Last modified: 2014-08-14 16:40:44 UTC
Many MediaWiki: messages are still used as raw HTML output. Strict XML parsing by user agents would make it very difficult for a sysop modifying them through the wiki to recover from an error which creates invalid output -- the entire wiki interface can be broken. Messages should be converted to either plaintext (via htmlspecialchars()) or wikitext which will go through normalization. (This is an ongoing effort.)
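The two output routes the report contrasts, shown as an added example that is not MediaWiki's own code: getRawMessage() is a constructed stand-in for fetching a sysop-edited message (the message names and texts are made up for illustration; the logout payload is the one quoted later in this bug), renderMessageAsHtml() is the raw-output pattern the report objects to, renderMessageAsPlaintext() is the htmlspecialchars() route, and messageInjectsMarkup() is a hypothetical review check. The wikitext route is not shown because it needs the parser.

```php
<?php
// Added example, not MediaWiki code. getRawMessage() is a constructed
// stand-in for a MediaWiki: message a sysop edited through the wiki.
declare(strict_types=1);

/** Constructed samples of sysop-edited messages (hypothetical contents). */
function getRawMessage(string $name): string {
    $samples = [
        // A footer message carrying a GET request every viewer's browser
        // will issue while rendering the page.
        'copyright' => 'Content is available under CC BY-SA. '
            . '<img src="/w/api.php?action=logout" />',
        // An unclosed tag: as raw output this breaks strict XML parsing
        // of the whole interface, which is the recovery problem the
        // report describes.
        'watchnologintext' => '<b>You must log in to watch pages',
        // An honest message that merely contains an ampersand.
        'noemailtext' => 'No e-mail address is registered & none can be sent.',
    ];
    return $samples[$name] ?? '';
}

/** The pattern the bug complains about: message text emitted as HTML verbatim. */
function renderMessageAsHtml(string $name): string {
    return '<div class="mw-message">' . getRawMessage($name) . '</div>';
}

/** The plaintext option from the report: escape before output. */
function renderMessageAsPlaintext(string $name): string {
    $escaped = htmlspecialchars(getRawMessage($name), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="mw-message">' . $escaped . '</div>';
}

/**
 * Hypothetical review check: does the raw rendering still contain a tag
 * that came from the message text rather than from the wrapper?
 */
function messageInjectsMarkup(string $name): bool {
    $rendered = renderMessageAsHtml($name);
    $inner = substr($rendered, strlen('<div class="mw-message">'), -strlen('</div>'));
    return (bool) preg_match('/<\s*[a-z!\/]/i', $inner);
}

foreach (['copyright', 'watchnologintext', 'noemailtext'] as $name) {
    echo "== $name ==\n";
    echo "raw:     ", renderMessageAsHtml($name), "\n";
    echo "escaped: ", renderMessageAsPlaintext($name), "\n";
    echo "injects markup when raw: ", messageInjectsMarkup($name) ? 'yes' : 'no', "\n\n";
}
```

The escaped route turns both the injected `<img>` and the unclosed `<b>` into visible text, so a sysop's mistake is recoverable from the wiki instead of breaking the interface; the cost is that messages which legitimately need markup must go through the wikitext route instead.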
(In reply to comment #0)
> Messages should be converted to either plaintext (via htmlspecialchars()) or wikitext which will go through
> normalization. (This is an ongoing effort.)

I'd much prefer the ongoing effort. Is there some list of which messages are converted to wikitext, or some easy (grep?) way to find out?
Marking it as INVALID; please provide specific issues, like specific tags that cause problems or specific messages that do. Submitting a bug like "some stuff in part x of the codebase causes problems" doesn't do a whole lot for those interested in fixing it.
Every message that is output as HTML.
Created attachment 414: Changes errorpage function to add wikitext
It doesn't change nearly all the messages that use the errorpage function, which are: rcpatroldisabledtext, markedaspatrollederrortext, nospecialpagetext, watchnologintext, watchnologintext, nosuchactiontext, uploadnologintext, sessionfailure, notargettext, notargettext, nospecialpagetext, mailnologintext, notargettext, notargettext, noemailtext, noemailtext, movenologintext, notargettext, nospecialpagetext, prefsnologintext, notargettext, notargettext, uploadnologintext, nospecialpagetext, notargettext, notargettext.

    $ for i in rcpatroldisabledtext markedaspatrollederrortext nospecialpagetext watchnologintext watchnologintext nosuchactiontext uploadnologintext sessionfailure notargettext notargettext nospecialpagetext mailnologintext notargettext notargettext noemailtext noemailtext movenologintext notargettext nospecialpagetext prefsnologintext notargettext notargettext uploadnologintext nospecialpagetext notargettext notargettext; do grep $i patch|wc -l|perl -pe 's/\n/\t/g' && echo $i; done|sort -nr
    92	uploadnologintext
    92	uploadnologintext
    90	prefsnologintext
    88	mailnologintext
    87	movenologintext
    85	watchnologintext
    85	watchnologintext
    0	sessionfailure
    0	rcpatroldisabledtext
    0	notargettext
    0	notargettext
    0	notargettext
    0	notargettext
    0	notargettext
    0	notargettext
    0	notargettext
    0	notargettext
    0	notargettext
    0	nosuchactiontext
    0	nospecialpagetext
    0	nospecialpagetext
    0	nospecialpagetext
    0	nospecialpagetext
    0	noemailtext
    0	noemailtext
    0	markedaspatrollederrortext
Nevermind, the rest of those messages didn't need any modification, applied the patch to HEAD.
WP:BEANS violation:

1. GOTO http://en.wikipedia.org/wiki/MediaWiki:Copyright
2. ADD <img src="/w/api.php?action=logout" />
3. FLEE

i.e. rouge admin can make everyone forced to log out.
(In reply to comment #7)
> WP:BEANS violation:
>
> 1. GOTO http://en.wikipedia.org/wiki/MediaWiki:Copyright
> 2. ADD <img src="/w/api.php?action=logout" />
> 3. FLEE
>
> i.e. rouge admin can make everyone forced to log out.

You sure about this? I could be wrong, but I just tried it on my localhost and it didn't force a logout.
I think I got most of them with my last commits r50881, r50882 and r50883. Keeping this bug open like this seems not quite useful. What I would like is a mechanism to detect this automatically, something that can be enabled during development. PHP's taint module seems a candidate, but as of now it is not easy to install.
Created bug 19291 for that. Closing this now as INVALID, because this bug cannot be easily fixed as-is.
Reopening as there seems no reason to close it; bug 19291 looks like a request for a tool to aid in working on bug 212 issues.
Are there *any* messages that need to allow full (X)HTML? Pages like the site footer use raw HTML links, for example: is that still performance-necessary?
(In reply to comment #8)
> (In reply to comment #7)
> > WP:BEANS violation:
> >
> > 1. GOTO http://en.wikipedia.org/wiki/MediaWiki:Copyright
> > 2. ADD <img src="/w/api.php?action=logout" />
> > 3. FLEE
> >
> > i.e. rouge admin can make everyone forced to log out.
>
> You sure about this? I could be wrong, but I just tried it on my localhost and
> it didn't force a logout.

This still applies (just tested). Remember to modify the src="" to match your local install.
Changing subject since we don't support XHTML 1.0 anymore ;).
As an aside, people on wikinews use the raw html in [[mediawiki:Copyright]] to add rdf to the footer, to make them be picked up in google's creative commons content search.
(In reply to comment #15)
> As an aside, people on wikinews use the raw html in [[mediawiki:Copyright]] to
> add rdf to the footer, to make them be picked up in google's creative commons
> content search.

Raw RDF comments instead of RDFa!!!
Interesting report history. :) The fact is that nobody seems to be working or planning to work on this. Setting priority to Lowest accordingly.
*** Bug 43646 has been marked as a duplicate of this bug. ***
Converting to tracking bug per bug 43646 comment 6.