[MediaWiki-l] Security patch for TextExtracts

Jon Robson-2
I've just swatted a change to production and merged a patch into the
current master of TextExtracts which updates the extension to strip any
script tags and input tags that may result from parser output.

The problem is theoretical and I'm not aware of any existing vectors for
attack but I recommend anyone using the TextExtracts extension in
production either update to the current master or update the
$wgExtractsRemoveClasses global config to include script and input tags.

The issue is tracked in https://phabricator.wikimedia.org/T107206 (currently
hidden but I've requested it be made public).
_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
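
A check to run after applying either fix, added here as an example and not part of the original message or of the TextExtracts code: it scans the `extract` HTML returned by a `prop=extracts` API query for script and input elements. The sample response is constructed and the function names are hypothetical.

```python
import json
from html.parser import HTMLParser

# Tags the message says should be stripped from extracts.
FORBIDDEN_TAGS = {"script", "input"}


class ForbiddenTagFinder(HTMLParser):
    """Records (tag, line, column) for every forbidden start tag."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag names, so <SCRIPT> matches; self-closing
        # tags such as <input/> are also routed through this handler.
        if tag in FORBIDDEN_TAGS:
            line, col = self.getpos()
            self.hits.append((tag, line, col))


def find_forbidden_tags(extract_html):
    finder = ForbiddenTagFinder()
    finder.feed(extract_html)
    finder.close()
    return finder.hits


def audit_api_response(raw_json):
    """Return {page title: [forbidden tags found]} for pages that fail."""
    pages = json.loads(raw_json).get("query", {}).get("pages", {})
    # "pages" is an object keyed by page id, or a list with formatversion=2.
    if isinstance(pages, dict):
        pages = pages.values()
    report = {}
    for page in pages:
        hits = find_forbidden_tags(page.get("extract", ""))
        if hits:
            report[page.get("title", "?")] = [tag for tag, _, _ in hits]
    return report


# Constructed sample response (not real wiki output).
SAMPLE_RESPONSE = json.dumps({"query": {"pages": {
    "1": {"pageid": 1, "title": "Clean page",
          "extract": "<p>Plain <b>text</b>.</p>"},
    "2": {"pageid": 2, "title": "Dirty page",
          "extract": '<p>Intro</p><SCRIPT>var x = 1;</SCRIPT>'
                     '<p>More <input type="text" name="q"/></p>'},
}}})
```

An empty result from `audit_api_response` means no script or input elements were found in the extracts that were checked.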