+ "details": "Various system messages are inserted by the Citizen skin in multiple places without proper sanitization.\n\n## 1 - Command Palette Tips\n\n### Summary\nMultiple system messages are inserted into the CommandPaletteFooter as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM.\n\n### Details\nThe messages are retrieved using the `plain()` output mode: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/resources/skins.citizen.commandPalette/components/CommandPaletteFooter.vue#L61-L66\n`currentTip` is set to one of these messages: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/resources/skins.citizen.commandPalette/components/CommandPaletteFooter.vue#L69\n`currentTip` is inserted as raw HTML (`vue/no-v-html` should *not* be ignored here): https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/resources/skins.citizen.commandPalette/components/CommandPaletteFooter.vue#L3-L4\n\n### PoC\n1. Edit `citizen-command-palette-tip-commands`, `citizen-command-palette-tip-users`, `citizen-command-palette-tip-namespace` and `citizen-command-palette-tip-templates` to `<img src=\"\" onerror=\"alert(1)\">` (script tags don't work here due to the way the HTML is inserted)\n2. Open the command palette\n\n\n### Impact\nThis impacts wikis where a group has the `editinterface` but not the `editsitejs` user right.\n\n## 2 - Menu Headings\n\n### Summary\nAll system messages in menu headings using the Menu.mustache template are inserted as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM.\n\n### Details\nThe system messages for menu headings are inserted unescaped into raw HTML:\nhttps://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/templates/Menu.mustache#L8-L10\n\n### PoC\n1. 
Go to any article using citizen with the `uselang` parameter set to `x-xss`\n2. A large number of alerts will be shown for various messages, e.g.:\n\n\n\nOn the main page of my test wiki, the following messages were shown: `navigation`, `notifications`, `user-interface-preferences`, `personaltools`, `variants`, `views`, `associated-pages`, `cactions` and `toolbox`.\n\n### Impact\nThis impacts wikis where a group has the `editinterface` but not the `editsitejs` user right.\n\n\n## 3 - User registration date\n\n### Summary\nVarious date messages returned by `Language::userDate` are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM.\n\n### Details\nThe result of `$this->lang->userDate( $timestamp, $this->user )` returns unescaped values, but is inserted as raw HTML by Citizen:\nhttps://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/includes/Components/CitizenComponentUserInfo.php#L55-L60\n\n### PoC\n1. Go to any page using citizen with the uselang parameter set to x-xss and while being logged in\nDepending on the registration date of the account you're logged in with, various messages can be shown. In my case, it's `november`:\n\n\n\n### Impact\nThis impacts wikis where a group has the `editinterface` but not the `editsitejs` user right.\n\n\n## 4 - Preferences menu headings\n\n### Summary\nVarious preferences messages are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM.\n\n### Details\nThe `innerHtml` of the label div is set to the `textContent` of the label, essentially unsanitizing the system messages:\nhttps://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/407052e7069bdeae927d6f1a2a1c9a45b473bf9a/resources/skins.citizen.preferences/addPortlet.polyfill.js#L18\n\n\n### PoC\n1. 
Edit `citizen-feature-custom-font-size-name` (or any other message displayed in a heading in the preferences menu) to `<img src=\"\" onerror=\"alert('citizen-feature-custom-font-size-name')\">` (script tags don't work here due to the way the HTML is inserted)\n2. Open the preferences menu\n\n\n\n\n## 5 - No results messages\n\n### Summary\nThe `citizen-search-noresults-title` and `citizen-search-noresults-desc` system messages are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM.\n\n### Details\nThe system messages are inserted as raw HTML by the mustache template:\nhttps://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/407052e7069bdeae927d6f1a2a1c9a45b473bf9a/resources/skins.citizen.search/templates/TypeaheadPlaceholder.mustache#L8-L9\n\n\n### PoC\n1. Edit `citizen-search-noresults-title` and `citizen-search-noresults-desc` to `<img src=\"\" onerror=\"alert('citizen-search-noresults-title')\">` and `<img src=\"\" onerror=\"alert('citizen-search-noresults-desc')\">` (script tags don't work here due to the way the HTML is inserted)\n2. Open the search bar and search for a page that doesn't exist to get the \"no results\" messages to show up\n\n\n\n\n\n### Impact\nThis impacts wikis where a group has the `editinterface` but not the `editsitejs` user right.",
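Review bot: section "4 - Preferences menu headings" is the only one of the five findings without an "### Impact" subsection, so the affected-rights statement that closes findings 1, 2, 3 and 5 ("wikis where a group has the `editinterface` but not the `editsitejs` user right") is missing there; add it, since the finding is the same class of message-editing XSS. The PoC steps in findings 2, 3 and 4 also end in runs of blank lines where screenshots evidently were, leaving "e.g.:" and "In my case, it's `november`:" pointing at nothing; either restore the images as links or reword those lines so each step stands on its own. Finally, the details describe the unsafe sinks (`plain()` output fed to `v-html`, `innerHtml` set from `textContent`, unescaped message output in the Mustache templates) without stating the fix; a one-line remediation per finding (escape the message text before insertion, or use `v-text`/`textContent` on the output side) would help downstream consumers of the advisory.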