r81050 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r81049‎ \| r81050 \| r81051 >
Date:	20:29, 26 January 2011
Author:	foxtrott
Status:	deferred
Tags:
Comment:	fixed bug and security issue * script execution crashed when another framework beside jQuery used $ * parser function allowed injection of arbitrary script code
Modified paths:	/trunk/extensions/HeaderTabs/HeaderTabs_body.jq.php (modified) (history) /trunk/extensions/HeaderTabs/HeaderTabs_body.yui.php (modified) (history)

Diff [purge]

Index: trunk/extensions/HeaderTabs/HeaderTabs_body.yui.php
—	—	@@ -129,14 +129,15 @@
130	130	function renderSwitchTabLink( &$parser, $tabName, $linkText, $anotherTarget = '' ) {
131	131	$tabTitle = Title::newFromText( $tabName );
132	132	$tabKey = $tabTitle->getDBkey();
	133	+ $sanitizedLinkText = $parser->recursiveTagParse( $linkText );
133	134
134	135	if ( $anotherTarget != '' ) {
135	136	$targetTitle = Title::newFromText( $anotherTarget );
136	137	$targetURL = $targetTitle->getFullURL();
137	138
138		~~- $output = '<a href="' . $targetURL . '#tab=' . $tabKey . '">' . $linkText . '</a>';~~
	139	+ $output = '<a href="' . $targetURL . '#tab=' . $tabKey . '">' . $sanitizedLinkText . '</a>';
139	140	} else {
140		~~- $output = '<a href="#tab=' . $tabKey . '" onclick="return HeaderTabs.switchTab(\'' . $tabKey . '\')">' . $linkText . '</a>';~~
	141	+ $output = '<a href="#tab=' . $tabKey . '" onclick="return HeaderTabs.switchTab(\'' . $tabKey . '\')">' . $sanitizedLinkText . '</a>';
141	142	}
142	143
143	144	return $parser->insertStripItem( $output, $parser->mStripState );
Index: trunk/extensions/HeaderTabs/HeaderTabs_body.jq.php
—	—	@@ -93,20 +93,23 @@
94	94	$wgOut->addModules( 'jquery.ui.tabs' );
95	95	$js_text =<<<END
96	96	<script type="text/javascript">
97		~~-$(function() {~~
	97	+jQuery(function($) {
	98	+
98	99	$("#headertabs").tabs();
99	100	var curHash = window.location.hash;
100	101	if ( curHash.indexOf( "#tab=" ) == 0 ) {
101	102	var tabName = curHash.replace( "#tab=", "" );
102	103	$("#headertabs").tabs('select', tabName);
103	104	}
	105	+
	106	+ $(".tabLink").click( function() {
	107	+ var href = $(this).attr('href');
	108	+ var tabName = href.replace( "#tab=", "" );
	109	+ $("#headertabs").tabs('select', tabName);
	110	+ return false; //$htUseHistory;
	111	+ } );
	112	+
104	113	});
105		~~-$(".tabLink").click( function() {~~
106		~~- var href = $(this).attr('href');~~
107		~~- var tabName = href.replace( "#tab=", "" );~~
108		~~- $("#headertabs").tabs('select', tabName);~~
109		~~- return false; //$htUseHistory;~~
110		~~-} );~~
111	114	</script>
112	115
113	116	END;
—	—	@@ -118,15 +121,16 @@
119	122	function renderSwitchTabLink( &$parser, $tabName, $linkText, $anotherTarget = '' ) {
120	123	$tabTitle = Title::newFromText( $tabName );
121	124	$tabKey = $tabTitle->getDBkey();
	125	+ $sanitizedLinkText = $parser->recursiveTagParse( $linkText );
122	126
123	127	if ( $anotherTarget != '' ) {
124	128	$targetTitle = Title::newFromText( $anotherTarget );
125	129	$targetURL = $targetTitle->getFullURL();
126	130
127		~~- $output = '<a href="' . $targetURL . '#tab=' . $tabKey . '">' . $linkText . '</a>';~~
	131	+ $output = '<a href="' . $targetURL . '#tab=' . $tabKey . '">' . $sanitizedLinkText . '</a>';
128	132	} else {
129	133	$output =<<<END
130		~~-<a href="#tab=$tabKey" class="tabLink">$linkText</a>~~
	134	+<a href="#tab=$tabKey" class="tabLink">$sanitizedLinkText</a>
131	135	END;
132	136	}
133	137

Status & tagging log

13:07, 2 February 2011 Reedy (talk | contribs) changed the status of r81050 [removed: new added: deferred]