r95387 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r95386‎ \| r95387 \| r95388 >
Date:	09:38, 24 August 2011
Author:	catrope
Status:	ok
Tags:
Comment:	Followup r95316, r95317 per CR: escape the URL before using it in HTML. It doesn't look like this was a viable XSS vector because FullRequestURL comes with strange characters urlencoded (at least on Apache) but it sure looked scary
Modified paths:	/trunk/extensions/MobileFrontend/MobileFrontend.php (modified) (history)

Diff [purge]

Index: trunk/extensions/MobileFrontend/MobileFrontend.php
—	—	@@ -156,7 +156,7 @@
157	157	self::$enableImagesURL = $wgRequest->escapeAppendQuery( 'enableImages=1' );
158	158	self::$disableMobileSiteURL = $wgRequest->escapeAppendQuery( 'mobileaction=disable_mobile_site' );
159	159	self::$viewNormalSiteURL = $wgRequest->escapeAppendQuery( 'mobileaction=view_normal_site' );
160		~~- self::$currentURL = $wgRequest->getFullRequestURL();~~
	160	+ self::$currentURL = htmlspecialchars( $wgRequest->getFullRequestURL() );
161	161
162	162	$skin = $wgUser->getSkin();
163	163	$copyright = $skin->getCopyright();

Follow-up revisions

Revision	Commit summary	Author	Date
r95388	1.17wmf1: MFT r95387	catrope	09:39, 24 August 2011

Past revisions this follows-up on

Revision	Commit summary	Author	Date
r95316	fix for bug 29016 - disabling mobile view throws us to start page	preilly	18:07, 23 August 2011
r95317	mft r95316	preilly	18:08, 23 August 2011

Status & tagging log

20:42, 24 August 2011 😂 (talk | contribs) changed the status of r95387 [removed: new added: ok]