Page MenuHomePhabricator
Files F66017610

T404392-4.patch
Jdforrester-WMF (James D. Forrester)
Actions

Authored By
Jdforrester-WMF
Sep 12 2025, 12:24 PM
Size
7 KB
Referenced Files
None
Subscribers
None

T404392-4.patch
View Options

From dc68877204083da4fdb2eedd2de939045bc02363 Mon Sep 17 00:00:00 2001
From: gengh <ggalarzaheredero@wikimedia.org>
Date: Fri, 12 Sep 2025 12:50:58 +0200
Subject: [PATCH] SECURITY: Do not let error type labels or arguments return
HTML either
Bug: T404392
Change-Id: I996fa2f9ec5112978296ad8f357176123f8f692b
---
resources/ext.wikilambda.app/components/App.vue | 2 +-
.../ext.wikilambda.app/components/base/TypeToString.vue | 2 +-
.../components/types/ZObjectStringRenderer.vue | 1 +
.../components/types/wikidata/LexemeSense.vue | 2 +-
.../components/visualeditor/FunctionInputField.vue | 2 +-
.../components/visualeditor/FunctionSelect.vue | 2 +-
.../visualeditor/fields/FunctionInputParser.vue | 8 ++++----
.../widgets/function-evaluator/FunctionMetadataDialog.vue | 5 +++--
.../components/widgets/publish/PublishDialog.vue | 1 +
9 files changed, 14 insertions(+), 11 deletions(-)
diff --git a/resources/ext.wikilambda.app/components/App.vue b/resources/ext.wikilambda.app/components/App.vue
index 7560c136..bf57148b 100644
--- a/resources/ext.wikilambda.app/components/App.vue
+++ b/resources/ext.wikilambda.app/components/App.vue
@@ -21,7 +21,7 @@
<!-- Provide a nice error message when fetching zids or initializing the page fails -->
<cdx-message v-else-if="hasError" type="warning">
{{ $i18n( 'wikilambda-initialize-error' ).text() }}<br>
- <!-- eslint-disable vue/no-v-html -->
+ <!-- eslint-disable-next-line vue/no-v-html -->
<span v-html="$i18n( 'wikilambda-renderer-error-footer-project-chat' ).parse()"></span>
</cdx-message>
<span v-else>
diff --git a/resources/ext.wikilambda.app/components/base/TypeToString.vue b/resources/ext.wikilambda.app/components/base/TypeToString.vue
index 4f0b9458..cbca76a7 100644
--- a/resources/ext.wikilambda.app/components/base/TypeToString.vue
+++ b/resources/ext.wikilambda.app/components/base/TypeToString.vue
@@ -21,7 +21,7 @@
v-if="hasArgs"
class="ext-wikilambda-app-type-to-string">
&nbsp;(
- <!-- eslint-disable vue/no-v-for-template-key -->
+ <!-- eslint-disable-next-line vue/no-v-for-template-key -->
<template
v-for="( argKey, index ) in args"
:key="argKey"
diff --git a/resources/ext.wikilambda.app/components/types/ZObjectStringRenderer.vue b/resources/ext.wikilambda.app/components/types/ZObjectStringRenderer.vue
index 0c6ca02f..017953b6 100644
--- a/resources/ext.wikilambda.app/components/types/ZObjectStringRenderer.vue
+++ b/resources/ext.wikilambda.app/components/types/ZObjectStringRenderer.vue
@@ -42,6 +42,7 @@
class="ext-wikilambda-app-object-string-renderer__error-footer"
v-html="$i18n( 'wikilambda-renderer-error-footer-project-chat' ).parse()"
></p>
+ <!-- eslint-enable vue/no-v-html -->
</div>
</template>
diff --git a/resources/ext.wikilambda.app/components/types/wikidata/LexemeSense.vue b/resources/ext.wikilambda.app/components/types/wikidata/LexemeSense.vue
index 80922b98..58a33ff5 100644
--- a/resources/ext.wikilambda.app/components/types/wikidata/LexemeSense.vue
+++ b/resources/ext.wikilambda.app/components/types/wikidata/LexemeSense.vue
@@ -49,7 +49,7 @@
v-if="shouldShowNoSensesMessage"
inline
>
- <!-- eslint-disable vue/no-v-html -->
+ <!-- eslint-disable-next-line vue/no-v-html -->
<div v-html="noSensesMessage"></div>
</cdx-message>
</div>
diff --git a/resources/ext.wikilambda.app/components/visualeditor/FunctionInputField.vue b/resources/ext.wikilambda.app/components/visualeditor/FunctionInputField.vue
index 060d92a2..b83cc484 100644
--- a/resources/ext.wikilambda.app/components/visualeditor/FunctionInputField.vue
+++ b/resources/ext.wikilambda.app/components/visualeditor/FunctionInputField.vue
@@ -32,7 +32,7 @@
</span>
</template>
<template v-if="showValidation && !!errorMessage" #error>
- <div>{{ getErrorMessage( error ) }}</div>
+ <div>{{ errorMessage }}</div>
</template>
</cdx-field>
</template>
diff --git a/resources/ext.wikilambda.app/components/visualeditor/FunctionSelect.vue b/resources/ext.wikilambda.app/components/visualeditor/FunctionSelect.vue
index 2ab0a96f..2e2d53b5 100644
--- a/resources/ext.wikilambda.app/components/visualeditor/FunctionSelect.vue
+++ b/resources/ext.wikilambda.app/components/visualeditor/FunctionSelect.vue
@@ -54,7 +54,7 @@
:key="`cta-${ index }`"
class="ext-wikilambda-app-function-select__no-results-cta"
>
- <!-- eslint-disable vue/no-v-html -->
+ <!-- eslint-disable-next-line vue/no-v-html -->
<span v-html="cta.title"></span><br>
<span>{{ cta.description }}</span>
</div>
diff --git a/resources/ext.wikilambda.app/components/visualeditor/fields/FunctionInputParser.vue b/resources/ext.wikilambda.app/components/visualeditor/fields/FunctionInputParser.vue
index 0e356fcf..c2d0e1fa 100644
--- a/resources/ext.wikilambda.app/components/visualeditor/fields/FunctionInputParser.vue
+++ b/resources/ext.wikilambda.app/components/visualeditor/fields/FunctionInputParser.vue
@@ -128,7 +128,7 @@ module.exports = exports = defineComponent( {
*
* @return {string}
*/
- getErrorMessage: function () {
+ fallbackErrorMsg: function () {
return this.$i18n( 'wikilambda-visualeditor-wikifunctionscall-error-parser', this.inputType ).parse();
},
/**
@@ -186,10 +186,10 @@ module.exports = exports = defineComponent( {
// * get error from metadata object
// * reject with error message
const metadata = data.response[ Constants.Z_RESPONSEENVELOPE_METADATA ];
- this.setErrorMessageCallback( metadata, this.getErrorMessage, reject );
+ this.setErrorMessageCallback( metadata, this.fallbackErrorMsg, reject );
} else if ( this.typeToString( this.getZObjectType( response ) ) !== this.inputType ) {
// Parser return unexpected type: reject with error message
- reject( this.getErrorMessage );
+ reject( this.fallbackErrorMsg );
} else {
// Success: Resolve the promise
resolve();
@@ -199,7 +199,7 @@ module.exports = exports = defineComponent( {
if ( error.code === 'abort' ) {
reject( error.code );
}
- reject( this.getErrorMessage );
+ reject( this.fallbackErrorMsg );
} );
} );
},
diff --git a/resources/ext.wikilambda.app/components/widgets/function-evaluator/FunctionMetadataDialog.vue b/resources/ext.wikilambda.app/components/widgets/function-evaluator/FunctionMetadataDialog.vue
index 46342800..0a3d6fc3 100644
--- a/resources/ext.wikilambda.app/components/widgets/function-evaluator/FunctionMetadataDialog.vue
+++ b/resources/ext.wikilambda.app/components/widgets/function-evaluator/FunctionMetadataDialog.vue
@@ -44,12 +44,12 @@
class="ext-wikilambda-metadata-dialog-errors"
:type="error.type"
>
- <div> {{ getErrorMessage( error ) }} </div>
+ <div>{{ getErrorMessage( error ) }}</div>
</cdx-message>
</div>
<div v-else class="ext-wikilambda-app-function-metadata-dialog__body">
<cdx-message v-if="hasMetadataErrors">
- <!-- eslint-disable vue/no-v-html -->
+ <!-- eslint-disable-next-line vue/no-v-html -->
<div v-html="$i18n( 'wikilambda-functioncall-metadata-errors-debug-hint' ).parse()"></div>
</cdx-message>
<cdx-field
@@ -107,6 +107,7 @@
:dir="item.dir"
v-html="item.value"
></span>
+ <!-- eslint-enable vue/no-v-html -->
</template>
<ul v-if="item.content">
<li
diff --git a/resources/ext.wikilambda.app/components/widgets/publish/PublishDialog.vue b/resources/ext.wikilambda.app/components/widgets/publish/PublishDialog.vue
index 8244b3b8..d00d02d4 100644
--- a/resources/ext.wikilambda.app/components/widgets/publish/PublishDialog.vue
+++ b/resources/ext.wikilambda.app/components/widgets/publish/PublishDialog.vue
@@ -60,6 +60,7 @@
class="ext-wikilambda-app-publish-dialog__legal-text"
v-html="legalText"
></div>
+ <!-- eslint-enable vue/no-v-html -->
</template>
</cdx-dialog>
</div>
--
2.39.5 (Apple Git-154)

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
21797202
Default Alt Text
T404392-4.patch (7 KB)

Event Timeline

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits