Last modified: 2013-06-18 15:48:04 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T16531, the corresponding Phabricator task for complete and up-to-date bug report information.

Bug 14531 - nonexisting interface messages cause "<" "&gt" to appear on the users browser


Summary:	nonexisting interface messages cause "<" "&gt" to appear on the users browser

Status:	RESOLVED FIXED

Product:	MediaWiki
Classification:	Unclassified
Component:	Parser (Other open bugs)
Version:	1.16.x
Hardware:	All All

Importance:	Low normal (vote)
Target Milestone:	---
Assigned To:	Nobody - You can work on this!

URL:
Whiteboard:
Keywords:	i18n, patch, patch-need-review

Duplicates:	30681 (view as bug list)
Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2008-06-13 19:30 UTC by Shaiaqua
Modified:	2013-06-18 15:48 UTC (History)
CC List:	7 users (show)

See Also:
Web browser:	---
Mobile Platform:	---
Assignee Huggle Beta Tester:	---

Attachments
HTML source of a page resulting from missing two messages, wfMessage produces < > (11.89 KB, text/html) 2012-03-12 04:15 UTC, Marcin Cieślak	Details
wfMessage is now changd to produce < and > instead (11.88 KB, text/html) 2012-03-12 04:18 UTC, Marcin Cieślak	Details
a simple patch to the Message class - use << >> now instead of < > (1.38 KB, patch) 2012-03-12 04:20 UTC, Marcin Cieślak	Details
Add an attachment (proposed patch, testcase, etc.)

Description Shaiaqua 2008-06-13 19:30:34 UTC

When adding a right to $wgRestrictionTypes, or adding special page without a mediawiki: message, it displays &amp;lt;MESSAGE&amp;gt; instead of &lt;MESSAGE&gt;.

Comment 1 Niklas Laxström 2008-08-14 06:13:36 UTC

Please provide more details like where exactly those are shown.

Comment 2 Shaiaqua 2008-08-14 13:30:12 UTC

On special:specialpages, when you make a special page and do not give it a message in the i18n file (ie if you remove the 'checkuser' entry from the checkuser extension's i18n file), and on &action=protect, when you add a right but do not make restriction-<right> message. Do you want a screenshot?

Comment 3 Niklas Laxström 2009-01-31 21:56:50 UTC

And what should happen in this case?

Comment 4 Dan Jacobson 2009-07-05 20:46:44 UTC

I was just going to enter a new bug: Unknown messages end up in "&lt;message&gt;" instead of "<message>", when I spotted this bug (bug #14531). I was going to say:

There is a bug in the method used to display unknown messages.

They end up being shown to the user as
"&lt;message&gt;" instead of the certainly intended
"<message>".

Try this experiment: on e.g., Monobook.php change msg('search') to
msg('zzzsearch'), and then view what happens in your browser, by
browsing any page.

Yes, there never should be any unknown messages, but when there are
(as occasionally _does_ happen), they should be displayed as intended
for unknown messages, and not with &lt; &gt;.

Comment 5 Marcin Cieślak 2012-03-12 04:15:22 UTC

Created attachment 10219 [details]
HTML source of a page resulting from missing two messages, wfMessage produces &lt; &gt;

An example resulting from removing following messages:

nstab-special
databaseerror

"databaseerror" is rendered as &lt;databaseerror&gt; in the heading as HTML (correctly)
"nstab-special" is additionally escaped in the tab &amp;lt;nstab-special&amp;gt;
"databaseerror" is rendered as &lt;databaseerror> (not &gt;) in the title

Comment 6 Marcin Cieślak 2012-03-12 04:18:11 UTC

Created attachment 10220 [details]
wfMessage is now changd to produce < and > instead

nstab-special is now &lt;nstab-special&gt;
databaseerror is now &lt;databaseerror&gt;
databaseerror is now &lt;databaseerror> in <title>

Comment 7 Marcin Cieślak 2012-03-12 04:20:53 UTC

Created attachment 10221 [details]
a simple patch to the Message class - use << >> now instead of &lt; &gt;

This is a simple patch to use plain << ... >> instead of &lt; &gt;

Comment 8 Marcin Cieślak 2012-03-12 04:39:55 UTC

Comment on attachment 10221 [details]
a simple patch to the Message class - use << >> now instead of &lt; &gt;

The original form of placeholder "&lt;message-name&gt;" introduced in r64182 has a pretty interesting property:

It survives most kinds of parsing and sanitizing:


> print wfMessage("i-dont-exist-aevar")->plain();
&lt;i-dont-exist-aevar&gt;
> print wfMessage("i-dont-exist-aevar")->escaped();
&lt;i-dont-exist-aevar&gt;
> print wfMessage("i-dont-exist-aevar")->parse();
&lt;i-dont-exist-aevar&gt;
> print wfMessage("i-dont-exist-aevar")->parseAsBlock();
<p>&lt;i-dont-exist-aevar&gt;
</p>
> $z = wfMessage("i-dont-exist-aevar")->plain();

> print Sanitizer::removeHTMLtags($z);
&lt;i-dont-exist-aevar&gt;
> print Sanitizer::normalizeCharReferences(Sanitizer::removeHTMLtags($z));
&lt;i-dont-exist-aevar&gt;
> print Sanitizer::stripAllTags(Sanitizer::normalizeCharReferences(Sanitizer::removeHTMLtags($z)));
<i-dont-exist-aevar>
> print wfMessage('pagetitle')->rawParams(Sanitizer::stripAllTags(Sanitizer::normalizeCharReferences(Sanitizer::removeHTMLtags($z))));
<i-dont-exist-aevar> – TrunkWiki

The above is possible because Message uses doubleEncode = false with htmlspecialchars() and therefore it magically does not get quoted again. 

The <<i-dont-exist-aevar>> form isn't that great anymore:

> print Sanitizer::removeHTMLtags("<<i-dont-exist>>");
&lt;<i>&gt;</i>

> print wfMessage("i-dont-exist-asdasd")->text();
<<i-dont-exist-asdasd>>


> print Sanitizer::normalizeCharReferences( Sanitizer::removeHTMLtags("<<i-dont-exist-ever>>"));
&lt;<i>&gt;</i>


> $z = wfMessage("i-dont-exist-aevar")->plain();

> print wfMessage('pagetitle')->rawParams(Sanitizer::stripAllTags(Sanitizer::normalizeCharReferences(Sanitizer::removeHTMLtags($z))));
<>  - MiniTest

> print wfMessage("i-dont-exist-aevar")->parse();
&lt;<i>&gt;</i>

it seems like the <<form>> as done by the patch isn't the resistant to various transformations; therefore it is more difficult to spot.

It would be best to have a special value (similar to SQL NULL) or exception object that would be transferred down through all sanitizing, escaping and quoting functions. Not sure if this is worth the effort; and probably would not be bug-free.

For now, it seems that the current method is very simple way to produce an eye-alterting message despite of various transformations. It does not have to be always very pretty though. 

a WONTFIX?

Comment 9 Sumana Harihareswara 2012-03-12 04:47:32 UTC

Marcin, feel free to remove the "need-review" keyword if the patch is for illustration only.

Comment 10 Niklas Laxström 2012-03-12 07:42:04 UTC

Let's just fix documentation for $wgRestrictionTypes and let this be.

Comment 11 Marcin Cieślak 2012-03-28 09:45:15 UTC

*** Bug 30681 has been marked as a duplicate of this bug. ***

Comment 12 Marcin Cieślak 2012-03-28 09:46:49 UTC

Santhosh Thottingal proposed a fix under bug 30681 (now dupe) under

https://gerrit.wikimedia.org/r/3842

Comment 13 Santhosh Thottingal 2012-03-28 10:40:38 UTC

Added phpunit testcases in https://gerrit.wikimedia.org/r/3852, and I think that and https://gerrit.wikimedia.org/r/3842 resolves the issue.

Note You need to log in before you can comment on or make changes to this bug.

Wikimedia Bugzilla is closed!

Search

Personal tools

Navigation

Links