Page MenuHomePhabricator
Create Task
Maniphest T347578

HTML tags in Entity diff title
Closed, ResolvedPublicBUG REPORT
Actions

Assigned To
Lucas_Werkmeister_WMDE
Authored By
Michael
Sep 28 2023, 12:27 PM
Tags
Referenced Files
F37833666: image.png
Sep 28 2023, 4:55 PM
F37833669: image.png
Sep 28 2023, 4:55 PM
F37830480: image.png
Sep 28 2023, 2:27 PM
F37828132: image.png
Sep 28 2023, 12:44 PM
F37827617: image.png
Sep 28 2023, 12:27 PM
Subscribers
Aklapper
Ammarpad
Aschroet
IKhitron
Lucas_Werkmeister_WMDE
matmarex
Michael
View All 13 Subscribers

Description

Steps to replicate the issue (include links if applicable):

What happens?:

There are HTML tags visible in the title: <span class="wikibase-title-id">(Q56668748)</span>

image.png (174×819 px, 30 KB)

What should have happened instead?:

There should be no HTML-tags in the title

Other information (browser name/version, screenshots, etc.):

Details

SubjectRepoBranchLines +/-
Fix diff title escapingmediawiki/extensions/Wikibasewmf/1.41.0-wmf.28+1 -1
Fix diff title escapingmediawiki/extensions/Wikibasemaster+1 -1
Customize query in gerrit

Related Objects

Event Timeline

Michael created this task.Sep 28 2023, 12:27 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 28 2023, 12:27 PM
Michael added a comment.Sep 28 2023, 12:44 PM

Can now confirm that it is indeed the change mentioned in the description that introduced the issue. Changing the code modified in \Wikibase\Repo\Actions\ViewEntityAction::setDiffPageTitle to use \Message::rawParams instead of \Message::plaintextParams does fix the issues without introducing a XSS vulnerability:

image.png (304×738 px, 46 KB)

But the styling looks wrong. Has it always been this way?

Lucas_Werkmeister_WMDE subscribed.Sep 28 2023, 1:06 PM
In T347578#9206634, @Michael wrote:

But the styling looks wrong. Has it always been this way?

I think so; this random Wikibase Cloud wiki diff looks the same.

Ammarpad subscribed.Sep 28 2023, 1:12 PM

See also T347522: Page difference title is not parsed any more.

Arian_Bozorg added a project: Wikidata Dev Team.Sep 28 2023, 2:16 PM
Arian_Bozorg moved this task from Incoming to Product Backlog on the Wikidata Dev Team board.
Michael added a comment.Sep 28 2023, 2:27 PM

Though it is not as simple as just changing plainTextParams -> rawParams, because that would still parse some HTML tags like <b> (see screenshot). But it should not be terribly harder, maybe we just need to do some extra escaping ourselves.

image.png (588×633 px, 80 KB)

Lucas_Werkmeister_WMDE added a comment.Sep 28 2023, 2:45 PM

IIRC the recommended approach is that we do whatever escaping we need and then return that as a RawMessage.

Arian_Bozorg moved this task from Product Backlog to Unified DOT Backlog on the Wikidata Dev Team board.Sep 28 2023, 2:50 PM
matmarex subscribed.Sep 28 2023, 4:55 PM

I couldn't reproduce this at first, it turns out that Wikibase generates different page titles for diffs depending on the 'diffonly' option:

So… maybe the styling (which looked wrong to @Michael above :) ) isn't actually intended, just happening by accident when the page content is displayed below the diff?

matmarex added a comment.Sep 28 2023, 5:02 PM
In T347578#9207106, @Michael wrote:

Though it is not as simple as just changing plainTextParams -> rawParams, because that would still parse some HTML tags like <b> (see screenshot). But it should not be terribly harder, maybe we just need to do some extra escaping ourselves.

->plaintextParams( $titleText . $id ) should probably become ->rawParams( htmlspecialchars( $titleText ) . $id )

matmarex mentioned this in T347522: Page difference title is not parsed any more..Sep 28 2023, 5:06 PM
Wotheina subscribed.Sep 29 2023, 10:31 AM
IKhitron subscribed.Sep 29 2023, 12:31 PM
TheresNoTime subscribed.Sep 29 2023, 9:18 PM
Tacsipacsi subscribed.Sep 29 2023, 9:53 PM
In T347578#9207898, @matmarex wrote:

So… maybe the styling (which looked wrong to @Michael above :) ) isn't actually intended, just happening by accident when the page content is displayed below the diff?

Given that it’s set in a method named setDiffPageTitle (see T347578#9206634), it’s obviously quite intended that it appears on diffs with diffonly=0. The accidental thing is that it doesn’t appear on diffs with diffonly=1 – if I understand the code correctly, the data it uses is set in an OutputPageParserOutput hook handler, which seems not to run with diffonly=1 (which sounds right on core’s side, why would the hook run if there’s no parsed content on the page?).

Ammarpad merged a task: T347785: Literally <span class="wikibase-title-id">(Qxxxx)</span> shown on diff.Sep 30 2023, 8:03 AM
Ammarpad added a subscriber: Raymond.
Mike_Peel subscribed.Oct 2 2023, 2:18 PM

Also seeing this, ongoing issue? E.g., at https://www.wikidata.org/w/index.php?title=Q34623&curid=37349&diff=1985491049&oldid=1959113485 , https://www.wikidata.org/w/index.php?title=Q19599427&oldid=prev&diff=1984920937

Aschroet subscribed.Oct 2 2023, 3:51 PM
gerritbot added a comment.Oct 2 2023, 3:59 PM

Change 962646 had a related patch set uploaded (by Lucas Werkmeister (WMDE); author: Lucas Werkmeister (WMDE)):

[mediawiki/extensions/Wikibase@master] Fix diff title escaping

https://gerrit.wikimedia.org/r/962646

gerritbot added a project: Patch-For-Review.Oct 2 2023, 3:59 PM
MilkyDefer subscribed.Oct 2 2023, 4:10 PM
gerritbot added a comment.Oct 2 2023, 5:45 PM

Change 962646 merged by jenkins-bot:

[mediawiki/extensions/Wikibase@master] Fix diff title escaping

https://gerrit.wikimedia.org/r/962646

ReleaseTaggerBot added a project: MW-1.41-notes (1.41.0-wmf.29; 2023-10-03).Oct 2 2023, 6:00 PM
Maintenance_bot removed a project: Patch-For-Review.Oct 2 2023, 6:10 PM
gerritbot added a comment.Oct 2 2023, 6:43 PM

Change 962214 had a related patch set uploaded (by Bartosz Dziewoński; author: Lucas Werkmeister (WMDE)):

[mediawiki/extensions/Wikibase@wmf/1.41.0-wmf.28] Fix diff title escaping

https://gerrit.wikimedia.org/r/962214

gerritbot added a project: Patch-For-Review.Oct 2 2023, 6:43 PM
gerritbot added a comment.Oct 2 2023, 9:05 PM

Change 962214 merged by jenkins-bot:

[mediawiki/extensions/Wikibase@wmf/1.41.0-wmf.28] Fix diff title escaping

https://gerrit.wikimedia.org/r/962214

Stashbot added a comment.Oct 2 2023, 9:07 PM

Mentioned in SAL (#wikimedia-operations) [2023-10-02T21:07:45Z] <kindrobot@deploy2002> Started scap: Backport for [[gerrit:962212|Ignore <!--comment--> only site notices (T347645)]], [[gerrit:962213|HookUtils: Fix checking page props (T347878)]], [[gerrit:962214|Fix diff title escaping (T347578)]], [[gerrit:962215|Diff: Add missing .mw-diff-inline-moved selector]]

Stashbot mentioned this in T347645: Sitenotice hide button is displayed even if there is no sitenotice.Oct 2 2023, 9:07 PM
Stashbot mentioned this in T347878: Talk page empty state appears on pages with __NONEWSECTIONLINK__.

Mentioned in SAL (#wikimedia-operations) [2023-10-02T21:08:59Z] <kindrobot@deploy2002> kindrobot and matmarex: Backport for [[gerrit:962212|Ignore <!--comment--> only site notices (T347645)]], [[gerrit:962213|HookUtils: Fix checking page props (T347878)]], [[gerrit:962214|Fix diff title escaping (T347578)]], [[gerrit:962215|Diff: Add missing .mw-diff-inline-moved selector]] synced to the testservers (https://wikitech.wikimedia.org/wiki/Mwdebug)

Maintenance_bot removed a project: Patch-For-Review.Oct 2 2023, 9:11 PM
Stashbot added a comment.Oct 2 2023, 9:17 PM

Mentioned in SAL (#wikimedia-operations) [2023-10-02T21:17:51Z] <kindrobot@deploy2002> Finished scap: Backport for [[gerrit:962212|Ignore <!--comment--> only site notices (T347645)]], [[gerrit:962213|HookUtils: Fix checking page props (T347878)]], [[gerrit:962214|Fix diff title escaping (T347578)]], [[gerrit:962215|Diff: Add missing .mw-diff-inline-moved selector]] (duration: 10m 06s)

matmarex closed this task as Resolved.Oct 2 2023, 9:52 PM
matmarex claimed this task.

Fixed and deployed

ReleaseTaggerBot edited projects, added MW-1.41-notes (1.41.0-wmf.28; 2023-09-26); removed MW-1.41-notes (1.41.0-wmf.29; 2023-10-03).Oct 2 2023, 10:00 PM
Tacsipacsi reassigned this task from matmarex to Lucas_Werkmeister_WMDE.Oct 3 2023, 3:35 PM

Thanks @Lucas_Werkmeister_WMDE and @matmarex for fixing it! Is it worth it creating a task to eliminate the difference between diffonly=1 and diffonly=0?

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL