SECURITY: XSS when $wgPiwikTrackUsernames is true
With a specially-crafted username like 0'+(window.alert('You have been hacked'))+'0
the user receives the alert "You have been hacked". This commit escapes the
username.
Seb35 committed Nov 15, 2017
1 parent ceadbc6 commit 681324e
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions Piwik.hooks.php
Expand Up @@ -82,8 +82,8 @@ public static function AddPiwik ($title) {
// name for anonymous visitors is their IP address which Piwik already
// records.
if ($wgPiwikTrackUsernames && $wgUser->isLoggedIn()) {
$username = $wgUser->getName();
$customJs .= PHP_EOL . " _paq.push(['setUserId','{$username}']);";
$username = Xml::encodeJsVar( $wgUser->getName() );
$customJs .= PHP_EOL . " _paq.push([\"setUserId\",{$username}]);";
}

// Check if server uses https
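Review bot: the hardened line `$customJs .= PHP_EOL . " _paq.push([\"setUserId\",{$username}]);"` only stays safe while `$username` holds the output of `Xml::encodeJsVar()`, which returns a complete, already-quoted JS string literal; that is why the old `'{$username}'` quoting was dropped. A one-line comment on the `$username = Xml::encodeJsVar( $wgUser->getName() );` line saying the variable is now a JS literal rather than a bare name would stop a later edit from re-adding quotes or reverting to `$wgUser->getName()` and reintroducing the injection, and a regression test that pushes the username from the commit message through this branch and asserts the emitted JS has no unescaped quote would pin it. Since `_paq.push` is presumably emitted as inline script, it is also worth confirming that the encoder on the MediaWiki versions this extension targets neutralises `</script>` inside the literal (for example by escaping `/`); the hunk itself gives no evidence either way. Any other value interpolated into `$customJs` outside this hunk should get the same treatment. Minor style point: keeping single quotes around `setUserId` (`" _paq.push(['setUserId',{$username}]);"`) would avoid the `\"` escapes without changing behaviour.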

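The pre-fix and post-fix shapes of the setUserId line side by side, run against the username from the commit message. This is an added example, not code from the Piwik extension or from MediaWiki: plain `json_encode()` stands in for `Xml::encodeJsVar()`, which is an assumption about the encoder's output shape (a quoted JS string literal) and not a claim that the two are identical, and `isSingleStringArgument()` is a hypothetical helper written for this illustration.

```php
<?php
// Added example; not the extension's own code. ASSUMPTION: json_encode() is a
// stand-in for MediaWiki's Xml::encodeJsVar(), which also returns a quoted JS
// string literal. Everything else mirrors the two lines in the commit diff.

/** The pre-fix line: the raw username is dropped inside a single-quoted JS literal. */
function vulnerableSetUserId(string $username): string {
    return " _paq.push(['setUserId','{$username}']);";
}

/**
 * The post-fix shape: the encoder emits a complete, quoted JS string literal,
 * so the template must NOT add its own quotes around it.
 */
function hardenedSetUserId(string $username): string {
    $encoded = json_encode($username);
    if ($encoded === false) {
        // Invalid UTF-8 or similar: refuse to emit anything rather than emit junk.
        throw new RuntimeException('username could not be encoded as a JS literal');
    }
    return " _paq.push([\"setUserId\",{$encoded}]);";
}

/**
 * Hypothetical shape check for the emitted statement: exactly one double-quoted
 * string literal as the second array element, with every quote and backslash
 * inside it escaped. Anything that breaks out of the literal fails this check.
 */
function isSingleStringArgument(string $js): bool {
    return (bool) preg_match(
        '/^ _paq\.push\(\["setUserId","(?:[^"\\\\]|\\\\.)*"\]\);$/',
        $js
    );
}

// Constructed inputs: the payload quoted in the commit message, plus a
// username that tries to close an inline <script> block instead of the literal.
$inputs = [
    "0'+(window.alert('You have been hacked'))+'0",
    "</script><script>alert(1)</script>",
];

foreach ($inputs as $name) {
    $vuln = vulnerableSetUserId($name);
    $safe = hardenedSetUserId($name);
    printf("username : %s\n", $name);
    printf("before   : %s   [intact literal: %s]\n", $vuln, isSingleStringArgument($vuln) ? 'yes' : 'NO');
    printf("after    : %s   [intact literal: %s]\n\n", $safe, isSingleStringArgument($safe) ? 'yes' : 'NO');
}
```

For the first input the pre-fix line yields `_paq.push(['setUserId','0'+(window.alert('You have been hacked'))+'0']);`, which the browser parses as string concatenation around a function call, while the post-fix line yields `_paq.push(["setUserId","0'+(window.alert('You have been hacked'))+'0"]);`, a single harmless string. For the second input `json_encode()` escapes `/` by default, so the literal contains `<\/script>` and cannot terminate an enclosing inline script; that default is the property the reviewer note above asks to confirm for the real `Xml::encodeJsVar()`.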