Page MenuHomePhabricator
Create Task
Maniphest T56153

HTML stuff are not always escaped in action=history view
Closed, ResolvedPublic
Actions

Description

See https://test.wikidata.org/w/index.php?title=Q142&action=history

Not XSS: only ampersands are affected.

Version: unspecified
Severity: normal
Whiteboard: u=dev c=frontend p=0

Details

Reference
bz54153

Event Timeline

bzimport raised the priority of this task from to Low.Nov 22 2014, 1:49 AM
bzimport added projects: MediaWiki-extensions-WikibaseRepository, patch-welcome.
bzimport set Reference to bz54153.
bzimport added a subscriber: Unknown Object (MLST).
liangent created this task.Sep 15 2013, 4:12 PM
liangent added a comment.Sep 15 2013, 4:13 PM

Including: (1) <h1> title, (2) <title> title, (3) edit summary.

liangent added a comment.Sep 15 2013, 4:17 PM

Non-executable HTML tags are also affected in (1) and (2) above, see:

https://test.wikidata.org/w/index.php?title=Q143&action=history

Thanks to the standard sanitizer applied to page titles, executable tags are filtered out:

https://test.wikidata.org/w/index.php?title=Q144&action=history

Bene added a comment.Sep 28 2014, 8:59 AM

I think this has been fixed in the mean time.

liangent added a comment.Sep 28 2014, 1:52 PM

(In reply to Bene* from comment #3)

I think this has been fixed in the mean time.

No. Have a look at the linked page: edit summary of the first revision says "Created a new item: 1 & 2" but the heading is "Revision history of "1 &amp; 2" (Q142)". Obviously they don't match: either one side overescaped the label once, or another side failed to do an escape.

liangent added a comment.Sep 28 2014, 1:53 PM

Hmm I should try a new item as existing summaries are not dynamically generated, but the result is the same: https://test.wikidata.org/w/index.php?title=Q785&action=history

Bene added a comment.Sep 28 2014, 2:04 PM

Oh, I was referring to your comment #1

Including: (1) <h1> title, (2) <title> title, (3) edit summary.

Only the edit summary still has issues which I didn't notice.

Lydia_Pintscher added a project: Wikidata.Dec 1 2014, 2:57 PM
Lydia_Pintscher removed a subscriber: Unknown Object (MLST).
Lydia_Pintscher removed a subscriber: Unknown Object (MLST).
Lydia_Pintscher moved this task from incoming to needs discussion or investigation on the Wikidata board.Feb 19 2015, 11:28 AM
Ricordisamoa subscribed.Sep 4 2015, 10:08 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 4 2015, 10:08 PM
Pppery closed this task as Resolved.Mar 27 2024, 5:17 PM
Pppery subscribed.

Boldly closing as resolved since this appears to have been fixed at some point.

https://test.wikidata.org/w/index.php?title=Q142&action=history shows "1 & 2' in both places. Ditto https://test.wikidata.org/w/index.php?title=Q785&action=history

https://test.wikidata.org/w/index.php?title=Q143&action=history shows "1<b>2</b>" in both places and neither renders in bold

https://test.wikidata.org/w/index.php?title=Q144&action=history shows "1<script>alert(1)</script>" in both places.

matej_suchanek subscribed.Apr 17 2024, 8:05 PM
In T56153#9666401, @Pppery wrote:

Boldly closing as resolved since this appears to have been fixed at some point.

https://test.wikidata.org/w/index.php?title=Q142&action=history shows "1 & 2' in both places. Ditto https://test.wikidata.org/w/index.php?title=Q785&action=history

Shouldn't it display 1 &amp; 2, though?

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL