Cross-site scripting attack possible through desc tag

[GreenReaper]

You can pass anything in as desc and it will be displayed as arbitrary HTML in the output. For example,

Something like $desc = $parser->recursiveTagParse($desc); in parserFunction_ev seems appropriate, but I advise a review with another experienced MediaWiki coder to ensure that this is the appropriate solution and that there are no other vulnerabilities.

I have placed a warning on http://www.mediawiki.org/wiki/Extension:EmbedVideo which should be removed once this is fixed.

[Whiteknight]

Thanks for the catch. I can't believe I overlooked this.

I'm not able to do any coding on it now. Care to submit a patch or pull request?

[Thanksforyourhelp]

Thanks GreenReaper for catching this. I use this extension on two mediawiki sites and know nothing about how to code a fix to it (i.e. escaping). Thanks to whomever works on a patch/ fix for this, I'll be eagerly waiting.

[GreenReaper]

Well, the simplest thing might be to insert the line mentioned above, after the text "$id = trim($id);" in EmbedVideo.hooks.php. I don't really use GitHub much but here's a patch that should do it:

--- EmbedVideo.hooks.php.old  2011-05-05 08:04:18.000000000 +0200
+++ EmbedVideo.hooks.php   2011-05-03 17:26:54.000000000 +0200
@@ -84,6 +84,7 @@

         $service = trim($service);
         $id = trim($id);
+         $desc = $parser->recursiveTagParse($desc);

         $entry = EmbedVideo::getServiceEntry($service);
         if (!$entry)

If you copy the above into a file called EmbedVideo.hooks.php.patch, place it in the extension's directory, and run "patch < EmbedVideo.hooks.php.patch" (without the quotes), it should apply the patch. As a bonus, you can use wiki markup in the description.

[Thanksforyourhelp]

Wow, that was fast. Thanks!

[ibressler]

added a pull request for this https://github.com/Whiteknight/mediawiki-embedvideo/pull/21