StarCitizenWiki Extension Embed Video: Stored XSS via unsanitized class passed to template
Description
Summary
The user-supplied `class` value is fed directly into the `sprintf` call that builds the HTML. An attacker can include a double quote to close the `class` attribute and then inject arbitrary HTML/JavaScript into the final output.
Details
The template adds a `<figure>` element whose class is substituted in by `sprintf`. The value handed to `sprintf` is the class supplied by the user, with no escaping applied.
```php
// Heredoc as excerpted on the page; the surrounding <figure ...> markup that
// carries the class="%s" attribute is not reproduced in this excerpt.
$template = <<<HTML
%s%s%s%s
HTML;
```
PoC
Note the double quote immediately following the single quote in the `class` value: the single quote delimits the tag attribute in wikitext, while the double quote closes the `class="…"` attribute in the HTML template, so the remainder of the value is rendered as new attributes. The PoC tag, with video ID `dQw4w9WgXcQ`, is given in full under Attack vector below.
Impact
Arbitrary HTML can be inserted into the DOM by any user who can edit a page, on any page that embeds a video, allowing JavaScript to execute in the browser of everyone who views that page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability mechanics
Root cause
Missing output escaping of the user-supplied `class` value before it is interpolated into the HTML template via `sprintf`.
Attack vector
An attacker can inject arbitrary HTML and JavaScript by providing a crafted `class` attribute value in an EmbedVideo tag, such as `<youtube class='" onmouseover="alert(document.domain)' id="dQw4w9WgXcQ">`. The double quote closes the `class` attribute and introduces a new event handler attribute. Because the value is stored in the page and rendered on every page load, this is a stored XSS vulnerability [1][2][3].
Affected code
The vulnerability resides in `includes/EmbedService/EmbedHtmlFormatter.php` where a user-supplied `class` value is passed directly into a `sprintf` call that builds the `<figure>` element's HTML (lines 138–156 of the vulnerable commit). The `$config['class']` value is never escaped before being substituted into the `class="%s"` attribute, allowing an attacker to break out of the attribute with a double-quote character.
What the fix does
The patch rewrites `EmbedHtmlFormatter::toHtml()` to use Mustache templates (`wrapper.mustache`) via `TemplateParser` instead of raw `sprintf`. Mustache HTML-escapes variables rendered with the double-brace `{{variable}}` syntax, preventing attribute injection (the triple-brace `{{{variable}}}` form does not escape and must not be used for untrusted values). Additionally, the `makeIframe()` method was changed to use `Html::element()`, which escapes attribute values, and `setDescriptionNoParse()` now calls `htmlspecialchars()` on the description [2].
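Side by side, the unsafe `sprintf` interpolation from the Details section above and the attribute escaping the fix relies on, as an added example that is not the extension's code: the template, function names and inputs are stand-ins, and plain `htmlspecialchars()` takes the place of MediaWiki's `Html::element()` and Mustache `{{ }}` escaping. The output is re-parsed with `DOMDocument` so you can see, as a browser would, whether the payload became a real `onmouseover` attribute or stayed inert text inside the `class` value.

```php
<?php
// Added example, not code from the EmbedVideo extension. It models the sprintf
// template described in the advisory with a simplified stand-in template, then
// shows the escaping the fix introduces (htmlspecialchars() standing in for
// MediaWiki's Html::element() / Mustache {{ }} escaping). Function names, the
// template and the inputs are assumptions made for illustration.
declare(strict_types=1);

// Constructed input: a PoC-style class value. The leading double quote closes the
// class="..." attribute in the template; the remainder becomes a new attribute.
const POC_CLASS = '" onmouseover="alert(document.domain)';
const VIDEO_ID  = 'dQw4w9WgXcQ';

/** Vulnerable pattern: untrusted value interpolated by sprintf with no escaping. */
function renderVulnerable(string $class, string $videoId): string {
    $template = <<<HTML
<figure class="embedvideo %s"><iframe src="https://www.youtube.com/embed/%s"></iframe></figure>
HTML;
    return sprintf($template, $class, $videoId);
}

/**
 * Attribute-context escaping. ENT_QUOTES turns both '"' and "'" into entities,
 * so the value can no longer terminate the attribute it is placed in.
 */
function attr(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Fixed pattern: every interpolated value is escaped for its attribute context. */
function renderEscaped(string $class, string $videoId): string {
    return sprintf(
        '<figure class="%s"><iframe src="%s"></iframe></figure>',
        attr(rtrim('embedvideo ' . $class)),
        attr('https://www.youtube.com/embed/' . $videoId)
    );
}

/**
 * Defence in depth on top of escaping: a class attribute should carry nothing
 * but CSS class tokens, so tokens outside [A-Za-z0-9_-]+ are dropped before
 * rendering. Escaping alone already prevents the breakout.
 */
function renderHardened(string $class, string $videoId): string {
    $tokens = array_filter(
        preg_split('/\s+/', trim($class)) ?: [],
        fn (string $t): bool => preg_match('/^[A-Za-z0-9_-]+$/', $t) === 1
    );
    return renderEscaped(implode(' ', $tokens), $videoId);
}

/** Parse the output as a browser would and return the <figure> element's attributes. */
function figureAttributes(string $html): array {
    $doc = new DOMDocument();
    // libxml2's HTML parser predates <figure>; it warns but still builds the element.
    $previous = libxml_use_internal_errors(true);
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    $attrs = [];
    foreach ($doc->getElementsByTagName('figure') as $figure) {
        foreach ($figure->attributes as $attribute) {
            $attrs[$attribute->name] = $attribute->value;
        }
    }
    return $attrs;
}

$vulnerable = figureAttributes(renderVulnerable(POC_CLASS, VIDEO_ID));
$escaped    = figureAttributes(renderEscaped(POC_CLASS, VIDEO_ID));
$hardened   = figureAttributes(renderHardened(POC_CLASS, VIDEO_ID));

foreach (['vulnerable' => $vulnerable, 'escaped' => $escaped, 'hardened' => $hardened] as $label => $attrs) {
    echo $label, ': ', json_encode($attrs, JSON_UNESCAPED_SLASHES), PHP_EOL;
}

// The injected handler exists as a real attribute only in the vulnerable rendering;
// after escaping, the whole payload is an inert part of the class attribute's value.
$ok = isset($vulnerable['onmouseover'])
    && !isset($escaped['onmouseover'])
    && $escaped['class'] === 'embedvideo ' . POC_CLASS
    && $hardened['class'] === 'embedvideo';
exit($ok ? 0 : 1);
```

Run it with `php example.php`; it prints the attribute set each rendering produces and exits non-zero if the escaped or hardened output still carries an `onmouseover` attribute. The check deliberately inspects the parsed DOM rather than grepping the HTML string, because after escaping the literal text `onmouseover=` is still present in the output but is no longer an attribute.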
Preconditions
- auth: The attacker must have the ability to create or edit a wiki page that uses the EmbedVideo extension's tag (e.g., the `<youtube>` tag)
- config: The EmbedVideo extension must be installed and enabled on the wiki
- input: The attacker supplies a crafted `class` attribute value containing a double quote to break out of the HTML attribute
Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/advisories/GHSA-7h5p-637f-jfr7 (GitHub Advisory Database)
- [2] github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/commit/370156335b325bb81d14d89edf0a1f2643d50a84 (fix commit)
- [3] github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/releases/tag/v4.1.0 (fixed release)
- [4] github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/security/advisories/GHSA-7h5p-637f-jfr7 (repository advisory)