Headline
CVE-2023-22910: XSS in Wikibase date formatting
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. There is XSS in Wikibase date formatting via wikibase-time-precision-* fields. This allows JavaScript execution by staff/admin users who do not intentionally have the editsitejs capability.
Impact: Users with the editinterface right (not limited to editsitejs) can cause Wikibase to emit arbitrary HTML in certain situations, including in APIs where callers might treat the result as trusted HTML and use it in their own sites. On Wikidata, the editinterface right is granted not only to interface administrators (who also have editsitejs, so they can already run arbitrary JS on Wikidata, though they still shouldn’t be able to break API users in this way), but also to regular administrators as well as Wikidata staff.
Description: Wikibase formats time values for HTML using two classes, MwTimeIsoFormatter and HtmlTimeFormatter. MwTimeIsoFormatter is responsible for formatting the timestamp depending on the precision of the time value, using various interface messages; HtmlTimeFormatter wraps it to add the calendar model, if necessary. An example result looks like this:
14 March 1879<sup class="wb-calendar-name">Gregorian</sup> |MwTimeIsoF…||…HtmlTimeFormatter…|
HtmlTimeFormatter assumes that its inner formatter (which can actually be any formatter, as far as it’s concerned) emits HTML:
/** * @param FormatterOptions|null $options * @param ValueFormatter $dateTimeFormatter A value formatter that accepts TimeValue objects and * returns the formatted date and time, but not the calendar model. Must return HTML. */ public function __construct(
HtmlTimeFormatter::format()
$formatted = $this->dateTimeFormatter->format( $value );
if ( $this->calendarNameNeeded( $value ) ) { $formatted .= ‘<sup class="wb-calendar-name">’ . $this->formatCalendarName( $value->getCalendarModel() ) . '</sup>’; }
However, MwTimeIsoFormatter returns plain text:
/** * @param TimeValue $timeValue * * @return string Text */ private function formatTimeValue( TimeValue $timeValue ) {
MwTimeIsoFormatter::getLocalizedYear()
return wfMessage( 'wikibase-time-precision-' . ( $isBCE ? 'BCE-' : ‘’ ) . $msg, $year ) ->inLanguage( $this->language ) ->text();
The two formatters are wired up without any escaping layer between them:
WikibaseValueFormatterBuilders::newTimeFormatter()
return new HtmlTimeFormatter( $options, new MwTimeIsoFormatter( $options ) );
So if a user with the editinterface right edits one of the relevant interface messages (wikibase-time-precision-*) to include HTML (e.g. <script>), it will be returned unchanged by $message->text() and be added directly to the resulting HTML; this HTML can then turn up in the Wikibase UI (such as on item pages and diffs), but also in third parties who use the wbformatvalue API with the generate parameter set to one of the available HTML formats.