"Wikinaut" posted a comment on MediaWiki.r111263.
URL: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/111263#c30792
Commit summary for MediaWiki.r111263:
initial import of new extension EtherpadLite
Wikinaut's comment:
Thanks for your deep analysis, which I appreciate very much.
As you might have noticed, I already use the Sanitizer::cleanUrl and
Html::rawElement methods as mentioned in the Security Guides.
Regarding the pad-id and the query string parameters, which then form
part of the URL, I now think of sanitizing the whole "src" parameter as in
this example:
"src" => Sanitizer::cleanUrl("$epliteHostUrl/$padId" .
"?showControls=$showControls" .
"&showChat=$showChat" .
"&showLineNumbers=$showLineNumbers" .
"&useMonospaceFont=$useMonospaceFont" .
"&userName=$userName" .
"&noColors=$noColors"),
If this works, will it fulfil the MW requirements for sane code?
Html::rawElement was mentioned as a good way to sanitize here:
https://www.mediawiki.org/wiki/Security_checklist_for_developers#Output_.28API.2C_CSS.2C_JavaScript.2C_HTML.2C_XML.2C_etc..29
so I thought it is enough to use this method.
Please correct me if I am wrong.
_______________________________________________
MediaWiki-CodeReview mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-codereview
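An added example (mine, not Wikinaut's code and not the EtherpadLite extension's) of the difference between running Sanitizer::cleanUrl over an interpolated string and encoding each query value before the URL is assembled. It is plain PHP so it runs without MediaWiki; the pad-id character rule and the eplite* function names are my assumptions. In the extension the resulting string would be placed in the attribute array handed to Html::rawElement, whose attribute escaping remains the last line of defence.

```php
<?php
// Added example: builds the iframe "src" from untrusted tag parameters.
// Plain PHP stand-ins are used so it runs outside MediaWiki; in the
// extension the value would go into the attribs array of Html::rawElement.

// Boolean display options are whitelisted to "true"/"false" rather than
// interpolated, so a value like "1&userName=x" cannot smuggle a parameter.
function epliteBoolParam(string $value): string
{
    return in_array(strtolower($value), ['true', '1', 'yes'], true) ? 'true' : 'false';
}

// Pad ids are restricted to a conservative character set (assumption: the
// exact rule the extension wants may differ); anything else is rejected.
function epliteValidatePadId(string $padId): ?string
{
    return preg_match('/^[A-Za-z0-9_.-]{1,100}$/', $padId) === 1 ? $padId : null;
}

// Assemble the src URL. Every query value goes through http_build_query,
// which percent-encodes it, and the pad id through rawurlencode.
function epliteBuildSrc(string $hostUrl, string $padId, array $opts): ?string
{
    $padId = epliteValidatePadId($padId);
    if ($padId === null) {
        return null;
    }
    $query = http_build_query([
        'showControls'     => epliteBoolParam($opts['showControls'] ?? 'true'),
        'showChat'         => epliteBoolParam($opts['showChat'] ?? 'true'),
        'showLineNumbers'  => epliteBoolParam($opts['showLineNumbers'] ?? 'true'),
        'useMonospaceFont' => epliteBoolParam($opts['useMonospaceFont'] ?? 'false'),
        'userName'         => (string) ($opts['userName'] ?? ''),
        'noColors'         => epliteBoolParam($opts['noColors'] ?? 'false'),
    ], '', '&', PHP_QUERY_RFC3986);
    return rtrim($hostUrl, '/') . '/' . rawurlencode($padId) . '?' . $query;
}

// Constructed input: a userName carrying an ampersand and a double quote.
// After encoding they are %26 and %22, so they can neither add a second
// query parameter nor terminate the src attribute.
$src = epliteBuildSrc('https://pad.example.org/p', 'Sandbox',
    ['userName' => 'x&noColors=true"']);
echo htmlspecialchars($src, ENT_QUOTES) . "\n";
// In the interpolated form from the comment, "&" and the quote stay raw
// inside the value: Sanitizer::cleanUrl normalises a URL, it does not
// percent-encode parameter values, so only attribute escaping protects you.
```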