SECURITY: Escape username in invalid username error
POST request with invalid usernames to SpecialScratchOAuth2 page in 
ScratchOAuth2 may lead to reflected cross-site scripting.
apple502j committed Apr 12, 2021
1 parent d856dc7 commit 1603f04
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion includes/special/SpecialScratchOAuth2.php
Expand Up @@ -69,7 +69,7 @@ public function specialLogin( $error = null ) {
$username = $request->getVal( 'username', '', );
if (!preg_match(SOA2_USERNAME_REGEX, $username)) {
$this->specialLogin(
wfMessage('soa2-invalid-username', $username)->plain()
wfMessage('soa2-invalid-username')->plaintextParams($username)->parse()
);
return;
}
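Review bot: The fix is correct only if the caller of specialLogin( $error ) outputs $error as already-rendered HTML; since parse() returns HTML with $username escaped via plaintextParams(), a second escaping step in specialLogin() (e.g. passing $error through htmlspecialchars() or an escaped message helper) would show the user literal entities, so please confirm how the error is rendered in the unchanged part of the file. The message key 'soa2-invalid-username' must also expect $1 as a plaintext parameter now rather than as raw text, so the i18n entry should be reviewed for any formatting that relied on plain() output. Minor style point on the context line `$request->getVal( 'username', '', );`: the trailing comma in the call is legal only on PHP 7.3+, so it should match the extension's minimum PHP requirement.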