
Verify if PageDisqus has reflective XSS
Closed, Invalid | Public

Description

When looking at the extension for T4235, I stumbled upon this: https://github.com/wikimedia/mediawiki-extensions-PageDisqus/blob/master/PageDisqus.class.php#L39

The URL is user-controlled input, and to be honest I am not sure if getFullRequestURL properly escapes characters. Otherwise someone could give you the URL 'https://meta.miraheze.org/wiki/Miraheze" + alert("XSS") + "' and that is valid JavaScript.

test1 is down and I have no MediaWiki test installation available to test this, but it's definitely worth doing a var_dump on $wgRequest->getFullRequestURL() when visiting the URL I gave above.
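
Added example, not part of the original task and not PageDisqus code: a PHP sketch of the output-side check and fix for a request URL placed inside an inline JavaScript string. It shows that encoding at the point of output keeps the literal closed whether or not the URL getter escapes quotes. The function names, the variable name pageUrl and the percent-encoded sample are assumptions made for illustration.

```php
<?php
// Added illustration; not PageDisqus code. Function and variable names are hypothetical.

// Pattern under suspicion: raw concatenation into a double-quoted JS string.
function renderNaive(string $url): string {
    return '<script>var pageUrl = "' . $url . '";</script>';
}

// Output-side fix: encode for the JS string context. The HEX flags turn
// quotes, <, > and & into \uXXXX escapes, so the value can close neither
// the string literal nor the surrounding <script> element.
function renderEncoded(string $url): string {
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE;
    $js = json_encode($url, $flags);
    if ($js === false) {
        throw new RuntimeException('URL could not be encoded: ' . json_last_error_msg());
    }
    return '<script>var pageUrl = ' . $js . ';</script>';
}

// True if a raw double quote from the input survives inside the rendered literal.
function literalCanBeClosed(string $html, string $prefix): bool {
    $body = substr($html, strlen($prefix), -strlen(';</script>'));
    // Strip the two delimiting quotes; what remains came from the request.
    $inner = substr($body, 1, -1);
    return strpos($inner, '"') !== false;
}

$samples = [
    // URL quoted in the task description.
    'raw quotes'      => 'https://meta.miraheze.org/wiki/Miraheze" + alert("XSS") + "',
    // Constructed: the same URL with the quotes and spaces percent-encoded.
    'percent-encoded' => 'https://meta.miraheze.org/wiki/Miraheze%22%20+%20alert(%22XSS%22)%20+%20%22',
];

$prefix = '<script>var pageUrl = ';
foreach ($samples as $label => $url) {
    printf(
        "%-16s naive=%s encoded=%s\n",
        $label,
        var_export(literalCanBeClosed(renderNaive($url), $prefix), true),
        var_export(literalCanBeClosed(renderEncoded($url), $prefix), true)
    );
}
```

The naive renderer is only safe when the quotes already arrive percent-encoded, which is the property the var_dump check above is meant to establish; the encoded renderer does not depend on it.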

Event Timeline

Southparkfan created this object with visibility "Custom Policy".
John closed this task as Invalid. Jul 12 2019, 14:05
John added a subscriber: John.

No XSS.

John claimed this task. Jul 12 2019, 14:06
John triaged this task as Normal priority.
John changed the visibility from "Custom Policy" to "Public (No Login Required)".