From e94674443dab28de7f47cc83f2028a3e81ab2a25 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Bartosz=20Dziewo=C5=84ski?=
Date: Thu, 14 Apr 2016 19:33:43 +0200
Subject: [PATCH] mw.ForeignApi: Percent-encode dots in the 'origin' parameter
Depending on server configuration, MediaWiki may forbid some periods in URLs, due to an IE 6 XSS bug. If that is the case on the remote wiki, ForeignApi would previously not be able to contact it. Also tweaked similar code in mw.Api to make it more obvious what is the purpose of it, and future-proof against any dots in tokens.
Bug: T132612
Change-Id: I6dc0b4ab18e5756fc7566608192d59d10729db99
---
 resources/src/mediawiki/ForeignApi.js | 4 +++-
 resources/src/mediawiki/api.js | 9 +++++----
 2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/resources/src/mediawiki/ForeignApi.js b/resources/src/mediawiki/ForeignApi.js
index b8cc059819..899daa57a4 100644
--- a/resources/src/mediawiki/ForeignApi.js
+++ b/resources/src/mediawiki/ForeignApi.js
@@ -94,7 +94,9 @@
 url = ( ajaxOptions && ajaxOptions.url ) || this.defaults.ajax.url;
 origin = ( parameters && parameters.origin ) || this.defaults.parameters.origin;
 url += ( url.indexOf( '?' ) !== -1 ? '&' : '?' ) +
- 'origin=' + encodeURIComponent( origin );
+ // Depending on server configuration, MediaWiki may forbid periods in URLs, due to an IE 6
+ // XSS bug. So let's escape them here. See WebRequest::checkUrlExtension() and T30235.
+ 'origin=' + encodeURIComponent( origin ).replace( /\./g, '%2E' );
 newAjaxOptions = $.extend( {}, ajaxOptions, { url: url } );
 } else {
 newAjaxOptions = ajaxOptions;
diff --git a/resources/src/mediawiki/api.js b/resources/src/mediawiki/api.js
index 3bc0ad3813..ab24a00b57 100644
--- a/resources/src/mediawiki/api.js
+++ b/resources/src/mediawiki/api.js
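Review bot: The dot escape on the new `'origin=' + encodeURIComponent( origin ).replace( /\./g, '%2E' )` line, and the same `replace( /\./g, '%2E' )` added in the api.js hunk, is not pinned by any test: the diffstat lists only the two source files. A QUnit case asserting that the built request URL carries the origin value with `%2E` and no literal `.` would keep both call sites from regressing. The replace is only correct because it runs on the output of `encodeURIComponent`, so a comment such as `// Must run after encodeURIComponent(), otherwise the '%' of %2E would be encoded again` is worth adding. Dots in a query string already carried by `url` are not escaped here, which may still trip the remote check. The enclosing function starts and ends outside the hunk.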
@@ -212,16 +212,17 @@
 // Prevent jQuery from overriding the Content-Type header
 ajaxOptions.contentType = false;
 } else {
- // Some deployed MediaWiki >= 1.17 forbid periods in URLs, due to an IE XSS bug
- // So let's escape them here. See bug #28235
 // This works because jQuery accepts data as a query string or as an Object
- ajaxOptions.data = $.param( parameters ).replace( /\./g, '%2E' );
-
+ ajaxOptions.data = $.param( parameters );
 // If we extracted a token parameter, add it back in.
 if ( token ) {
 ajaxOptions.data += '&token=' + encodeURIComponent( token );
 }
+ // Depending on server configuration, MediaWiki may forbid periods in URLs, due to an IE 6
+ // XSS bug. So let's escape them here. See WebRequest::checkUrlExtension() and T30235.
+ ajaxOptions.data = ajaxOptions.data.replace( /\./g, '%2E' );
+
 if ( ajaxOptions.contentType === 'multipart/form-data' ) {
 // We were asked to emulate but can't, so drop the Content-Type header, otherwise
 // it'll be wrong and the server will fail to decode the POST body
--
2.20.1
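Review bot: Nothing in the new comment above `ajaxOptions.data = ajaxOptions.data.replace( /\./g, '%2E' );` says that this line has to stay below the `if ( token )` block, yet that ordering is what makes the escape cover the re-appended token value. I would extend the comment with `// Must run after the token is appended, so that dots in the token are escaped too.` The comment also speaks of periods in URLs, while `ajaxOptions.data` is presumably sent as the request body for POST requests. Stating that the escape is applied to both cases on purpose would spare the next reader the question. The enclosing else branch continues outside the hunk.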