StarCitizenWiki Extension Embed Video: Stored XSS via malformed src url with $wgEmbedVideoRequireConsent enabled
Summary
With $wgEmbedVideoRequireConsent enabled (the default), the urls for videos are stored in a json-ified data attributedata-mw-iframeconfig. When given a malformed url or id, the data-mw-iframeconfig attribute can be escaped via single quotes, allowing for html/javascript injection.Details
The sprintf here adds the iframe config encoded as JSON here. When given a malicious url or id with a single quote, the$this->getUrl() call returns an unescaped payload that terminates the data-mw-iframeconfig attribute and allows for injecting attributes, including handlers, into the figure element. The id regex for the archiveorg service and the url regexes for the wistia and sharepoint services allow for single quotes to be introduced.PoC
A couple of examples across servicesInput:Renders:
...
Input:
{{#ev:wistia|https://wistia.com/medias/x'onmouseover='alert(document.domain)'}}Renders:
...
{{#ev:sharepoint|https://a.sharepoint.com/sites/x'onmouseover='alert(document.domain)'.aspx}}