| Severity | |
| Remote | |
| Type | - Unknown |
| | + Cross-site scripting |
| Description | + In MediaWiki before 1.35.1, the combination of Html::rawElement and Message::text leads to XSS because the definition of MediaWiki:recentchanges-legend-watchlistexpiry can be changed onwiki so that the output is raw HTML. |
| References | + https://phabricator.wikimedia.org/T268894 |
| | + https://github.com/wikimedia/mediawiki/commit/a8b1d863bccc6b326329d0593f8126c351c6e1be |
| Notes | + Workaround |
| | + ========== |
| | + |
| | + The problematic message was added with 1.35 and is behind a feature flag ($wgWatchlistExpiry) which is not enabled by default. Disabling this feature flag mitigates the issue. |
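
The pattern named in the description, as an added example that is not MediaWiki's code or the referenced commit: `messageText`, `messageEscaped`, `rawElement` and `element` are simplified stand-ins for `Message::text()`, `Message::escaped()`, `Html::rawElement()` and `Html::element()`. The message override and the class name are constructed.

```php
<?php
// Simplified stand-ins (assumptions), not MediaWiki source code.
// Constructed on-wiki override of the message named in the advisory.
$messages = [
    'recentchanges-legend-watchlistexpiry' => 'Expiring <img src=x onerror="alert(1)">',
];

// Stand-in for Message::text(): message text with no HTML escaping.
function messageText(array $messages, string $key): string {
    return $messages[$key];
}

// Stand-in for Message::escaped(): the same text, HTML-escaped.
function messageEscaped(array $messages, string $key): string {
    return htmlspecialchars(messageText($messages, $key), ENT_QUOTES, 'UTF-8');
}

// Stand-in for Html::rawElement(): attributes escaped, contents trusted as HTML.
function rawElement(string $tag, array $attribs, string $contents): string {
    $attrs = '';
    foreach ($attribs as $name => $value) {
        $attrs .= ' ' . $name . '="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '"';
    }
    return "<{$tag}{$attrs}>{$contents}</{$tag}>";
}

// Stand-in for Html::element(): contents treated as text and escaped.
function element(string $tag, array $attribs, string $contents): string {
    return rawElement($tag, $attribs, htmlspecialchars($contents, ENT_QUOTES, 'UTF-8'));
}

$key = 'recentchanges-legend-watchlistexpiry';
$attribs = ['class' => 'legend-item']; // hypothetical class name

// Pattern from the advisory: unescaped message text passed as raw contents.
$vulnerable = rawElement('span', $attribs, messageText($messages, $key));

// Two pairings that keep the output escaped.
$safeA = rawElement('span', $attribs, messageEscaped($messages, $key));
$safeB = element('span', $attribs, messageText($messages, $key));

echo "vulnerable: {$vulnerable}\n";
echo "safe A:     {$safeA}\n";
echo "safe B:     {$safeB}\n";

// Regression-style check: the override's markup must not survive as a tag.
var_dump(strpos($safeA, '<img') === false && $safeA === $safeB);
```

The same check works as an audit rule: any raw-contents element helper whose argument comes from an unescaped message accessor is worth flagging, since message text is editable content.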