Generate the URL used for loading a new page in JavaScript,
instead of relying on the URL in the link that has been clicked
(as that link could have been crafted by an attacker).
Bug: 66608
Change-Id: I19e2bf3af017a37c35cbadce9a70194aac693f33
if ( $page > 1 ) {
$label = $out->parse( wfMessage( 'imgmultipageprev' )->text(), false );
+ // on the client side, this link is generated in ajaxifyPageNavigation()
+ // in the mediawiki.page.image.pagination module
$link = Linker::linkKnown(
$this->getTitle(),
$label,
),
'mediawiki.page.image.pagination' => array(
'scripts' => 'resources/src/mediawiki.page/mediawiki.page.image.pagination.js',
- 'dependencies' => array( 'jquery.spinner' )
+ 'dependencies' => array(
+ 'mediawiki.Uri',
+ 'mediawiki.util',
+ 'jquery.spinner',
+ ),
),
/* MediaWiki Special pages */
function bindPageNavigation( $container ) {
$container.find( '.multipageimagenavbox' ).one( 'click', 'a', function ( e ) {
- loadPage( this.href );
+ var page, uri;
+
+ // Generate the same URL on client side as the one generated in ImagePage::openShowImage.
+ // We avoid using the URL in the link directly since it could have been manipulated (bug 66608)
+ page = Number( mw.util.getParamValue( 'page', this.href ) );
+ uri = new mw.Uri( mw.util.wikiScript() )
+ .extend( { title: mw.config.get( 'wgPageName' ), page: page } )
+ .toString();
+
+ loadPage( uri );
e.preventDefault();
} );
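Review bot: `Number( mw.util.getParamValue( 'page', this.href ) )` still takes its value from the clicked link and is not checked before being placed in the rebuilt URL. A link without a `page` parameter yields `0` (getParamValue returns null), and a non-numeric value yields `NaN`, which would presumably be serialised as `page=NaN`. Fractions, negative numbers and exponent forms also pass through. The coercion keeps arbitrary strings out of the request, but the handler should only ever send a positive integer, for example `page = parseInt( mw.util.getParamValue( 'page', this.href ), 10 );` followed by `if ( !( page >= 1 ) ) { page = 1; }`. Clamping is safer than returning early because the handler is bound with `.one()`, so an early return would leave the next click to follow the unvalidated href natively.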