Wikimedia

Make SecurityCheckPlugin detect double escaping (advanced task)

First off, it's important to emphasize that this is a hard task, and much more involved than the other GCI tasks. You should only attempt this if you have already completed several other coding tasks. Also, do not be afraid to ask for help from the mentor (Bawolff) [on IRC, or send me an email if I'm not online] if you run into any trouble.

It would be cool if SecurityCheckPlugin (the mediawiki/tools/phan/SecurityCheckPlugin.git repo; see the README at https://github.com/wikimedia/mediawiki-tools-phan-SecurityCheckPlugin for info about what it is) could detect double escaping.

Background

Web applications use escaping to prevent cross-site scripting vulnerabilities, which are among the most common security vulnerabilities in web applications. HTML escaping works by converting characters like < into &lt;, so if a user types <big>Hi</big>, it is output into the HTML as &lt;big&gt;Hi&lt;/big&gt;, which is displayed as <big>Hi</big> instead of just Hi in really big letters.

But there is a problem: if something is escaped twice, then < becomes &amp;lt;, which is displayed to the user as &lt;, which is really ugly.

SecurityCheckPlugin is a tool that does static analysis to detect missing escaping. Static analysis is when we try to find bugs in a program without running it. This tool could also be extended to detect too much escaping in addition to not enough escaping.
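The single and double escaping described above, as an added PHP example that is not part of the original task page and is not SecurityCheckPlugin or MediaWiki code. The helpers esc() and renderCell() are hypothetical, and the input strings are constructed samples.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not MediaWiki code): escapes text for HTML output.
function esc(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Hypothetical helper: builds a table cell and escapes its content itself.
function renderCell(string $text): string {
    return '<td>' . esc($text) . '</td>';
}

// Constructed sample input: what a user types into a form field.
$userInput = '<big>Hi</big>';

// Correct: the value is escaped exactly once, inside renderCell().
$once = renderCell($userInput);

// Bug: the caller escapes first, then renderCell() escapes again.
$twice = renderCell(esc($userInput));

// A user who literally types the text "&lt;", escaped once ...
$literalEntity = renderCell('&lt;');
// ... compared with a user who types "<", escaped twice.
$doubleOfLt = renderCell(esc('<'));

$checks = [
    'escaped once: markup is neutralised'
        => $once === '<td>&lt;big&gt;Hi&lt;/big&gt;</td>',
    'escaped twice: user would see raw entities'
        => $twice === '<td>&amp;lt;big&amp;gt;Hi&amp;lt;/big&amp;gt;</td>',
    'output alone cannot tell the last two cases apart'
        => $literalEntity === $doubleOfLt,
];

foreach ($checks as $label => $ok) {
    echo ($ok ? 'ok   ' : 'FAIL ') . $label . PHP_EOL;
}
```

The last check shows why inspecting the finished string is not enough: telling a double escape from a legitimately typed entity requires knowing whether the value had already been escaped before it reached renderCell().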

Please see https://phabricator.wikimedia.org/T182448 for details on what you actually have to do.

Task tags

  • security
  • php
  • escaping
  • static analysis

Students who completed this task

Albert Wolszon

Task type

  • Code
  • Quality Assurance

2017