Summary
Various date messages returned by Language::userDate are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM.
Details
$this->lang->userDate( $timestamp, $this->user ) returns unescaped values, but Citizen inserts the result as raw HTML:
```php
$html = sprintf(
	'<time class="citizen-user-regdate" datetime="%s">%s</time>',
	wfTimestamp( TS_ISO_8601, $timestamp ),
	// Since this is not accessible by anon, we can use user language
	$this->lang->userDate( $timestamp, $this->user )
);
```
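The raw-insertion pattern above next to an escaped version, as an added stand-alone example that is not Citizen's code or its actual fix: formatUserDate() is a hypothetical stand-in for Language::userDate(), and the overridden month message is constructed. Inside MediaWiki, Html::element() escapes element contents and attribute values and does the same job.

```php
<?php
// Hypothetical stand-in for Language::userDate(): it builds the date from
// editable interface messages and returns the text unescaped.
function formatUserDate( int $timestamp, array $monthMessages ): string {
	$month = $monthMessages[ (int)gmdate( 'n', $timestamp ) ];
	return gmdate( 'j', $timestamp ) . ' ' . $month . ' ' . gmdate( 'Y', $timestamp );
}

// Pattern from the advisory: the formatted date is placed into markup as-is.
function regDateRaw( int $timestamp, array $monthMessages ): string {
	return sprintf(
		'<time class="citizen-user-regdate" datetime="%s">%s</time>',
		gmdate( 'c', $timestamp ),
		formatUserDate( $timestamp, $monthMessages )
	);
}

// Hardened form: escape every interpolated value at the point of output,
// so message text is rendered as text whatever an editor put in it.
function regDateEscaped( int $timestamp, array $monthMessages ): string {
	return sprintf(
		'<time class="citizen-user-regdate" datetime="%s">%s</time>',
		htmlspecialchars( gmdate( 'c', $timestamp ), ENT_QUOTES ),
		htmlspecialchars( formatUserDate( $timestamp, $monthMessages ), ENT_QUOTES )
	);
}

// Default month names, then one message overridden with markup
// (constructed sample: harmless bold tag standing in for edited message text).
$messages = [];
for ( $m = 1; $m <= 12; $m++ ) {
	$messages[$m] = gmdate( 'F', gmmktime( 0, 0, 0, $m, 1, 2023 ) );
}
$messages[11] = '<b id="injected">November</b>';

$registered = gmmktime( 0, 0, 0, 11, 5, 2023 ); // constructed registration date

$raw = regDateRaw( $registered, $messages );
$escaped = regDateEscaped( $registered, $messages );

echo "raw:     $raw\n";
echo "escaped: $escaped\n";

// The raw output carries the tag into the DOM; the escaped output does not.
echo 'raw contains live tag:     ' . var_export( strpos( $raw, '<b id=' ) !== false, true ) . "\n";
echo 'escaped contains live tag: ' . var_export( strpos( $escaped, '<b id=' ) !== false, true ) . "\n";
```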
PoC
- While logged in, go to any page using Citizen with the uselang parameter set to x-xss
Depending on the registration date of the account you're logged in with, various messages can be shown. In my case, it's november:

Impact
This impacts wikis where a group has the editinterface but not the editsitejs user right.
The snippet quoted under Details is from mediawiki-skins-Citizen/includes/Components/CitizenComponentUserInfo.php, lines 55 to 60 in 072e436.