Last modified: 2013-06-18 15:48:04 UTC

Bug 14531 - nonexisting interface messages cause "<" "&gt" to appear on the users browser
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Parser (Other open bugs)
1.16.x
All All
: Low normal (vote)
: ---
Assigned To: Nobody - You can work on this!
: i18n, patch, patch-need-review
: 30681 (view as bug list)
Reported: 2008-06-13 19:30 UTC by Shaiaqua
Modified: 2013-06-18 15:48 UTC (History)
Attachments
HTML source of a page resulting from missing two messages, wfMessage produces < > (11.89 KB, text/html)
2012-03-12 04:15 UTC, Marcin Cieślak
wfMessage is now changed to produce < and > instead (11.88 KB, text/html)
2012-03-12 04:18 UTC, Marcin Cieślak
a simple patch to the Message class - use << >> now instead of &lt; &gt; (1.38 KB, patch)
2012-03-12 04:20 UTC, Marcin Cieślak

Description Shaiaqua 2008-06-13 19:30:34 UTC
When adding a right to $wgRestrictionTypes, or adding special page without a mediawiki: message, it displays &amp;lt;MESSAGE&amp;gt; instead of &lt;MESSAGE&gt;.
Comment 1 Niklas Laxström 2008-08-14 06:13:36 UTC
Please provide more details like where exactly those are shown.
Comment 2 Shaiaqua 2008-08-14 13:30:12 UTC
On special:specialpages, when you make a special page and do not give it a message in the i18n file (ie if you remove the 'checkuser' entry from the checkuser extension's i18n file), and on &action=protect, when you add a right but do not make restriction-<right> message. Do you want a screenshot?
Comment 3 Niklas Laxström 2009-01-31 21:56:50 UTC
And what should happen in this case?
Comment 4 Dan Jacobson 2009-07-05 20:46:44 UTC
I was just going to enter a new bug: Unknown messages end up in "&lt;message&gt;" instead of "<message>", when I spotted this bug (bug #14531). I was going to say:

There is a bug in the method used to display unknown messages.

They end up being shown to the user as
"&lt;message&gt;" instead of the certainly intended
"<message>".

Try this experiment: on e.g., Monobook.php change msg('search') to
msg('zzzsearch'), and then view what happens in your browser, by
browsing any page.

Yes, there never should be any unknown messages, but when there are
(as occasionally _does_ happen), they should be displayed as intended
for unknown messages, and not with &lt; &gt;.
Comment 5 Marcin Cieślak 2012-03-12 04:15:22 UTC
Created attachment 10219 [details]
HTML source of a page resulting from missing two messages, wfMessage produces &lt; &gt;

An example resulting from removing the following messages:

nstab-special
databaseerror

"databaseerror" is rendered as &lt;databaseerror&gt; in the heading as HTML (correctly)
"nstab-special" is additionally escaped in the tab &amp;lt;nstab-special&amp;gt;
"databaseerror" is rendered as &lt;databaseerror> (not &gt;) in the title
Comment 6 Marcin Cieślak 2012-03-12 04:18:11 UTC
Created attachment 10220 [details]
wfMessage is now changed to produce < and > instead

nstab-special is now &lt;nstab-special&gt;
databaseerror is now &lt;databaseerror&gt;
databaseerror is now &lt;databaseerror> in <title>
Comment 7 Marcin Cieślak 2012-03-12 04:20:53 UTC
Created attachment 10221 [details]
a simple patch to the Message class - use << >> now instead of &lt; &gt;

This is a simple patch to use plain << ... >> instead of &lt; &gt;
Comment 8 Marcin Cieślak 2012-03-12 04:39:55 UTC
Comment on attachment 10221 [details]
a simple patch to the Message class - use << >> now instead of &lt; &gt;

The original form of placeholder "&lt;message-name&gt;" introduced in r64182 has a pretty interesting property:

It survives most kinds of parsing and sanitizing:


> print wfMessage("i-dont-exist-aevar")->plain();
&lt;i-dont-exist-aevar&gt;
> print wfMessage("i-dont-exist-aevar")->escaped();
&lt;i-dont-exist-aevar&gt;
> print wfMessage("i-dont-exist-aevar")->parse();
&lt;i-dont-exist-aevar&gt;
> print wfMessage("i-dont-exist-aevar")->parseAsBlock();
<p>&lt;i-dont-exist-aevar&gt;
</p>
> $z = wfMessage("i-dont-exist-aevar")->plain();

> print Sanitizer::removeHTMLtags($z);
&lt;i-dont-exist-aevar&gt;
> print Sanitizer::normalizeCharReferences(Sanitizer::removeHTMLtags($z));
&lt;i-dont-exist-aevar&gt;
> print Sanitizer::stripAllTags(Sanitizer::normalizeCharReferences(Sanitizer::removeHTMLtags($z)));
<i-dont-exist-aevar>
> print wfMessage('pagetitle')->rawParams(Sanitizer::stripAllTags(Sanitizer::normalizeCharReferences(Sanitizer::removeHTMLtags($z))));
<i-dont-exist-aevar> – TrunkWiki

The above is possible because Message uses doubleEncode = false with htmlspecialchars() and therefore it magically does not get quoted again. 

The <<i-dont-exist-aevar>> form isn't that great anymore:

> print Sanitizer::removeHTMLtags("<<i-dont-exist>>");
&lt;<i>&gt;</i>

> print wfMessage("i-dont-exist-asdasd")->text();
<<i-dont-exist-asdasd>>


> print Sanitizer::normalizeCharReferences( Sanitizer::removeHTMLtags("<<i-dont-exist-ever>>"));
&lt;<i>&gt;</i>


> $z = wfMessage("i-dont-exist-aevar")->plain();

> print wfMessage('pagetitle')->rawParams(Sanitizer::stripAllTags(Sanitizer::normalizeCharReferences(Sanitizer::removeHTMLtags($z))));
<>  - MiniTest

> print wfMessage("i-dont-exist-aevar")->parse();
&lt;<i>&gt;</i>

It seems like the <<form>> as done by the patch isn't resistant to various transformations; therefore it is more difficult to spot.

It would be best to have a special value (similar to SQL NULL) or exception object that would be transferred down through all sanitizing, escaping and quoting functions. Not sure if this is worth the effort; and probably would not be bug-free.

For now, it seems that the current method is a very simple way to produce an eye-alerting message despite various transformations. It does not have to be always very pretty though.

a WONTFIX?
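
Added example, not part of the original comment and not MediaWiki code: the doubleEncode behaviour described in comment 8, reproduced with PHP's built-in htmlspecialchars() only. The helper names are hypothetical; the key "nstab-special" is the one from comment 5.

```php
<?php
// Added illustration; not MediaWiki code. Uses only PHP built-ins.

// Placeholder format for a missing message key, as quoted in comment 8.
function missingPlaceholder(string $key): string
{
    return '&lt;' . $key . '&gt;';
}

// Escape for HTML output; $doubleEncode is htmlspecialchars()'s 4th argument.
function escapeHtml(string $s, bool $doubleEncode): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8', $doubleEncode);
}

// Apply the same escaping $layers times, as stacked output code might.
function escapeLayers(string $s, int $layers, bool $doubleEncode): string
{
    for ($i = 0; $i < $layers; $i++) {
        $s = escapeHtml($s, $doubleEncode);
    }
    return $s;
}

$placeholder = missingPlaceholder('nstab-special'); // key taken from comment 5

$cases = [
    'doubleEncode=false, 1 layer'  => escapeLayers($placeholder, 1, false),
    'doubleEncode=false, 3 layers' => escapeLayers($placeholder, 3, false),
    'doubleEncode=true,  1 layer'  => escapeLayers($placeholder, 1, true),
    'doubleEncode=true,  2 layers' => escapeLayers($placeholder, 2, true),
];
foreach ($cases as $label => $out) {
    printf("%-30s %s\n", $label, $out);
}

// Checks: the placeholder is stable when existing entities are left alone,
// while a single default-escaping layer yields the "&amp;lt;...&amp;gt;"
// form that comment 5 reports for the tab.
if (escapeLayers($placeholder, 3, false) !== $placeholder) {
    throw new RuntimeException('placeholder changed under doubleEncode=false');
}
if (escapeLayers($placeholder, 1, true) !== '&amp;lt;nstab-special&amp;gt;') {
    throw new RuntimeException('unexpected double-encoded form');
}
```

The same setting leaves any entity already present in user-supplied text untouched, so text escaped with doubleEncode = false does not round-trip a literal "&lt;" typed by a user.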
Comment 9 Sumana Harihareswara 2012-03-12 04:47:32 UTC
Marcin, feel free to remove the "need-review" keyword if the patch is for illustration only.
Comment 10 Niklas Laxström 2012-03-12 07:42:04 UTC
Let's just fix documentation for $wgRestrictionTypes and let this be.
Comment 11 Marcin Cieślak 2012-03-28 09:45:15 UTC
*** Bug 30681 has been marked as a duplicate of this bug. ***
Comment 12 Marcin Cieślak 2012-03-28 09:46:49 UTC
Santhosh Thottingal proposed a fix under bug 30681 (now dupe) under

https://gerrit.wikimedia.org/r/3842
Comment 13 Santhosh Thottingal 2012-03-28 10:40:38 UTC
Added phpunit testcases in https://gerrit.wikimedia.org/r/3852, and I think that and https://gerrit.wikimedia.org/r/3842 resolve the issue.
