Page MenuHomePhabricator
Create Task
Maniphest T103430

Adguard injects code to VisualEditor edits
Closed, ResolvedPublic1 Estimated Story Points
Actions

Description

I noticed some edits in the Hebrew Wikipedia in which some JavaScript as inserted, probably without the editors' knowledge, by some software that runs on their machines.

Examples:

The code is sanitized and escaped, so it's harmless as far as security goes, but it makes dirty diffs and articles and adds work to patrolers who need to clean it up. It's also possible to define an AbuseFilter (as was already done in he.wiki), but a more comprehensive solution would be nice, such as preventing this from happening, or (dare I say) getting that external software fixed.

Details

SubjectRepoBranchLines +/-
ve.init.mw.Target: Strip all <script>/<object>/<style>/<embed> on savemediawiki/extensions/VisualEditormaster+5 -8
Customize query in gerrit

Related Objects
Search...

Event Timeline

Amire80 created this task.Jun 22 2015, 10:05 PM
Amire80 raised the priority of this task from to Needs Triage.
Amire80 updated the task description. (Show Details)
Amire80 added a project: VisualEditor.
Amire80 added subscribers: Amire80, Mooeypoo, Krenair, eranroz.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 22 2015, 10:05 PM
Krenair added a subscriber: Esanders.Jun 22 2015, 10:08 PM
Jdforrester-WMF triaged this task as High priority.Jun 22 2015, 10:09 PM
Jdforrester-WMF added projects: VisualEditor-MediaWiki, VisualEditor 2014/15 Q4 blockers.
Jdforrester-WMF set Security to None.
Krenair added a parent task: T54327: Broken browser plugins cause cruft to be injected into the page (tracking).Jun 22 2015, 10:18 PM
gerritbot subscribed.Jun 23 2015, 1:10 AM

Change 220028 had a related patch set uploaded (by Jforrester):
ve.init.mw.Target: Kill all <script> tags before sending to Parsoid

https://gerrit.wikimedia.org/r/220028

gerritbot added a project: Patch-For-Review.Jun 23 2015, 1:10 AM
Jdforrester-WMF claimed this task.Jun 23 2015, 6:30 PM
Jdforrester-WMF edited a custom field.
Jdforrester-WMF moved this task from To Triage to TR0: Interrupt on the VisualEditor board.Jun 23 2015, 6:35 PM
Jdforrester-WMF moved this task from Nominated to Doing on the VisualEditor 2014/15 Q4 blockers board.Jun 23 2015, 7:06 PM
gerritbot added a comment.Jun 25 2015, 11:45 PM

Change 220028 merged by jenkins-bot:
ve.init.mw.Target: Strip all <script>/<object>/<style>/<embed> on save

https://gerrit.wikimedia.org/r/220028

Jdforrester-WMF mentioned this in rEVED4f1881ea743f: ve.init.mw.Target: Strip all <script>/<object>/<style>/<embed> on save.Jun 25 2015, 11:45 PM
Jdforrester-WMF closed this task as Resolved.Jun 25 2015, 11:50 PM
Jdforrester-WMF removed a project: Patch-For-Review.
Jdforrester-WMF moved this task from Doing to Done on the VisualEditor 2014/15 Q4 blockers board.
Forrestbot added a project: WMF-deploy-2015-06-30_(1.26wmf12).Jun 26 2015, 12:00 AM
Forrestbot subscribed.
Legoktm removed a subscriber: Forrestbot.Jun 29 2015, 5:49 PM
Amire80 mentioned this in T111906: Some kind of filtering or security software ("NetFree") inserts an HTML comment when editing with VisualEditor.Sep 9 2015, 7:34 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL