Last modified: 2007-10-24 19:37:24 UTC

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T13296, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 11296 - URLs in the help mode double escaped
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Component: API
Version: 1.11.x
Hardware: All All
Importance: Lowest enhancement
Target Milestone: ---
Assigned To: Nobody - You can work on this!
URL: http://commons.wikimedia.org/w/api.php
Duplicates: 11302
Depends on:
Blocks:

Reported: 2007-09-11 20:06 UTC by Bryan Tong Minh

Description Bryan Tong Minh 2007-09-11 20:06:39 UTC
URLs are double escaped in the pretty print xml help mode. (Just the main page, see http://commons.wikimedia.org/w/api.php).
Comment 1 Brion Vibber 2007-09-11 20:22:53 UTC
The API help message seems to be abusing the XML pretty-printer, assuming that output will be partially de-escaped. This is fairly rude. :)

Now that the pretty-printer isn't a security hazard, it's formatting output correctly; that is, as given.

In theory we could special-case the pretty-printer, but I suspect it would make more sense to just have an HTML interface for this? The URL detection in particular is very fragile as back-interpreting the original code is going to depend on how that particular formatter treats all kinds of characters.
Comment 2 Brion Vibber 2007-09-13 15:27:20 UTC
*** Bug 11302 has been marked as a duplicate of this bug. ***
Comment 3 Daniel Cannon (AmiDaniel) 2007-09-14 18:18:00 UTC
Well, the only characters that really seem to be causing problems in the links are ampersands. Could we maybe just special-case these for now? 

I really think it would make much more sense just to provide, as you suggested, our own html, not formatted xml, help document at the entry point, but I believe the reason Yuri wanted to do it this way was so that we would be handing back valid xml when an error occurs (the help message is shown on all errors). It would, however, make more sense to me for an error just to return a simple doc indicating the error, and only display the help document when the api is accessed without any parameters.
Comment 4 Roan Kattouw 2007-09-15 15:23:51 UTC
(In reply to comment #3)
> It would, however, make more sense to me for an error just to return a
> simple doc indicating the error, and only display the help document when the
> api is accessed without any parameters.
This has been discussed before. It was agreed (and implemented) that the help document be shown only if the requested format is an FM (fancy markup) format. If not, the help text will not be shown unless the user explicitly requests it with action=help. See also:

http://www.mediawiki.org/w/api.php?action=query&list=dfasdf
http://www.mediawiki.org/w/api.php?action=query&list=dfasdf&format=xml
Comment 5 Daniel Cannon (AmiDaniel) 2007-09-18 22:12:56 UTC
Committed r25922, which is a temporary fix for this. Leaving the bug open until we find a better solution (most likely, a fully html version of the help).
Comment 6 Daniel Cannon (AmiDaniel) 2007-09-18 22:13:48 UTC
(In reply to comment #5)
> Committed r25922, which is a temporary fix for this. Leaving the bug open until
> we find a better solution (most likely, a fully html version of the help).
> 

Sorry, that was r25923
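
The double escaping reported here, reproduced as an added example (not MediaWiki's code and not the r25923 change): `render_double_escaped` pre-escapes text before an escaping printer, `render_correct` finds URLs in the raw text and escapes each piece exactly once, and `render_trusting` is a hypothetical printer that skips escaping altogether. The sample help text, the example.org URL and all function names are constructed for illustration.

```python
import html
import re

# Constructed sample help text: one query-string URL plus a line of markup.
HELP_TEXT = (
    "Example: http://example.org/w/api.php?action=query&list=allpages\n"
    "<script>alert(1)</script>"
)
URL_RE = re.compile(r'https?://[^\s<>"]+')


def linkify(text, escape=True):
    """Split text around URLs; optionally escape each piece exactly once."""
    enc = (lambda s: html.escape(s, quote=True)) if escape else (lambda s: s)
    out, pos = [], 0
    for m in URL_RE.finditer(text):
        out.append(enc(text[pos:m.start()]))
        out.append('<a href="{0}">{0}</a>'.format(enc(m.group(0))))
        pos = m.end()
    out.append(enc(text[pos:]))
    return "".join(out)


def render_correct(raw):
    """Caller passes raw text; the printer is the only place that escapes."""
    return linkify(raw)


def render_double_escaped(raw):
    """The reported bug: caller pre-escapes, printer escapes again."""
    return linkify(html.escape(raw))


def render_trusting(raw):
    """Hypothetical printer that assumes pre-escaped input and escapes nothing."""
    return linkify(raw, escape=False)


def first_href(rendered):
    """Link target as a browser sees it after decoding the attribute."""
    m = re.search(r'href="([^"]*)"', rendered)
    return html.unescape(m.group(1)) if m else ""


if __name__ == "__main__":
    for fn in (render_correct, render_double_escaped, render_trusting):
        print(fn.__name__, "->", first_href(fn(HELP_TEXT)))
```

Only `render_correct` yields both a working link and inert markup: the double-escaped variant leaves a literal `&amp;` in the decoded link target, and the trusting variant passes the `<script>` line through unescaped.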
