
ctype=text/plain
Closed, Declined | Public

Description

http://www.mediawiki.org/wiki/Manual:Parameters_to_index.php#Raw says

ctype

the content-type value to be used in the HTTP header when
returning the raw content, instead of the default text/x-wiki;
this can only be one of the allowed types, which currently are
text/x-wiki, text/javascript, text/css, and
application/x-zope-edit

What is wrong with adding text/plain to the allowed types? You must
admit that would be the most reasonable choice to be able to read raw
wikitext in some browsers.


Version: 1.9.x
Severity: minor
OS: Linux
Platform: PC

Details

Reference
bz8775

Event Timeline

bzimport raised the priority of this task from to Lowest. Nov 21 2014, 9:32 PM
bzimport added a project: MediaWiki-Parser.
bzimport set Reference to bz8775.
bzimport added a subscriber: Unknown Object (MLST).

text/plain is unsafe, as a number of browsers interpret it as "go ahead and try
to detect the file type and if it looks like HTML render it as HTML". Hence,
arbitrary JavaScript execution.

You may thank Microsoft and Apple for that.
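The allowlist behaviour described in this task, modelled as an added example (not MediaWiki's own RawAction code): the endpoint only ever emits a Content-Type from the fixed list quoted in the description, and anything else requested via `ctype=`, including `text/plain`, falls back to the default `text/x-wiki` instead of being echoed into the header. The fallback-to-default behaviour and the `X-Content-Type-Options: nosniff` header are assumptions added here, not something the thread states.

```python
# Added example, not MediaWiki code: choose the Content-Type for a
# ?action=raw&ctype=... request from a fixed allowlist, refusing text/plain
# so that browsers that sniff plain text for HTML never get a chance to.
from urllib.parse import parse_qs, urlsplit

# Allowed values, exactly as listed in the manual text quoted in the task.
ALLOWED_RAW_TYPES = frozenset({
    "text/x-wiki",
    "text/javascript",
    "text/css",
    "application/x-zope-edit",
})
DEFAULT_RAW_TYPE = "text/x-wiki"


def normalize_mime(value: str) -> str:
    """Lower-case the media type and drop parameters such as '; charset=...'."""
    return value.split(";", 1)[0].strip().lower()


def raw_response_headers(url: str) -> dict:
    """Return the response headers for a raw request URL (constructed model).

    Assumption: a ctype outside the allowlist (text/plain, text/html, ...)
    silently falls back to the default rather than being rejected or echoed.
    """
    params = parse_qs(urlsplit(url).query)
    requested = params.get("ctype", [DEFAULT_RAW_TYPE])[0]
    ctype = normalize_mime(requested)
    if ctype not in ALLOWED_RAW_TYPES:
        ctype = DEFAULT_RAW_TYPE
    return {
        "Content-Type": ctype + "; charset=UTF-8",
        # Assumption: a belt-and-braces header telling the browser not to
        # second-guess the declared type; it is not discussed in the thread.
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed sample requests, including the one from the task title.
    for u in ("/index.php?title=Some_Page&action=raw",
              "/index.php?title=Some_Page&action=raw&ctype=text/css",
              "/index.php?title=Some_Page&action=raw&ctype=text/plain",
              "/index.php?title=Some_Page&action=raw&ctype=TEXT/HTML;charset=x"):
        print(u, "->", raw_response_headers(u)["Content-Type"])
```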

wilson.jim.r wrote:

If you're feeling hackish, 'text/css' offers a dirty alternative. All major
browsers render text/css just like text/plain (as of the time of this writing).

So instead of linking to "?title=Some_Page&action=raw", try
"?title=Some_Page&action=raw&ctype=text/css"

At least it'll stay in-browser and not prompt you to download the thing.