Closed GreenReaper closed 13 years ago
Thanks for the catch. I can't believe I overlooked this.
I'm not able to do any coding on it now. Care to submit a patch or pull request?
Thanks GreenReaper for catching this. I use this extension on two MediaWiki sites and know nothing about how to code a fix to it (i.e. escaping). Thanks to whoever works on a patch/fix for this, I'll be eagerly waiting.
Well, the simplest thing might be to insert the line mentioned above, after the text "$id = trim($id);" in EmbedVideo.hooks.php. I don't really use GitHub much but here's a patch that should do it:
--- EmbedVideo.hooks.php.old 2011-05-05 08:04:18.000000000 +0200 +++ EmbedVideo.hooks.php 2011-05-03 17:26:54.000000000 +0200 @@ -84,6 +84,7 @@ $service = trim($service); $id = trim($id); + $desc = $parser->recursiveTagParse($desc); $entry = EmbedVideo::getServiceEntry($service); if (!$entry)
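Review bot: The added "$desc = $parser->recursiveTagParse($desc);" line sits before the "if (!$entry)" check and carries no comment, so the description is parsed even when the service lookup fails and nothing records why the call is there. Suggest moving it below that check and adding a one-line comment that $desc is user-supplied and is parsed so it cannot reach the output as raw HTML; that makes it less likely to be removed later as redundant. In the visible context "$service" and "$id" are only trimmed, and this hunk does not show how they reach the output, so confirm they are validated or escaped before they are written into the embed markup.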
If you copy the above into a file called EmbedVideo.hooks.php.patch, place it in the extension's directory, and run "patch < EmbedVideo.hooks.php.patch" (without the quotes), it should apply the patch. As a bonus, you can use wiki markup in the description.
Wow, that was fast. Thanks!
Added a pull request for this: https://github.com/Whiteknight/mediawiki-embedvideo/pull/21
You can pass anything in as desc and it will be displayed as arbitrary HTML in the output. For example,
Something like $desc = $parser->recursiveTagParse($desc); in parserFunction_ev seems appropriate, but I advise a review with another experienced MediaWiki coder to ensure that this is the appropriate solution and that there are no other vulnerabilities.
I have placed a warning on http://www.mediawiki.org/wiki/Extension:EmbedVideo which should be removed once this is fixed.