Last modified: 2010-05-15 15:33:38 UTC

Wikimedia Bugzilla is closed!

Wikimedia has migrated from Bugzilla to Phabricator. Bug reports should be created and updated in Wikimedia Phabricator instead. Please create an account in Phabricator and add your Bugzilla email address to it.
Wikimedia Bugzilla is read-only. If you try to edit or create any bug report in Bugzilla you will be shown an intentional error message.
In order to access the Phabricator task corresponding to a Bugzilla report, just remove "static-" from its URL.
You could still run searches in Bugzilla or access your list of votes but bug reports will obviously not be up-to-date in Bugzilla.
Bug 2309 - Template parameters not substituted in HTML attributes [regression]
Template parameters not substituted in HTML attributes [regression]
Product: MediaWiki
Classification: Unclassified
Templates (Other open bugs)
All All
: Highest normal with 1 vote (vote)
: ---
Assigned To: Nobody - You can work on this!
: 2743 (view as bug list)
Depends on:
  Show dependency treegraph
Reported: 2005-06-03 15:16 UTC by Cary Bass
Modified: 2010-05-15 15:33 UTC (History)
3 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Description Cary Bass 2005-06-03 15:16:45 UTC

Up until yesterday, we were able to position dots on maps using the template
field "pin_coords", which placed a "left: ###; top: ###" code into the DIV tag
for the tiny town graphic.  Suddenly, on 6/3/05, this field no longer works.

We have already positioned quite a few towns using this now-disabled feature. 
This feature also reduces the number of graphics; 2 for all towns in a single
county rather than one for each one.  This ability should be restored.
Comment 1 Cary Bass 2005-06-03 15:17:31 UTC
Comment 2 Brion Vibber 2005-06-04 00:31:25 UTC
This is caused by the fix to bug 2304, which is a major security vulnerability.

Allowing validated plaintext template/parameter substitutions in HTML attribute values with our 
current parser architecture is theoretically possible, but will take some work to ensure that it 
remains safe.
Comment 3 Brion Vibber 2005-06-04 23:23:03 UTC
Also broken by this:

I've done some work on this bug but need to check it over a bit to make sure I haven't reintroduced a vulnerability, 
particularly on the 1.4 backport (where the HTML attribute validation code is pretty crappy). Will try to finish it up 
Comment 4 Zhen Lin 2005-06-06 01:43:43 UTC
I recently upgraded my MediaWiki installation to 1.4.5 - we've experienced this
problem on precisely one template at the moment. I suppose it is because no one
has edited the other ones using this technique yet.

Curiously, {{subst:xyz}} works, but {{xyz}} uses the inclusion guard.
Comment 5 Brion Vibber 2005-06-06 01:46:33 UTC
Fix applied to CVS HEAD. Still working on REL1_4.
Comment 6 Brion Vibber 2005-06-06 04:59:56 UTC
Fix applied to REL1_4 as well (Parser.php).
Comment 7 Zhen Lin 2005-06-08 15:13:50 UTC
Is there a specific patch we can apply now, or will there be a new release of
1.4 soon?
Comment 8 Brion Vibber 2005-06-08 23:45:38 UTC
I can't release a 1.4.6 just now as there's an issue with upgrades and an unnecessary 
but performance-enhancing index.

Here's the change for REL1_4:
Comment 9 Zigger 2005-07-07 21:21:12 UTC
*** Bug 2743 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.