r49072 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r49071‎ \| r49072 \| r49073 >
Date:	14:02, 31 March 2009
Author:	jojo
Status:	reverted (Comments)
Tags:
Comment:	fixes
Modified paths:	/trunk/extensions/Collection/collection/popup.js (modified) (history)

Diff [purge]

Index: trunk/extensions/Collection/collection/popup.js
—	—	@@ -6,7 +6,7 @@
7	7	document.write('<script type="text/javascript" src="' + wgCollectionNavPopupJSURL + '"></script>');
8	8	importStylesheetURI(wgCollectionNavPopupCSSURL);
9	9
10		~~-var createBookMode = true;~~
	10	+var createBookMode = false;
11	11	var collectionArticleList = [];
12	12	var collectionPopup;
13	13
—	—	@@ -43,6 +43,7 @@
44	44	if (ns != 0) {
45	45	stripped_title = pg.current.article.stripNamespace();
46	46	}
	47	+ stripped_title = stripped_title.replace(/'/, "\\'");
47	48	var popupContent = '<a onclick="';
48	49	if (isInCollection(title)) {
49	50	popupContent += 'popupCollectionCall(\'RemoveArticle\', [' + ns + ', \'' + stripped_title + '\', 0]); return false;';

Revision	Commit summary	Author	Date
r59946	Removed the popup feature. It's bloated (with a huge amount of unnecessary an...	tstarling	06:28, 11 December 2009

#Comment by Brion VIBBER (talk | contribs) 20:34, 4 May 2009

Seems to be an attempt to add some escaping for the JS generated in r49069, but this isn't sufficient.

#Comment by Tim Starling (talk | contribs) 06:11, 11 December 2009

This is an exploitable XSS vulnerability, live on Wikipedia for 8 months. I don't know why we put up with it.

06:29, 11 December 2009 Tim Starling (talk | contribs) changed the status of r49072 [removed: fixme added: reverted]
20:34, 4 May 2009 Brion VIBBER (talk | contribs) changed the status of r49072 [removed: new added: fixme]