This static website is read-only and kept for historical purposes. It is not possible to log in, and apart from displaying bug reports and their history, links might be broken. See T21291, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 19291 - Mechanism to find usages of raw-html messages
Status: NEW
Product: MediaWiki
Classification: Unclassified
Component: Parser
Version: 1.16.x
Hardware/OS: All / All
Priority/Severity: Lowest / normal
Assigned To: Nobody - You can work on this!
Depends on:
Blocks: 212
Reported: 2009-06-19 09:07 UTC by Niklas Laxström
Modified: 2014-04-14 01:47 UTC
CC: 6 users
See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Description Niklas Laxström 2009-06-19 09:07:35 UTC
From bug 212 in comment #9:

What I would like is to have a mechanism to detect this automatically, something that can be enabled during development. PHP's taint module seems like a candidate, but as of now it is not easy to install.

The remaining uses are hard to find, and extension developers usually don't pay attention to it.
Comment 1 Brion Vibber 2009-06-23 23:08:12 UTC
Switching blocker from bug 209 to bug 212, which is more directly relevant.
Comment 2 Nemo 2012-10-03 07:05:24 UTC
Should this be part of the testing infrastructure?
Comment 3 Antoine "hashar" Musso (WMF) 2012-10-06 06:12:46 UTC
Not really. That is more a general MediaWiki issue and how we do not detect user input being passed directly to output without proper escaping.

The PHP taint extension is exactly what we could use, though it is very unlikely we will ever require such an extension as a dependency. I know of facebook/pfff, which is an Objective Caml analyzer for PHP that *might* be able to detect such issues. Anyway, not an easy task with the PHP language.
Comment 4 Siebrand Mazeland 2012-10-24 17:31:22 UTC
Suggesting WONTFIX here, Niklas. There isn't really a way to find this out. As long as $context->msg() or wfMessage() is used, even Message::text() and Message::plain() can be escaped or parsed later on, so there's not really an indicator.

During the recent updates from wfMsg* to wfMessage, many problems have been resolved (and some new ones have been introduced, overescaping accidentally), so the issue of outputting raw HTML should be smaller now, albeit not gone.

From what I can see, proper auditing on review is the only option for now (and being warned by users).
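A lightweight version of the development-time check Niklas asks for, as an added example that is not part of this bug or of MediaWiki: a Python scanner that flags lines where a raw message value (`wfMsg*()` or `Message::text()`/`plain()`) is passed straight into an assumed raw-HTML sink (`addHTML()` or `Html::rawElement()`). The PHP sample is constructed; in line with Siebrand's point, a `->text()` result stored in a variable and possibly escaped later is deliberately not flagged, so hits are review candidates, not confirmed bugs.

```python
import re
from typing import List, Tuple

# Sinks assumed to emit their argument as unescaped HTML.
SINK = re.compile(r"->addHTML\s*\(|\bHtml::rawElement\s*\(")

# Calls that yield message text without HTML escaping: the legacy wfMsg*
# family and Message::text()/plain(). Message::escaped() is not matched.
RAW_MSG = re.compile(r"\bwfMsg\w*\s*\(|->(?:text|plain)\s*\(\s*\)")


def find_raw_message_sinks(source: str) -> List[Tuple[int, str]]:
    """Return (line number, stripped line) for each line where a raw
    message call appears inside the argument list of a raw-HTML sink.
    Only same-line flows are examined: a value stored in a variable and
    emitted later is out of scope for this heuristic and must be audited
    by hand."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        sink = SINK.search(line)
        if sink is None:
            continue
        # Only look at what is passed to the sink, not at the receiver.
        argument_text = line[sink.end():]
        if RAW_MSG.search(argument_text):
            findings.append((lineno, line.strip()))
    return findings


# Constructed PHP snippet mixing flagged and unflagged patterns.
SAMPLE_PHP = "\n".join([
    "$out->addHTML( wfMsg( 'summary' ) );",                              # flagged
    "$out->addHTML( $this->msg( 'summary' )->text() );",                 # flagged
    "$out->addHTML( $this->msg( 'summary' )->escaped() );",              # fine
    "$out->addWikiMsg( 'summary' );",                                    # fine
    "$html = Html::rawElement( 'p', [], $this->msg( 'intro' )->plain() );",  # flagged
    "$label = $this->msg( 'label' )->text();",                           # not decidable here
    "echo Html::element( 'span', [], $label );",                         # escapes $label
])

if __name__ == "__main__":
    for lineno, text in find_raw_message_sinks(SAMPLE_PHP):
        print(f"line {lineno}: raw message passed to HTML sink: {text}")
```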
Comment 5 Niklas Laxström 2012-10-24 19:01:06 UTC
Siebrand: there are ways, as mentioned above. I just don't believe anyone will have time to work on this. I hope this won't come to bite us later.
Comment 6 Quim Gil 2014-04-14 01:47:22 UTC
(In reply to Niklas Laxström from comment #5)
> I just don't believe anyone will have time to work on this.

This seems to be the case still. Setting priority to Lowest to reflect this fact.
