Page MenuHomePhabricator

CharInsert does not work anymore on dewikisource
Closed, ResolvedPublic

Description

Since more than a week the insertion of special characters via the CharInsert bar (the lower one with the combobox with Standard, ... at the beginning) does not work anymore on German Wikisource. Instead of inserting the selected character the position of the page jumps to the top. The issue can be reproduced on several browsers and operating systesms. Very likely this is connected to T86715.

Example: https://de.wikisource.org/w/index.php?title=Seite:Edith_Stein_-_Welt_und_Person.pdf/148&action=edit (as logged in user)

Event Timeline

Restricted Application added subscribers: Zppix, Aklapper. · View Herald TranscriptJun 16 2016, 11:08 AM
Aschroet renamed this task from Char insert does not work anymore on dewikisource to CharInsert does not work anymore on dewikisource.Jun 16 2016, 11:08 AM
Aschroet updated the task description. (Show Details)

Just a guess: MediaWiki:Onlyifediting.js needs to be fixed for a recent change in the <charinsert> extension, see https://lists.wikimedia.org/pipermail/wikitech-ambassadors/2016-May/001417.html.

Kghbln added a subscriber: Kghbln.EditedJun 16 2016, 2:36 PM

Probably documenting this somehow on MediaWiki.org will also do a world of good since it is also a extremely popular extension with non WMF wikis according to WikiApiary.

Probably documenting this somehow on MediaWiki.org will also do a world of good since it is also a extremely popular extension with non WMF wikis according to WikiApiary.

It'd only apply if they also copied really old versions of wikipedia javascript.

Bawolff set Security to Software security bug.Jun 16 2016, 8:59 PM
Bawolff added a project: Security.
Bawolff changed the visibility from "Public (No Login Required)" to "Custom Policy".

the [[s:de:mediawiki:OnlyIfEditing.js]] is full of Cross-site-scripting vulnerabilities.

It'd only apply if they also copied really old versions of wikipedia javascript.

Ah ok and thanks for clarifying! Did some fluff to the extension's page but I basically just expanded the info in the extensions box.

Kghbln removed a subscriber: Kghbln.Jun 21 2016, 7:24 AM

@Bawolff: Are you going to repair the errors?

Yes I am. Sorry for the delay. I havent had a chance to look at it in detail and The script is more complicated then the ones other wikis use

Hmm. https://de.wikisource.org/wiki/MediaWiki:ExternImage.js is also a violation of the privacy policy (Loading external images gives info to third parties), and also an xss via javascript: urls

Don't suppose we could just delete a good portion of the site js on dewikisource...?

dpatrick triaged this task as High priority.Jun 21 2016, 8:20 PM
dpatrick added a project: Vuln-XSS.
THE_IT claimed this task.Jun 27 2016, 6:50 AM

How can we help. We need the tool running again.

Restricted Application removed a subscriber: Zppix. · View Herald TranscriptJun 27 2016, 6:50 AM

My apologies for taking so long to respond.

@THE_IT, can you make the changes suggested at https://de.wikisource.org/wiki/MediaWiki_Diskussion:Onlyifediting.js#Fixes_for_charinsert_changes.

@Bawolff, we applied the fix which solved the initial issue. Thank you. According to the CSS vulnerabilities, let us know if you need support from our side.

RobLa-WMF added a subscriber: RobLa-WMF.EditedJul 8 2016, 8:37 PM

Hmm. https://de.wikisource.org/wiki/MediaWiki:ExternImage.js is also a violation of the privacy policy (Loading external images gives info to third parties), and also an xss via javascript: urls

@Aschroet and @THE_IT, the ExternImage.js script seems to be a pretty big problem. Loading images from an external site without the user's consent is a violation of our privacy policy. In particular, we need to clearly inform everyone which third parties are getting any information the external image hosting service is getting (see "When we may share" in our privacy policy).

How exactly is ExternImage.js being used?

We will trigger a request for deletion of https://de.wikisource.org/wiki/Vorlage:ExtImage. This should be the only template which uses the vulnerable code.

We will trigger a request for deletion of https://de.wikisource.org/wiki/Vorlage:ExtImage

Deletion has been proposed in https://de.wikisource.org/wiki/Vorlage:ExtImage , decision after four weeks.

Deletion has been proposed in https://de.wikisource.org/wiki/Vorlage:ExtImage , decision after four weeks.

I pinged on https://de.wikisource.org/wiki/Wikisource:L%C3%B6schkandidaten#Vorlage:ExtImage whether there are any news.

problematic code was deleted

Bawolff closed this task as Resolved.Sep 13 2016, 3:49 AM

problematic code was deleted

Thanks :)

I am closing this bug and making it public.

Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".Sep 13 2016, 3:50 AM
Bawolff changed Security from Software security bug to None.