Page MenuHomePhabricator

Security review for CodeMirror extension branch master
Closed, ResolvedPublic


Project Information

Description of the tool/project

CodeMirror is a syntax highlighting engine for programming languages. The MediaWiki CodeMirror extension is specifically for highlighting WikiText.

Description of how the tool will be used at WMF

It will be an opt-in (at least initially) add-on for the WikiText editing interface. Once enabled, it will add a new button to the editing toolbar. Clicking the button will activate syntax highlighting for the editor (i.e. existing and newly entered text will be color-coded based on syntax).


  • CodeMirror library. Note that only a small portion of the 3rd party CodeMirror library is actually used by the CodeMirror extension:
    • lib/codemirror/addon/selection/active-line.js
    • lib/codemirror/lib/codemirror.js
    • various CSS files (probably not relevant for security review)

Has this project been reviewed before?


Working test environment

Currently set up at You can test at You will need to have an account and be logged in. Once you are in the editor, click the rainbox-colored button in the toolbar.


Community Tech will be responsible for the project after deployment.

Event Timeline

Florian created this task.Aug 11 2015, 2:36 PM
Florian claimed this task.
Florian removed Florian as the assignee of this task.
Florian raised the priority of this task from to Needs Triage.
Florian updated the task description. (Show Details)
Florian added a project: Security-Team.
Florian set Security to None.
Florian added subscribers: Pastakhov, Legoktm, Niharika and 12 others.

Hi Florian, where and when are you looking to get this deployed?

Hi Florian, where and when are you looking to get this deployed?

-> Blocks: T95041: Deploy CodeMirror extension to beta cluster

@csteipp: @Aklapper pointed you to the right task (thanks!), does it answer your question? If not, or if you need more information, I will support you as much as possible :]

@csteipp: Still in discussions with Editing team, TCB team, and Community Liaisons about the potential of deploying CodeMirror, so security review is not pressing.

Krenair triaged this task as Low priority.Aug 12 2015, 5:38 PM

Looks like we won't be deploying this to Wikimedia wikis (see T95041). Not sure if that means it should be marked as declined though (since someone else could still do a security review of it for the benefit of 3rd party wikis).

greg lowered the priority of this task from Low to Lowest.Aug 20 2015, 9:49 PM

Per the Community Wishlist Survey results, we would like to deploy the CodeMirror extension to Beta Labs for performance and compatibility testing in order to evaluate whether it might be a viable option for syntax highlighting.

kaldari raised the priority of this task from Lowest to Medium.Dec 16 2016, 7:32 PM
kaldari added a project: Community-Tech.
kaldari lowered the priority of this task from Medium to Low.Dec 16 2016, 11:26 PM

Still unlikely to get deployed to Beta Cluster any time soon, so moving to Low priority.

@kaldari To clarify, what's the status of this bug? Perhaps it should be closed, and someone could file a new bug if/when people actual intend to use this extension.

@Bawolff: Actually, this is back on the table. We talked with the Editing Team about using CodeMirror for the old WikiText editor (and emulating the same highlighting style in the new WikiText editor) and they were receptive to the idea (on the condition that it be an opt-in feature). The only person we're still waiting to hear back from is Ed Sanders, but he seems to be AWOL at the moment. I'll post an update as soon as we talk to him.

Also examples of how to highlighting style in the new WikiText editor would be very helpful.

DannyH renamed this task from Security review of for CodeMirror extension branch master to Security review for CodeMirror extension branch master.Mar 21 2017, 10:20 PM
DannyH raised the priority of this task from Low to Medium.
DannyH added a subscriber: DannyH.

After talking with the VE team, we're interested in moving forward with this. We'd appreciate a security review. Thanks!

Niharika added a comment.EditedMar 21 2017, 11:15 PM

@Pastakhov Some screenshots of the current styles:

We're hoping to get a designer to look at these soon.

@Pastakhov, @Bawolff: We met with @Esanders. We're now investigating the possibility of integrating CodeMirror with the new WikiText editor rather than emulating it. (See T161052 and T161054.) We currently have no blockers for implementing this as an opt-in feature in the old WikiText editor besides security and design reviews.

Qgil removed a subscriber: Qgil.Mar 22 2017, 2:21 PM

@kaldari, can you update the description of this ticket and add the info requested at Once that's done, I'll get this scheduled.

kaldari updated the task description. (Show Details)Mar 22 2017, 11:46 PM
kaldari updated the task description. (Show Details)

@dpatrick: Description updated. Let me know if you need any other info. Thanks!

kaldari updated the task description. (Show Details)Mar 27 2017, 2:16 AM
kaldari updated the task description. (Show Details)
Reedy added a subscriber: Reedy.Apr 4 2017, 12:18 AM

PHP code is fine

CodeMirror extension is another candidate for T107561

Gilles added a subscriber: Gilles.Aug 9 2017, 5:09 PM

What's the status of this security review? It's my understanding that this extension was briefly deployed to all wikis as a beta feature and should be back soon.

Yeah, I'm a little unclear on that myself. Reedy reviewed the PHP code back in April. There's some JS code in the extension that should be reviewed as well, though:

  • resources/ext.CodeMirror.js
  • resources/mode/mediawiki.js
  • stuff in resources/modules/ve-cm

@dpatrick marked this as "In Progress" back in May, but I haven't heard anything since then. It's definitely ready to deploy, so is there any way to get this wrapped up soon?

Hi, we're hoping to get this extension out this week/early next week. Can we get this reviewed soon? Ping @dpatrick

Reedy added a comment.Aug 21 2017, 7:38 PM

Side point, it may be worth swapping codemirror to 5.25.2 from 5.25.0.

I don't see any specific security/performance fixes at all, never mind any relevant. Some crash fixes in 5.27.*, but they shouldn't be appropriate. No obvious reason to bump to 5.28.0 at this junction, but I'm guessing you'll do that as a matter of course anyway for other bug fixes, features et al.

(Though Fix infinite loop in forced display update. in 5.27.0 does seem interesting :P)

Sorry for the delay in this, never really got finished. Many other stuff going on and around.

I don't see anything obviously blocking this being further deployed on WMF wikis

Reedy closed this task as Resolved.Aug 25 2017, 6:39 PM
Reedy claimed this task.
Restricted Application added a subscriber: jeblad. · View Herald TranscriptAug 25 2017, 6:39 PM