author | Tim Starling <tstarling@wikimedia.org> | 2022-07-21 13:35:01 +1000 |
---|---|---|
committer | Tim Starling <tstarling@wikimedia.org> | 2022-07-22 11:44:49 +1000 |
commit | 51ddd7068292d0b2e42cddc6374d24910dc6b343 (patch) | |
tree | ec050412358811a07d95b788fa3fcbc026285d20 /includes/api/ApiFormatJson.php | |
parent | 6d840fa896f37bfd25bfb6167e869faacee9c015 (diff) | |
Remove Flash cross-domain policy mangling
Remove Flash cross-domain policy mangling. Users who are somehow still
using Flash as a browser extension will be exposed to CSRF
vulnerabilities.
Deprecate the config since deprecation has some advantages in the new
config system over simple removal.
Bug: T279496
Change-Id: I2c0e85a430d7e6aaf8d5decd00cf1dade04cebe1
Diffstat (limited to 'includes/api/ApiFormatJson.php')
-rw-r--r-- | includes/api/ApiFormatJson.php | 9 |
1 files changed, 0 insertions, 9 deletions
diff --git a/includes/api/ApiFormatJson.php b/includes/api/ApiFormatJson.php index 7e4da5a5a7d7..3c2672c58174 100644 --- a/includes/api/ApiFormatJson.php +++ b/includes/api/ApiFormatJson.php @@ -98,15 +98,6 @@ class ApiFormatJson extends ApiFormatBase { // @codeCoverageIgnoreEnd } - // T68776: OutputHandler::mangleFlashPolicy() avoids a nasty bug in - // Flash, but what it does isn't friendly for the API, so we need to - // work around it. - if ( preg_match( '/\<\s*cross-domain-policy(?=\s|\>)/i', $json ) ) { - $json = preg_replace( - '/\<(\s*cross-domain-policy(?=\s|\>))/i', '\\u003C$1', $json - ); - } - if ( isset( $params['callback'] ) ) { $callback = preg_replace( "/[^][.\\'\\\"_A-Za-z0-9]/", '', $params['callback'] ); # Prepend a comment to try to avoid attacks against content |
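Review bot: the block deleted just after `// @codeCoverageIgnoreEnd` was the API's guard against OutputHandler::mangleFlashPolicy() rewriting JSON that contains `<cross-domain-policy`, and the commit message says the config is deprecated rather than removed, so this deletion is only safe if the deprecated setting can no longer switch the mangling on. Please confirm in the same change that mangleFlashPolicy() is gone or unreachable from the API output path; if it can still run, keep the `\u003C` escape until it cannot. A test that passes a value containing `<cross-domain-policy>` through ApiFormatJson and checks that the response still decodes to the same string would pin this down, including on the `callback` path that follows.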