setting since version 1.2.0. If you have it on, turn it *off* if you can.
+== MediaWiki 1.5 alpha 2 ==
+
+June 3, 2005
+
+MediaWiki 1.5 alpha 2 includes a lot of bug fixes, feature merges,
+and a security update.
+
+Incorrect handling of page template inclusions made it possible to
+inject JavaScript code into HTML attributes, which could lead to
+cross-site scripting attacks on a publicly editable wiki.
+
+Vulnerable releases and fix:
+* 1.5 prerelease: fixed in 1.5alpha2
+* 1.4 stable series: fixed in 1.4.5
+* 1.3 legacy series: fixed in 1.3.13
+* 1.2 series no longer supported; upgrade to 1.4.5 strongly recommended
+
+
== MediaWiki 1.5 alpha 1 ==
May 3, 2005
* (bug 684) Accept an attribute parameter array on parser hook tags
* (bug 814) Integrate AuthPlugin changes to support Ryan Lane's external
LDAP authentication plugin
+* (bug 2034) Armor HTML attributes against template inclusion and links munging
=== Caveats ===
}
/** MediaWiki version number */
-$wgVersion = '1.5alpha1';
+$wgVersion = '1.5alpha2';
/** Name of the site. It must be changed in LocalSettings.php */
$wgSitename = 'MediaWiki';
continue;
}
+ # Templates and links may be expanded in later parsing,
+ # creating invalid or dangerous output. Suppress this.
+ $value = strtr( $value, array(
+ '{' => '{',
+ '[' => '[',
+ "''" => '''',
+ 'ISBN' => 'ISBN',
+ 'RFC' => 'RFC',
+ 'PMID' => 'PMID',
+ ) );
+ $value = preg_replace(
+ '/(' . URL_PROTOCOLS . '):/',
+ '\\1:', $value );
+
if( !isset( $attribs[$attribute] ) ) {
$attribs[$attribute] = "$attribute=\"$value\"";
}
</p>
!! end
+
+###
+### Safety
+###
+
+!! test
+Bug 2304: HTML attribute safety (template)
+!! input
+<div title="{{test}}"></div>
+!! result
+<div title="{{test}}"></div>
+
+!! end
+
+!! test
+Bug 2304: HTML attribute safety (link)
+!! input
+<div title="[[Main Page]]"></div>
+!! result
+<div title="[[Main Page]]"></div>
+
+!! end
+
+!! test
+Bug 2304: HTML attribute safety (italics)
+!! input
+<div title="''foobar''"></div>
+!! result
+<div title="''foobar''"></div>
+
+!! end
+
+!! test
+Bug 2304: HTML attribute safety (bold)
+!! input
+<div title="'''foobar'''"></div>
+!! result
+<div title="'''foobar'''"></div>
+
+!! end
+
+!! test
+Bug 2304: HTML attribute safety (ISBN)
+!! input
+<div title="ISBN 1234567890"></div>
+!! result
+<div title="ISBN 1234567890"></div>
+
+!! end
+
+!! test
+Bug 2304: HTML attribute safety (RFC)
+!! input
+<div title="RFC 1234"></div>
+!! result
+<div title="RFC 1234"></div>
+
+!! end
+
+!! test
+Bug 2304: HTML attribute safety (PMID)
+!! input
+<div title="PMID 1234567890"></div>
+!! result
+<div title="PMID 1234567890"></div>
+
+!! end
+
+!! test
+Bug 2304: HTML attribute safety (web link)
+!! input
+<div title="http://example.com/"></div>
+!! result
+<div title="http://example.com/"></div>
+
+!! end
+
+!! test
+Bug 2304: HTML attribute safety (named web link)
+!! input
+<div title="[http://example.com/ link]"></div>
+!! result
+<div title="[http://example.com/ link]"></div>
+
+!! end
+
+
TODO:
more images
more tables