User:CSteipp (WMF)/Training/VulnTagging medium

WARNING: This is a vulnerable script for demonstration. Don't use it! This code has used naive, but commonly-seen, fixes for the SQL injections and XSS in User:CSteipp/Training/VulnTagging_easy. See if you can find ways to still inject SQL and javascript.

<?php

$wgHooks['ParserFirstCallInit'][] = 'wfVulntagging';

function wfVulntagging( &$parser ) {
	$parser->setHook( 'vtag', 'wfAddTags' );
	return true;
}


function wfAddTags( $input, $argv, $parser ) {
	$articleId = $parser->getTitle()->getArticleID();

	if ( isset( $argv['articleid'] ) ) {
		$articleId = mysql_real_escape_string( $argv['articleid'] );
	}

	$dbr = wfGetDB( DB_SLAVE );

	$res = $dbr->select(
		'vulntags',
		array( 'vt_tid', 'vt_tag_text' ),
		array( "vt_article_id = $articleId" ),
		__METHOD__
	);

	$tags = array();

	foreach ( $res as $tag ) {
		$otherpages = Linker::link(
			SpecialPage::getTitleFor( 'ArticlesWithTag', $tag->vt_tag_text ),
			$tag->vt_tag_text
		);
		$tags[] = Html::rawElement(
			'li',
			array( 'id'=>'vuln-tag-list', 'class'=>'tag-'.$tag->vt_tid ),
			$otherpages
		);
	}

	$articleId = htmlspecialchars( $articleId );
	return "<ul id='vuln-tag-list' class='tags-for-$articleId'>" . implode( "\n", $tags ) . "</ul>";
}