Last modified: 2013-01-23 15:21:58 UTC
The wikibase-item type uses the 'string' data value. This allows for all strings while we only want to allow proper wb item IDs. The right thing to do would probably be to add a validator to the wikibase-item data type definition, checking whether the given string is a proper ID. If this is not fixed, this allows confusing vandalism, people adding Snaks with weird IDs which make no sense to Statements. In the frontend we can prevent this in other ways; the API would still be vulnerable and would require a solution to this bug.
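An added example, not part of the bug report or of Wikibase's code: a server-side validator attached to a data type definition, as the report proposes, shown beside a naive pattern that still lets malformed IDs through. The ID format ("Q" plus a positive decimal integer), the length bound, the registry layout and all function names are assumptions made for illustration.

```python
import re

# Assumption: an item ID is "Q" followed by a positive decimal integer, e.g. "Q42".
# Naive pattern: "$" also matches before a trailing "\n", "\d" matches non-ASCII digits.
NAIVE = re.compile(r"^Q\d+$")
# Strict pattern: whole string only, ASCII digits, no leading zero, bounded length.
STRICT = re.compile(r"\AQ[1-9][0-9]{0,17}\Z")


def naive_is_item_id(value):
    # Looks right, but accepts "Q42\n" and "Q" followed by Arabic-Indic digits.
    return isinstance(value, str) and NAIVE.match(value) is not None


def is_item_id(value):
    # Check the type first, then match the full string.
    return isinstance(value, str) and STRICT.match(value) is not None


# Hypothetical registry: both types share the 'string' data value,
# but only wikibase-item carries a validator.
DATA_TYPES = {
    "string": {"datavalue": "string", "validators": []},
    "wikibase-item": {"datavalue": "string", "validators": [is_item_id]},
}


def validate_snak(snak):
    """Return a list of errors for one submitted snak (empty list = accept)."""
    dtype = snak.get("datatype")
    definition = DATA_TYPES.get(dtype) if isinstance(dtype, str) else None
    if definition is None:
        return ["unknown data type"]
    value = snak.get("value")
    if not all(check(value) for check in definition["validators"]):
        return ["value %r is not valid for %s" % (value, dtype)]
    return []


# Constructed sample submissions, as an API endpoint might receive them.
SAMPLES = [
    {"datatype": "wikibase-item", "value": "Q42"},
    {"datatype": "wikibase-item", "value": "not an id"},
    {"datatype": "wikibase-item", "value": "Q42\n"},
    {"datatype": "wikibase-item", "value": "Q\u0664\u0662"},
    {"datatype": "wikibase-item", "value": 42},
    {"datatype": "string", "value": "free text"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample["value"]), validate_snak(sample) or "accepted")
```

Because the check runs where the API stores the value, it applies no matter which client submitted the request.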
Taking this one.

> In the frontend we can prevent this in other ways

You cannot prevent people from submitting incorrect data via frontend code ;)
Jeroen: trollololol? Perhaps I should have written in our UI. Even though we are not doing this and yes, you could still 'hack' it then.
"It's not security you know ... [long silence] ... it's validating input... before it goes to the server" -- anonymous Daniel is anonymous
Started to actually work on this.
First commit, more will follow: https://gerrit.wikimedia.org/r/#/c/42885/
Second commit, more will follow: https://gerrit.wikimedia.org/r/42893
Also https://gerrit.wikimedia.org/r/#/c/42974/ and https://gerrit.wikimedia.org/r/#/c/42977/

More will still follow
*** Bug 43609 has been marked as a duplicate of this bug. ***
Verified in Wikidata demo sprint 29