Last modified: 2010-05-15 15:33:38 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T4309, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 2309 - Template parameters not substituted in HTML attributes [regression]
Template parameters not substituted in HTML attributes [regression]
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Templates (Other open bugs)
1.4.x
All All
: Highest normal with 1 vote (vote)
: ---
Assigned To: Nobody - You can work on this!
http://en.wikipedia.org/wiki/Template...
:
: 2743 (view as bug list)
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2005-06-03 15:16 UTC by Cary Bass
Modified: 2010-05-15 15:33 UTC (History)
3 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Cary Bass 2005-06-03 15:16:45 UTC 
http://en.wikipedia.org/wiki/Tralee

Up until yesterday, we were able to position dots on maps using the template
field "pin_coords", which placed a "left: ###; top: ###" code into the DIV tag
for the tiny town graphic.  Suddenly, on 6/3/05, this field no longer works.

We have already positioned quite a few towns using this now-disabled feature. 
This feature also reduces the number of graphics; 2 for all towns in a single
county rather than one for each one.  This ability should be restored.
Comment 1 Cary Bass 2005-06-03 15:17:31 UTC 
Example: http://en.wikipedia.org/wiki/Castlebar
Comment 2 Brion Vibber 2005-06-04 00:31:25 UTC 
This is caused by the fix to bug 2304, which is a major security vulnerability.

Allowing validated plaintext template/parameter substitutions in HTML attribute values with our 
current parser architecture is theoretically possible, but will take some work to ensure that it 
remains safe.
Comment 3 Brion Vibber 2005-06-04 23:23:03 UTC 
Also broken by this:
http://en.wikipedia.org/wiki/Template:Ref
http://en.wikipedia.org/wiki/Template:Note

I've done some work on this bug but need to check it over a bit to make sure I haven't reintroduced a vulnerability, 
particularly on the 1.4 backport (where the HTML attribute validation code is pretty crappy). Will try to finish it up 
tonight.
Comment 4 Zhen Lin 2005-06-06 01:43:43 UTC 
I recently upgraded my MediaWiki installation to 1.4.5 - we've experienced this
problem on precisely one template at the moment. I suppose it is because no one
has edited the other ones using this technique yet.

Curiously, {{subst:xyz}} works, but {{xyz}} uses the inclusion guard.
Comment 5 Brion Vibber 2005-06-06 01:46:33 UTC 
Fix applied to CVS HEAD. Still working on REL1_4.
Comment 6 Brion Vibber 2005-06-06 04:59:56 UTC 
Fix applied to REL1_4 as well (Parser.php).
Comment 7 Zhen Lin 2005-06-08 15:13:50 UTC 
Is there a specific patch we can apply now, or will there be a new release of
1.4 soon?
Comment 8 Brion Vibber 2005-06-08 23:45:38 UTC 
I can't release a 1.4.6 just now as there's an issue with upgrades and an unnecessary 
but performance-enhancing index.

Here's the change for REL1_4:
http://cvs.sourceforge.net/viewcvs.py/wikipedia/phase3/includes/Parser.php?
r1=1.357.2.49&r2=1.357.2.50&diff_format=u
Comment 9 Zigger 2005-07-07 21:21:12 UTC 
*** Bug 2743 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links