Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and kept for historical purposes. It is not possible to log in, and apart from displaying bug reports and their history, links might be broken. See T2212, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 212 - Many MediaWiki: messages not safe in HTML (tracking)
Status: NEW
Product: MediaWiki
Classification: Unclassified
Component: Internationalization
Version: unspecified
Hardware/OS: All / All
Priority/Severity: Lowest / normal (5 votes)
Target Milestone: ---
Assigned To: Nobody - You can work on this!
Keywords: i18n, tracking
Depends on: 19291 43646 210 1023 1037 1989 2516 16026
Blocks: html tracking well-formedness
Reported: 2004-08-25 07:14 UTC by Brion Vibber
Modified: 2014-08-14 16:40 UTC
CC: 19 users


Attachments
Changes errorpage function to add wikitext (139.84 KB, patch), 2005-04-10 17:21 UTC, Niklas Laxström

Description Brion Vibber 2004-08-25 07:14:06 UTC
Many MediaWiki: messages are still used as raw HTML output. Strict XML parsing by user agents would make it very difficult for a sysop modifying them through the wiki to recover from an error which creates invalid output -- the entire wiki interface can be broken.

Messages should be converted to either plaintext (via htmlspecialchars()) or wikitext which will go through normalization. (This is an ongoing effort.)
Comment 1 Guttorm Flatabø 2004-12-08 14:19:34 UTC
(In reply to comment #0)
> Messages should be converted to either plaintext (via htmlspecialchars()) or
> wikitext which will go through normalization. (This is an ongoing effort.)

I'd much prefer the ongoing effort. Is there some list of what messages that are
converted to wikitext, or some easy (grep?) way to find out?
Comment 2 Ævar Arnfjörð Bjarmason 2005-04-01 16:54:26 UTC
Marking it as INVALID, please provide specific issues like specific tags that
cause problem or specific messages that do, submitting a bug like "some stuff in
part x of the codebase causes problems" doesn't do a whole lot for those
interested in fixing it.
Comment 3 Brion Vibber 2005-04-01 20:29:32 UTC
Every message that is output as HTML.
Comment 4 Niklas Laxström 2005-04-10 17:21:23 UTC
Created attachment 414 [details]
Changes errorpage function to add wikitext
Comment 5 Ævar Arnfjörð Bjarmason 2005-04-10 17:54:02 UTC
It doesn't change nearly all the messages that use the errorpage function, which
are: rcpatroldisabledtext, markedaspatrollederrortext, nospecialpagetext,
watchnologintext, watchnologintext, nosuchactiontext, uploadnologintext,
sessionfailure, notargettext, notargettext, nospecialpagetext, mailnologintext,
notargettext, notargettext, noemailtext, noemailtext, movenologintext,
notargettext, nospecialpagetext, prefsnologintext, notargettext, notargettext,
uploadnologintext, nospecialpagetext, notargettext, notargettext.

$ for i in rcpatroldisabledtext markedaspatrollederrortext nospecialpagetext \
    watchnologintext watchnologintext nosuchactiontext uploadnologintext \
    sessionfailure notargettext notargettext nospecialpagetext mailnologintext \
    notargettext notargettext noemailtext noemailtext movenologintext notargettext \
    nospecialpagetext prefsnologintext notargettext notargettext uploadnologintext \
    nospecialpagetext notargettext notargettext; do \
      grep $i patch | wc -l | perl -pe 's/\n/\t/g' && echo $i; \
    done | sort -nr
92      uploadnologintext
92      uploadnologintext
90      prefsnologintext
88      mailnologintext
87      movenologintext
85      watchnologintext
85      watchnologintext
0       sessionfailure
0       rcpatroldisabledtext
0       notargettext
0       notargettext
0       notargettext
0       notargettext
0       notargettext
0       notargettext
0       notargettext
0       notargettext
0       notargettext
0       nosuchactiontext
0       nospecialpagetext
0       nospecialpagetext
0       nospecialpagetext
0       nospecialpagetext
0       noemailtext
0       noemailtext
0       markedaspatrollederrortext
Comment 6 Ævar Arnfjörð Bjarmason 2005-04-10 19:46:10 UTC
Never mind, the rest of those messages didn't need any modification, applied the
patch to HEAD.
Comment 7 Carl Fürstenberg 2008-04-14 20:22:58 UTC
WP:BEANS violation:

1. GOTO http://en.wikipedia.org/wiki/MediaWiki:Copyright
2. ADD <img src="/w/api.php?action=logout" />
3. FLEE

i.e. rouge admin can make everyone forced to log out.
Comment 8 Chad H. 2008-06-05 14:41:08 UTC
(In reply to comment #7)
> WP:BEANS violation:
> 
> 1. GOTO http://en.wikipedia.org/wiki/MediaWiki:Copyright
> 2. ADD <img src="/w/api.php?action=logout" />
> 3. FLEE
> 
> i.e. rouge admin can make everyone forced to log out.
> 

You sure about this? I could be wrong, but I just tried it on my localhost and it didn't force a logout.
Comment 9 Niklas Laxström 2009-05-22 11:57:28 UTC
I think I got most of them with my last commits r50881, r50882 and r50883. Keeping this bug open like this seems not quite useful. What I would like is a mechanism to detect this automatically, something that can be enabled during development. PHP's taint module seems a candidate, but as of now it is not easy to install.
Comment 10 Niklas Laxström 2009-06-19 09:09:24 UTC
Created bug 19291 for that. Closing this now as INVALID, because this bug cannot be easily fixed as-is.
Comment 11 Brion Vibber 2009-06-23 23:07:48 UTC
Reopening as there seems no reason to close it; bug 19291 looks like a request for a tool to aid in working on bug 212 issues.
Comment 12 Happy-melon 2009-07-24 10:07:26 UTC
Are there *any* messages that need to allow full (X)HTML? Pages like the site footer use raw HTML links, for example: is that still performance-necessary?
Comment 13 Carl Fürstenberg 2009-08-23 17:52:42 UTC
(In reply to comment #8)
> (In reply to comment #7)
> > WP:BEANS violation:
> > 
> > 1. GOTO http://en.wikipedia.org/wiki/MediaWiki:Copyright
> > 2. ADD <img src="/w/api.php?action=logout" />
> > 3. FLEE
> > 
> > i.e. rouge admin can make everyone forced to log out.
> > 
> 
> You sure about this? I could be wrong, but I just tried it on my localhost and
> it didn't force a logout.
> 

This still applies (just tested). Remember to modify the src="" to match your local install.
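The two failure modes this bug tracks, as an added example that is not MediaWiki code and not part of the original thread: a message edited through the wiki is dropped into the interface either raw or after htmlspecialchars(), and a strict XML parse (standing in for the XHTML user agent from the description) shows which outputs survive a sysop's typo and which keep comment 7's tag out of the page. The message names and texts are constructed.

```php
<?php
// Added example, not MediaWiki's own code. Constructed sample messages:
// a legitimate footer, the img tag quoted in comment 7, and an unclosed
// tag of the kind a sysop might save by mistake.
$messages = [
    'copyright' => 'Content is available under <a href="/wiki/License">CC BY-SA</a>.',
    'tampered'  => 'Content is available. <img src="/w/api.php?action=logout" />',
    'malformed' => 'Content is available under <b>CC BY-SA.',   // unclosed <b>
];

// Unsafe path: the message text becomes part of the page's markup.
function renderRaw(string $msg): string {
    return "<div id=\"footer\">$msg</div>";
}

// Plaintext path from the description: every markup character is escaped,
// so the message can only contribute text, never elements or attributes.
function renderEscaped(string $msg): string {
    return '<div id="footer">'
        . htmlspecialchars($msg, ENT_QUOTES | ENT_XHTML, 'UTF-8')
        . '</div>';
}

// Strict-XML check: a user agent parsing XHTML as XML rejects the whole
// document if a single fragment is not well-formed.
function isWellFormed(string $fragment): bool {
    libxml_use_internal_errors(true);
    $ok = simplexml_load_string($fragment) !== false;
    libxml_clear_errors();
    return $ok;
}

foreach ($messages as $name => $msg) {
    $raw = renderRaw($msg);
    $esc = renderEscaped($msg);
    printf("%-10s raw well-formed: %-3s escaped well-formed: %-3s escaped contains <img: %s\n",
        $name,
        isWellFormed($raw) ? 'yes' : 'no',
        isWellFormed($esc) ? 'yes' : 'no',
        str_contains($esc, '<img') ? 'yes' : 'no');
}
```

Only the 'malformed' raw output fails the parse, and no escaped output contains a live tag; the trade-off is that the escaped 'copyright' message also loses its link, which is why the description offers wikitext normalization as the second option.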
Comment 14 Daniel Friesen 2013-06-08 14:03:10 UTC
Changing subject since we don't support XHTML 1.0 anymore ;).
Comment 15 Bawolff (Brian Wolff) 2013-06-08 15:30:42 UTC
As an aside, people on wikinews use the raw html in [[mediawiki:Copyright]] to add rdf to the footer, to make them be picked up in google's creative commons content search.
Comment 16 Daniel Friesen 2013-06-08 15:35:30 UTC
(In reply to comment #15)
> As an aside, people on wikinews use the raw html in [[mediawiki:Copyright]]
> to
> add rdf to the footer, to make them be picked up in google's creative commons
> content search.

Raw RDF comments instead of RDFa!!!
Comment 17 Quim Gil 2014-04-14 01:55:58 UTC
Interesting report history.  :)

The fact is that nobody seems to be working or planning to work on this. Setting priority to Lowest accordingly.
Comment 18 Erwin Dokter 2014-04-29 15:47:14 UTC
*** Bug 43646 has been marked as a duplicate of this bug. ***
Comment 19 Erwin Dokter 2014-04-29 20:24:40 UTC
*** Bug 43646 has been marked as a duplicate of this bug. ***
Comment 20 Nemo 2014-05-03 09:17:32 UTC
Converting to tracking bug per bug 43646 comment 6.
