captcha-label and fancycaptcha-captcha can be used to include raw HTML on pages that display a captcha box.
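As an added illustration (not code from ConfirmEdit or FancyCaptcha), the pattern behind this class of bug in plain PHP: an i18n message is concatenated into the captcha markup as-is, shown beside the escaped form and a small check a reviewer can run over rendered output. The `$messages` array, the `msgText`, `renderCaptchaUnsafe`, `renderCaptchaSafe` and `messageMarkupLeaks` names are constructed for this example; in MediaWiki itself the corresponding calls are `Message::text()` for the raw string and `Message::escaped()` (or `Html::element()` for a whole element) for the HTML-safe one.

```php
<?php
// Added illustration, not FancyCaptcha's own code. The message store below is a
// constructed stand-in for MediaWiki's i18n system: on a real wiki the value of a
// message such as captcha-label can be overridden by anyone holding the
// editinterface right (administrators by default), so from the renderer's point of
// view message text is untrusted input.
$messages = [
    'captcha-label'        => 'CAPTCHA<script>alert(document.domain)</script>',
    'fancycaptcha-captcha' => 'Enter the text you see in the image',
];

// Raw message lookup (the analogue of Message::text()).
function msgText(array $messages, string $key): string {
    return $messages[$key] ?? '';
}

// Vulnerable pattern: the message is concatenated into HTML unchanged, so any
// markup in the message becomes markup on the page that shows the captcha box.
function renderCaptchaUnsafe(array $messages): string {
    return '<p>' . msgText($messages, 'fancycaptcha-captcha') . '</p>'
        . '<label for="wpCaptchaWord">' . msgText($messages, 'captcha-label') . '</label>';
}

// Hardened pattern: escape at the point where text meets HTML (the analogue of
// Message::escaped()).
function renderCaptchaSafe(array $messages): string {
    $esc = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>' . $esc(msgText($messages, 'fancycaptcha-captcha')) . '</p>'
        . '<label for="wpCaptchaWord">' . $esc(msgText($messages, 'captcha-label')) . '</label>';
}

// Review check: list every message key whose value contains '<' and reaches the
// rendered HTML verbatim, i.e. was inserted without escaping.
function messageMarkupLeaks(array $messages, string $html): array {
    $leaks = [];
    foreach ($messages as $key => $value) {
        if (strpos($value, '<') !== false && strpos($html, $value) !== false) {
            $leaks[] = $key;
        }
    }
    return $leaks;
}

print_r(messageMarkupLeaks($messages, renderCaptchaUnsafe($messages)));
print_r(messageMarkupLeaks($messages, renderCaptchaSafe($messages)));
```

Run with `php`: the first `print_r` names `captcha-label` because the unsafe renderer passes the script tag through intact, while the second prints an empty array because the safe renderer turns the angle brackets into entities. The same check can be pointed at any rendered form on a wiki where a test message override containing `<` has been set.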
Details
- Risk Rating: Low
- Author Affiliation: WMF Technology Dept
| Status | Subtype | Assigned | Task |
|---|---|---|---|
| Open | | None | T345245 Mitigate phase-out of third-party cookies in Wikimedia production |
| Resolved | | Tgr | T345249 Mitigate phase-out of third-party cookies in CentralAuth |
| Open | | None | T348388 SUL3: Use a dedicated domain for login and account creation |
| Resolved | | Tgr | T363695 Create a Wikimedia login domain that can be served by any wiki |
| Resolved | | sbassett | T367995 Security Preview for shared login domain |
| Resolved | | Tgr | T373732 Audit SUL3 shared-domain i18n messages for XSS |
| Resolved | | Reedy | T376550 Formally EOL MW 1.41 |
| Restricted Task | | | |
| Restricted Task | | | |
| Resolved | Security | Tgr | T379677 FancyCaptcha uses unescaped i18n messages |
Event Timeline
Let me know if you'd prefer using Gerrit, not sure how seriously this kind of problem should be taken.
CR+1
> Let me know if you'd prefer using Gerrit, not sure how seriously this kind of problem should be taken.
ConfirmEdit is bundled, but these message sanitization issues should mostly be low-risk, so it should be fine to push through gerrit.
Yes, I believe this is resolved. Since we deemed this low-risk and the patches were public, it's fine to make this task public. I just added the tracking parent task so @Reedy could have the option of mentioning it in the next core security release and to potentially backport the patch, if desired.