Page MenuHomePhabricator
Create Task
Maniphest T104896

Sanitizer::escapeId generates ambiguous IDs
Open, LowPublic
Actions

Description

In traditional mode ($wgExperimentalHtmlIds = false) Sanitizer::escapeId generates ambiguous values:
Sanitizer::escapeId( '!', [ 'noninitial' ] ) and Sanitizer::escapeId( '.21', [ 'noninitial' ] ) evaluates to .21.

A heuristic decoding would generate relevant errors. For example the heading

172.31.255.255

gets encoded to id="172.31.255.255" and a heuristic decoder would generate 1721%5%5.

It would be possible to generate nonambiguous values by encoding . with .2E. Sanitizer::escapeId( '.21', [ 'noninitial' ] ) would evaluate to .2E21.

Such a change would be easy to implement by adding

'.' => '%2E',

after line https://phabricator.wikimedia.org/source/mediawiki/browse/master/includes/Sanitizer.php;d0a0838cb76b4cf20977c4aba5fe06877d8deb58$1205

But such a change is not backward compatible. Existing anchor links to headings can break.

Related Objects

Event Timeline

Fomafix created this task.Jul 6 2015, 7:09 PM
Fomafix raised the priority of this task from to Low.
Fomafix updated the task description. (Show Details)
Fomafix added a project: MediaWiki-General.
Fomafix subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 6 2015, 7:09 PM
Fomafix added a comment.EditedJul 6 2015, 7:20 PM

FlaggedRevs does some hacky reverse of Sanitizer::escapeId() encoding: https://phabricator.wikimedia.org/diffusion/EFLR/browse/master/frontend/FlaggablePageView.php;92cd407c84b8093b813a0a0a125d28ae256836f1$488-492

Krinkle subscribed.Jul 6 2015, 7:42 PM

It is ambiguous from the perspective of trying to reverse an ID back into the title heading yes. However that is not a supported use case for the ID. The only thing that matters is that the logic is deterministic in one direction, and that the produced ID (in case of OutputPage) is unique.

In what case do you need to reverse it? That sounds like something that is in need of a better approach.

Ricordisamoa subscribed.Jul 7 2015, 2:54 PM
Fomafix updated the task description. (Show Details)Jun 9 2017, 10:32 AM
Fomafix mentioned this in T160877: New wikitext editor should anchordecode internal links.Jun 9 2017, 11:21 AM
Fomafix added a comment.Jun 9 2017, 11:36 AM

The benefit of the current function is, that it is an idempotent function:

Sanitizer::escapeId( Sanitizer::escapeId( x ) ) === Sanitizer::escapeId( x )
Pppery edited projects, added MediaWiki-Parser; removed MediaWiki-General.Mar 7 2026, 6:10 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits