Steps to reproduce:
- Register a new account with the username " onclick="alert(document.domain)
- Upload a new file
- Visit Special:GlobalNewFiles (with a privileged account, if you want)
- Click on the username
Results:
- Clicking the link should lead to the user's CentralAuth page; instead it executes the JavaScript embedded in the username
Recommended fix:
- Use MediaWiki's own helpers (Html, LinkRenderer, ...) instead of hand-crafting HTML and URLs, and apply htmlspecialchars() where necessary
- Quick example:
case 'files_user': - $formatted = "<a href=\"/wiki/Special:CentralAuth/{$row->files_user}\">{$row->files_user}</a>"; + $formatted = MediaWikiServices::getInstance()->getLinkRenderer()->makeLink( + SpecialPage::getTitleFor( 'CentralAuth', $row->files_user ), + $row->files_user + ); break;
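Review bot: the replacement needs `use MediaWiki\MediaWikiServices;` at the top of the file, and if this `case` runs inside the special page class itself, `$this->getLinkRenderer()` is preferable to the static `MediaWikiServices::getInstance()` locator. Passing `$row->files_user` to `makeLink()` as a plain string (not wrapped in HtmlArmor) is what makes the link text escaped, so no separate htmlspecialchars() is needed for it; keep it that way.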
- Use static analysis tools such as Phan to find some security issues (although not this one)
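To make the recommended fix concrete, here is an added plain-PHP stand-in (not code from the GlobalNewFiles extension or MediaWiki's helpers) that renders the username from the reproduction steps with the hand-crafted pattern and with proper URL and HTML escaping, plus a small check suitable for a regression test. The function names and the check are assumptions of this example.

```php
<?php
// Added example: plain-PHP stand-in for the vulnerable link and an escaped form.
// Constructed username taken from the report's reproduction steps.
$username = ' onclick="alert(document.domain)';

// Vulnerable pattern: raw interpolation into markup. The double quote in the
// username terminates the href attribute and the remainder is parsed as a new
// event-handler attribute on the anchor.
function linkUnsafe(string $user): string {
    return "<a href=\"/wiki/Special:CentralAuth/{$user}\">{$user}</a>";
}

// Hardened stand-in for what Html::element()/LinkRenderer do for you: the path
// segment is percent-encoded, and every attribute value and text node is
// HTML-escaped with ENT_QUOTES so neither '"' nor "'" can end an attribute.
function linkSafe(string $user): string {
    $href = '/wiki/Special:CentralAuth/' . rawurlencode($user);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
        . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Regression check (assumed helper): count the attributes inside the opening
// <a ...> tag. A correctly rendered link carries exactly one (href); any
// additional attribute means the username broke out of the href value.
function openingTagAttributeCount(string $html): int {
    if (!preg_match('/^<a\s([^>]*)>/', $html, $m)) {
        return -1; // not an anchor at all
    }
    return preg_match_all('/(?:^|\s)[a-zA-Z-]+="/', $m[1]);
}

echo linkUnsafe($username), "\n"; // href closed early, onclick attribute injected
echo linkSafe($username), "\n";   // single href attribute, payload inert as text
echo 'unsafe attributes: ', openingTagAttributeCount(linkUnsafe($username)), "\n";
echo 'safe attributes:   ', openingTagAttributeCount(linkSafe($username)), "\n";
```

Run with `php example.php`; the unsafe anchor reports two attributes while the escaped one reports one, which is the condition a unit test for the fix can assert on.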