
Fix unexpected HTML escaping in QuestyCaptcha.
Closed, Resolved · Public

Description

HTML-based questions (e.g. images) will not work well with QuestyCaptcha on MediaWiki 1.27 due to an unexpected HTML escape. This commit fixes the issue by declaring raw HTML form mode, just like MathCaptcha.

https://gerrit.wikimedia.org/r/#/c/314236/

Event Timeline

Restricted Application added subscribers: Florian, Aklapper.

Change 314236 had a related patch set uploaded (by Ben.imbushuo):
Fixing unexcepted HTML escaping in QuestyCaptcha.

https://gerrit.wikimedia.org/r/314236

I'm not sure if "QuestyCaptcha", by its definition, should allow HTML in questions. Why would you want to do that? :)

> I'm not sure if "QuestyCaptcha", by its definition, should allow HTML in questions. Why would you want to do that? :)

Yes, it should allow HTML in questions. QuestyCaptcha doesn't declare the capability of RAW HTML output, but prior to 1.27 HTML-based questions worked. In MediaWiki 1.27+, QuestyCaptcha with HTML-based questions fails to present the expected HTML content on the user registration page because it is force-escaped (please see the screenshot below). AFAIK, it still works on other pages (e.g. the edit page).

Unexcepted Escape.PNG (348×860 px, 40 KB)

I believe more than one MediaWiki site, including https://zh.moegirl.org (Moegirlpedia), utilizes HTML-based questions in production; a discussion thread called "Allow HTML in $wgCaptchaQuestions" at https://www.mediawiki.org/wiki/Extension_talk:ConfirmEdit can prove that.

This changeset addresses the issue by declaring RAW HTML output capability in the captchaInfo form descriptor and correcting the MIME type to text/html in the captcha metadata. Other ConfirmEdit captcha providers, for instance MathCaptcha, have already declared RAW HTML output and the correct MIME type (text/html) in their form descriptors and metadata. (https://github.com/wikimedia/mediawiki-extensions-ConfirmEdit/blob/master/MathCaptcha/MathCaptcha.class.php, Line 85 and Line 24)

Best Regards,
Bingxing Wang (Ben)
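
The escape-by-default versus declared-raw behaviour discussed in the comment above, as an added example that is not part of the original thread and is not MediaWiki or ConfirmEdit code. `renderInfoField()`, the descriptor arrays and the sample strings are hypothetical and constructed for illustration.

```php
<?php
// Simplified model of a form renderer: a field value is escaped unless its
// descriptor declares raw HTML. renderInfoField() is a hypothetical stand-in,
// not a MediaWiki or ConfirmEdit function.
function renderInfoField(array $field): string {
    $value = $field['value'];
    if (empty($field['raw'])) {
        // Default path: any markup in the value is shown as literal text.
        $value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    }
    return '<div class="captcha-info">' . $value . '</div>';
}

// Constructed sample question, as an administrator might configure it.
$question = 'Which animal is this? <img src="/images/captcha/cat.png" alt="">';

// No raw declaration: the <img> tag arrives in the page as &lt;img ...&gt;,
// which is the symptom reported for the registration page.
$escaped = renderInfoField(['value' => $question]);

// Raw declared: the administrator's markup is emitted unchanged.
$raw = renderInfoField(['value' => $question, 'raw' => true]);

// Declaring raw moves the escaping duty to whoever builds the value, so any
// part that is not administrator-configured is escaped before it is mixed in.
$untrusted = '<b>guest</b>'; // constructed stand-in for user-controlled text
$mixed = renderInfoField([
    'value' => $question . ' (asked of '
        . htmlspecialchars($untrusted, ENT_QUOTES, 'UTF-8') . ')',
    'raw' => true,
]);

echo $escaped, "\n", $raw, "\n", $mixed, "\n";
```

The first line of output contains the question's tag as visible text, the second contains a working image element, and the third keeps the image while the untrusted fragment stays inert.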

Florian assigned this task to imbushuo.
Florian triaged this task as Medium priority.

Ok, thanks for the clarification! As HTML was allowed in REL1_26 and earlier, I merged the change (even if I think that a question shouldn't contain HTML, but ok :)) to restore the status quo :) Thanks for reporting this and submitting a patch!

Change 314236 merged by jenkins-bot:
Fixing unexcepted HTML escaping in QuestyCaptcha.

https://gerrit.wikimedia.org/r/314236

Change 363616 had a related patch set uploaded (by Florianschmidtwelzow; owner: Ben.imbushuo):
[mediawiki/extensions/ConfirmEdit@REL1_27] Fixing unexcepted HTML escaping in QuestyCaptcha.

https://gerrit.wikimedia.org/r/363616

Change 363616 merged by jenkins-bot:
[mediawiki/extensions/ConfirmEdit@REL1_27] Fixing unexcepted HTML escaping in QuestyCaptcha.

https://gerrit.wikimedia.org/r/363616