Last modified: 2007-10-24 19:37:24 UTC

Bug 11296 - URLs in the help mode double escaped
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Component: API
Version: 1.11.x
Hardware: All All
Importance: Lowest enhancement
Assigned To: Nobody - You can work on this!
URL: http://commons.wikimedia.org/w/api.php
Duplicates: 11302
Reported: 2007-09-11 20:06 UTC by Bryan Tong Minh
Modified: 2007-10-24 19:37 UTC (History)
Description Bryan Tong Minh 2007-09-11 20:06:39 UTC
URLs are double escaped in the pretty print xml help mode. (Just the main page, see http://commons.wikimedia.org/w/api.php).
Comment 1 Brion Vibber 2007-09-11 20:22:53 UTC
The API help message seems to be abusing the XML pretty-printer, assuming that output will be partially de-escaped. This is fairly rude. :)

Now that the pretty-printer isn't a security hazard, it's formatting output correctly; that is, as given.

In theory we could special-case the pretty-printer, but I suspect it would make more sense to just have an HTML interface for this? The URL detection in particular is very fragile as back-interpreting the original code is going to depend on how that particular formatter treats all kinds of characters.
Comment 2 Brion Vibber 2007-09-13 15:27:20 UTC
*** Bug 11302 has been marked as a duplicate of this bug. ***
Comment 3 Daniel Cannon (AmiDaniel) 2007-09-14 18:18:00 UTC
Well, the only characters that really seem to be causing problems in the links are ampersands. Could we maybe just special-case these for now? 

I really think it would make much more sense just to provide, as you suggested, our own html, not formatted xml, help document at the entry point, but I believe the reason Yuri wanted to do it this way was so that we would be handing back valid xml when an error occurs (the help message is shown on all errors). It would, however, make more sense to me for an error just to return a simple doc indicating the error, and only display the help document when the api is accessed without any parameters.
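
The failure mode discussed in comments 1 and 3, as an added example that is not part of the original thread and is not MediaWiki's code: a formatter that escapes its input as given, a caller that pre-escapes anyway, and URL detection run before versus after escaping. Python stands in for the PHP formatter here; the function names, the regex and the sample help line are constructed for illustration.

```python
import html
import re

# Constructed sample: a help line with a URL in angle brackets and two query parameters.
HELP_LINE = "See <http://example.org/w/api.php?action=query&list=allpages> for a sample query"

# Simple URL matcher: stops at whitespace, angle brackets and double quotes.
URL_RE = re.compile(r"https?://[^\s<>\"]+")


def pretty_print(text):
    """Formatter that escapes its input exactly once, as given."""
    return html.escape(text, quote=True)


def double_escaped(text):
    """Caller pre-escapes, wrongly assuming the formatter de-escapes part of it."""
    return pretty_print(html.escape(text, quote=True))


def linkify_after_escape(text):
    """Fragile: look for URLs in already-escaped output, where '>' has become '&gt;'."""
    escaped = pretty_print(text)
    return URL_RE.sub(lambda m: '<a href="%s">%s</a>' % (m.group(0), m.group(0)), escaped)


def linkify_then_escape(text):
    """Robust: find URLs in the raw text, then escape every piece exactly once."""
    out, pos = [], 0
    for m in URL_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()], quote=True))
        url = html.escape(m.group(0), quote=True)
        out.append('<a href="%s">%s</a>' % (url, url))
        pos = m.end()
    out.append(html.escape(text[pos:], quote=True))
    return "".join(out)


def hrefs(markup):
    """Link targets as a browser would see them after decoding attribute entities."""
    return [html.unescape(h) for h in re.findall(r'href="([^"]*)"', markup)]


if __name__ == "__main__":
    print(double_escaped(HELP_LINE))               # ampersand shows up as &amp;amp;
    print(hrefs(linkify_after_escape(HELP_LINE)))  # link target swallows the trailing '>'
    print(hrefs(linkify_then_escape(HELP_LINE)))   # link target is the original URL
```

Special-casing ampersands alone would not fix the second case: the escaped `&gt;` contains no character the URL matcher stops on, so it becomes part of the link target.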
Comment 4 Roan Kattouw 2007-09-15 15:23:51 UTC
(In reply to comment #3)
> It would, however, make more sense to me for an error just to return a
> simple doc indicating the error, and only display the help document when the
> api is accessed without any parameters.
This has been discussed before. It was agreed (and implemented) that the help document be shown only if the requested format is an FM (fancy markup) format. If not, the help text will not be shown unless the user explicitly requests it with action=help. See also:

http://www.mediawiki.org/w/api.php?action=query&list=dfasdf
http://www.mediawiki.org/w/api.php?action=query&list=dfasdf&format=xml
Comment 5 Daniel Cannon (AmiDaniel) 2007-09-18 22:12:56 UTC
Committed r25922, which is a temporary fix for this. Leaving the bug open until we find a better solution (most likely, a fully html version of the help).
Comment 6 Daniel Cannon (AmiDaniel) 2007-09-18 22:13:48 UTC
(In reply to comment #5)
> Committed r25922, which is a temporary fix for this. Leaving the bug open until
> we find a better solution (most likely, a fully html version of the help).
> 

Sorry, that was r25923
