From f22fcfb835e4c0876e4d6debfef04d94178cf01f Mon Sep 17 00:00:00 2001
From: Nick Jenkins
Date: Tue, 9 Jan 2007 06:36:39 +0000
Subject: [PATCH] Prevent XSS / arbitrary HTML injection via unescaped "rs" parameter.

Proof-of-Concept attack: http://localhost/wiki/index.php?action=ajax&rs=%3Cscript%3Ealert(%22Ownage%20-%20All%20your%20base%20are%20belong%20to%20me!%22);%3C/script%3E , which will result in this executable JavaScript output: "unknown function "
---
 includes/AjaxDispatcher.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/includes/AjaxDispatcher.php b/includes/AjaxDispatcher.php
index d19035e547..a64f56d9e4 100644
--- a/includes/AjaxDispatcher.php
+++ b/includes/AjaxDispatcher.php
@@ -55,7 +55,7 @@ class AjaxDispatcher {
 if (! in_array( $this->func_name, $wgAjaxExportList ) ) {
 header( 'Status: 400 Bad Request', true, 400 );
- echo "unknown function {$this->func_name}";
+ print "unknown function " . htmlspecialchars( $this->func_name );
 } else {
 try {
 $result = call_user_func_array($this->func_name, $this->args);
-- 
2.20.1
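Review bot: The added `print` line relies on htmlspecialchars() defaults, which escape `<`, `>`, `&` and `"` but not `'`, and on older PHP assume ISO-8859-1 rather than the wiki's UTF-8; that is sufficient for this text-node position, but the hardened form `print "unknown function " . htmlspecialchars( $this->func_name, ENT_QUOTES, 'UTF-8' );` removes the dependency on those defaults should the message ever be moved into an attribute. Separately, the 400 branch still reflects the attacker-controlled `rs` value into a body whose Content-Type is not set anywhere in the hunk, so the browser is presumably treating the response as HTML — which is the only reason this was exploitable; emitting `header( 'Content-Type: text/plain; charset=utf-8' );` next to the existing `Status: 400` header would take the error body out of an HTML context entirely and is worth adding as defense in depth. A short why-comment such as `// func_name comes from the request; escape it so the 400 body cannot carry markup` would keep the next maintainer from reverting to interpolation. The enclosing method begins before this hunk, so any earlier header() calls it makes are not visible here.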