r110678 MediaWiki - Code Review archive

Repository:MediaWiki
Revision:r110677‎ | r110678 | r110679 >
Date:19:29, 3 February 2012
Author:bawolff
Status:deferred
Tags:
Comment:
Fix the XSS vulnerability in the example extension. Also comment it more (since it's an example and all)
Modified paths:
  • /trunk/extensions/examples/Parser_hook.php (modified) (history)


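--- a/trunk/extensions/examples/Parser_hook.php
+++ b/trunk/extensions/examples/Parser_hook.php
@@ -20,22 +20,39 @@
 'author' => 'Ævar Arnfjörð Bjarmason'
 );
 
+/* Register the registration function */
 $wgHooks['ParserFirstCallInit'][] = 'wfParserHook';
 
+/**
+ * The registration function.
+ */
 function wfParserHook( $parser ) {
 $parser->setHook( 'hook' , 'wfParserHookParse' );
+ // Always return true.
 return true;
 }
 
 /**
- * @param string $in The input passed to <hook>
- * @param array $argv The attributes of the <hook> element in array form
+ * @param String $data The input passed to <hook>
+ * @param Array $params The attributes of the <hook> element in array form
+ * @param Parser $parser Not used in this extension, but can be used to
+ * turn wikitext into html or do some other "advanced" stuff
+ * @param PPFrame $frame Not used in this extension, but can be used
+ * to see what template arguments ({{{1}}}) this hook was used with.
+ *
+ * @return String HTML to put in page at spot where <hook> tag is.
 */
-function wfParserHookParse( $data, $params, $parser ) {
+function wfParserHookParse( $data, $params, $parser, $frame ) {
+ // Very important to escape user data to prevent an XSS
+ // security vulnerability.
+ // print_r just turns an array into something readable.
+ $paramsEscaped = htmlspecialchars( print_r( $params, true ) );
+ $dataEscaped = htmlspecialchars( $data );
+
 if ( !count( $params ) ) {
- return $data;
+ return $dataEscaped;
 } else {
- return '<pre>' . $data . "\n" . print_r( $params, true ) . '</pre>';
+ return '<pre>' . $dataEscaped . "\n" . $paramsEscaped . '</pre>';
 }
 }
 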
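Review bot: The two `htmlspecialchars()` calls added on new lines 50-51 use the default flags, which leave single quotes unescaped; that is adequate for the `<pre>` element content this function returns, but because this file is the sample other extensions copy from, the comment above them should state the limit, e.g. `// Default htmlspecialchars() flags are enough for element content; pass ENT_QUOTES if a value is ever placed in an attribute.`. The new docblock also types `$data` as String, yet as far as I recall the parser hands null to a tag callback for a self-closing `<hook />`; `htmlspecialchars( null )` yields an empty string so the output stays safe, but `@param String|null $data` would make that contract explicit. The array whose closing `);` opens the hunk is defined before it, outside this view.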
