Last modified: 2012-08-14 12:02:39 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T16226, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 14226 - Allow <sup> and <sub> in {{DISPLAYTITLE:}}
Allow <sup> and <sub> in {{DISPLAYTITLE:}}
Status: RESOLVED DUPLICATE of bug 12998
Product: MediaWiki
Classification: Unclassified
Templates (Other open bugs)
unspecified
All All
: Normal enhancement with 2 votes (vote)
: ---
Assigned To: Nobody - You can work on this!
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2008-05-22 16:09 UTC by Danny B.
Modified: 2012-08-14 12:02 UTC (History)
4 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments
Quick patch, kind of fixes the problem but possibly introduces lots of fun XSS and not really tested (1.47 KB, patch)
2008-05-22 16:58 UTC, Aryeh Gregor (not reading bugmail, please e-mail directly)
Details
Proposed patch v1 (6.55 KB, patch)
2008-10-12 00:53 UTC, rememberthedot
Details

Description Danny B. 2008-05-22 16:09:26 UTC
Please allow <sup> and <sup> in {{DISPLAYTITLE:}} as it is enabled for TOC headers.

It is totally reasonable to show correct form of indexes and it doesn't break copy'n'paste.
Comment 1 Aryeh Gregor (not reading bugmail, please e-mail directly) 2008-05-22 16:58:28 UTC
Created attachment 4915 [details]
Quick patch, kind of fixes the problem but possibly introduces lots of fun XSS and not really tested

This makes the output of ParserOutput::getDisplayTitle() raw HTML, as is seemingly needed.  However,

1) This causes problems with the <title> of the page, which must be plain text in any event.

Also,

2) The patch puts through *all* titles (not just display titles) as raw HTML, which is obviously wrong!

3) Doesn't work for the edit page, or probably other places.

It seems like a better path would be to add a new variable mHtmlDisplayTitle or something, and use that for where raw HTML is acceptable, using the current one for <title>, as well as legacy uses.
Comment 2 rememberthedot 2008-10-12 00:53:24 UTC
Created attachment 5419 [details]
Proposed patch v1

Here is a preliminary patch that should help resolve the problem. It uses Sanitizer::removeHTMLtags, so it allows tags allowed in wikitext (like <sup> and <sub>) but not tags not allowed in wikitext (like <script>). This is very similar to what the English Wikipedia's JavaScript implementation already does (see [[MediaWiki:Common.js]]). I tested this patch on all skins and it appears to work OK.

Unlike the previous patch, this patch differentiates between the HTML title (what will go into <h1>) and the plain text title (what will go into <title>). This avoids problems with tags finding their way into <title> when <title> is not supposed to have any tags inside of it.

One of the limitations of this patch is that it doesn't process templates. It'd be nice if we could say {{DISPLAYTITLE:{{Unicode|unusual characters}}}}, including a template designed to improve browser compatibility with unusual characters. But this is a minor concern since I believe all the compatibility templates like this can be expressed as <span class="Unicode"> instead.

And of course, if nobody finds any major bugs with this patch, we could just implement it for now and worry about tweaking the code to be more permissive later.
Comment 3 Danny B. 2008-10-13 00:46:03 UTC
This is concrete special case of bug 12998. Please move the patch there and then mark this as duplicate.
Comment 4 rememberthedot 2008-10-13 23:36:56 UTC

*** This bug has been marked as a duplicate of bug 12998 ***

Note You need to log in before you can comment on or make changes to this bug.


Navigation
Links