialchars( $this->func_name );
 } else {
 try {
 $result = call_user_func_array($this->func_name, $this->args);
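Review bot: The error branch still emits the reflected function name with whatever default Content-Type PHP applies (typically text/html), so the added `htmlspecialchars()` on the `print` line is the only thing standing between the "rs" parameter and script execution; adding `header( 'Content-Type: text/plain; charset=utf-8' );` before the print would make the reflected value inert even if the escaping were later weakened or the message moved. The `htmlspecialchars()` call relies on default flags and no explicit charset, which is adequate for text between tags but would need `ENT_QUOTES` if this string were ever placed in an attribute. The `in_array()` check on the preceding context line uses loose comparison; passing `true` as the third argument is cheap hardening, although with non-numeric function names in `$wgAjaxExportList` I see no bypass here. The enclosing method starts and ends outside the hunk.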