Page MenuHomePhabricator
Files F58744955

T387691_2.patch
matthiasmullie (Matthias Mullie)
Actions

Authored By
matthiasmullie
Mar 10 2025, 8:50 AM
Size
2 KB
Referenced Files
None
Subscribers
None

T387691_2.patch
View Options

From 5cd5d1af291e36b32514c64c378a4cbad53827f3 Mon Sep 17 00:00:00 2001
From: Matthias Mullie <git@mullie.eu>
Date: Mon, 10 Mar 2025 09:46:07 +0100
Subject: [PATCH] Abort initialization with unexpected DOM
Bug: T387691
Change-Id: I09b02dcc198466d0330285d0b375fefaee2b115b
---
resources/filepage/StatementPanel.js | 4 ++++
resources/filepage/init.js | 8 ++++++++
2 files changed, 12 insertions(+)
diff --git a/resources/filepage/StatementPanel.js b/resources/filepage/StatementPanel.js
index 40dc1cca..775d92e5 100644
--- a/resources/filepage/StatementPanel.js
+++ b/resources/filepage/StatementPanel.js
@@ -38,6 +38,10 @@ const StatementPanel = function StatementPanelConstructor( config ) {
if ( this.$element.attr( 'data-mw-formatvalue' ) ) {
this.populateFormatValueCache( JSON.parse( this.$element.attr( 'data-mw-formatvalue' ) || '{}' ) );
+ } else if ( this.$element.attr( 'data-formatvalue' ) ) {
+ // Fallback for when this attribute was named differently
+ // @see https://phabricator.wikimedia.org/T387691
+ this.populateFormatValueCache( JSON.parse( this.$element.attr( 'data-formatvalue' ) || '{}' ) );
}
this.licenseDialogWidget = new LicenseDialogWidget();
diff --git a/resources/filepage/init.js b/resources/filepage/init.js
index 236523ed..db329bac 100644
--- a/resources/filepage/init.js
+++ b/resources/filepage/init.js
@@ -172,6 +172,14 @@
* @param {jQuery} content
*/
mw.hook( 'wikipage.content' ).add( ( $content ) => {
+ // eslint-disable-next-line no-jquery/no-global-selector
+ if ( $( '.wbmi-structured-data-header' ).length > 1 || $( '.wbmi-captions-header' ).length > 1 ) {
+ // abort initialization if we encounter more than of the expected DOM
+ // structured; in which case wikitext has likely been crafted maliciously,
+ // and it may be unsafe to proceed
+ return;
+ }
+
const linkNoticeWidget = new LinkNoticeWidget();
const protectionMsgWidget = new ProtectionMsgWidget();
const $statements = $content.find( '.wbmi-structured-data-header ~ .wbmi-entityview-statementsGroup' );
--
2.34.1

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
19441275
Default Alt Text
T387691_2.patch (2 KB)

Event Timeline

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits