GSoC/GCI Archive
Google Code-in 2014 Wikimedia Foundation

MediaWiki security: add missing message escaping (02)

completed by: Scimonster

mentors: Nemo_bis

Escaping HTML is the first rule for improving security against cross-site scripting attacks, which have been the most common cybersecurity threat for years, causing billions of dollars of damage. In this task, you will improve the security of MediaWiki by reducing its attack surface!

MediaWiki provides the Html class and built-in i18n escaping to address the risk, but some areas of the code don't use them correctly (or at all). You will help fix them.

Pick one special page listed in the issue tracker; clone the code and check all the usages of the message keys listed next to its name; fix them and submit your patch in Gerrit. The header gives the name of the repository; examples of what your patches should look like are available.
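The kind of fix this task asks for, shown as an added example that is not taken from MediaWiki or from any submitted patch: a message written into HTML unescaped, next to the escaped form. `DemoMessage` is a hypothetical stand-in that mimics only the `text()` and `escaped()` output formats of MediaWiki's `Message` class so the script runs with plain PHP; the message text and parameter are constructed samples.

```php
<?php
// Added illustration, not MediaWiki source. DemoMessage is a hypothetical
// stand-in for the text()/escaped() behaviour of MediaWiki's Message class.
final class DemoMessage {
    private string $raw;
    private array $params = [];

    public function __construct( string $raw ) {
        $this->raw = $raw;
    }

    public function params( string ...$params ): self {
        $this->params = $params;
        return $this;
    }

    // Like Message::text(): parameters substituted, no HTML escaping.
    public function text(): string {
        $out = $this->raw;
        foreach ( $this->params as $i => $value ) {
            $out = str_replace( '$' . ( $i + 1 ), $value, $out );
        }
        return $out;
    }

    // Like Message::escaped(): the same string, HTML-escaped for output.
    public function escaped(): string {
        return htmlspecialchars( $this->text(), ENT_QUOTES );
    }
}

// Constructed sample: a localisation string that has been edited to carry
// markup, with a user-supplied value passed as parameter $1.
$msg = ( new DemoMessage( 'No results for $1 <img src=x onerror=alert(1)>' ) )
    ->params( '<script>alert(2)</script>' );

// Before: text() concatenated into HTML, so the markup reaches the browser.
$unsafe = '<p class="error">' . $msg->text() . '</p>';

// After: escaped() makes both the message and its parameter inert text.
$safe = '<p class="error">' . $msg->escaped() . '</p>';

echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";
echo 'raw tag survives in safe output: ';
var_dump( strpos( $safe, '<script' ) !== false || strpos( $safe, '<img' ) !== false );
```

In MediaWiki itself the same result comes from calling `->escaped()` on the message, or from passing `->text()` as the content of `Html::element()`, which escapes its content argument.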