Page MenuHomePhabricator
Create Task
Maniphest T154891

Several of the wikieditor-toolbar-* messages are used as raw html
Closed, ResolvedPublic
Actions

Description

Not a big deal, but several of the wikieditor-toolbar- (E.g. wikieditor-toolbar-group-format, wikieditor-toolbar-help-heading-description, etc) group of messages are used as raw html. Since this is unnecessary, it would be nice if we could change this to not treat the messages as raw html.

Details

SubjectRepoBranchLines +/-
Stop using autoMsg and use mw.messages directly insteadmediawiki/extensions/WikiEditormaster+387 -324
Remove use of autoMsg in favour of using mw.message directlymediawiki/extensions/CodeEditormaster+7 -7
Remove reliance on WikiEditor's autoMsg functionmediawiki/extensions/ProofreadPagemaster+4 -4
Remove use of autoMsg in favour of using mw.message directlymediawiki/extensions/Citemaster+5 -5
Remove reliance on WikiEditor's autoMsg functionmediawiki/extensions/TemplateWizardmaster+1 -1
Remove reliance on WikiEditor's autoMsg functionmediawiki/extensions/SVGEditmaster+1 -1
Fork autoMsg() with escaped autoSafeMsg(), replace where appropriatemediawiki/extensions/WikiEditormaster+47 -4
Escape messages appropriately and not use raw htmlmediawiki/extensions/WikiEditormaster+2 -2
Convert raw html messages to normal messagesmediawiki/extensions/WikiEditormaster+21 -21
Customize query in gerrit

Related Objects

Event Timeline

Bawolff created this task.Jan 9 2017, 6:56 AM
Restricted Application added subscribers: TerraCodes, Aklapper. · View Herald TranscriptJan 9 2017, 6:56 AM
DatGuy triaged this task as Lowest priority.Jan 9 2017, 3:11 PM
DatGuy subscribed.

Hey, I'd be interested in working on this since this *should* be easy. Do you mean in the i18n file?

DatGuy added a comment.Jan 9 2017, 4:01 PM
This comment was removed by DatGuy.
gerritbot subscribed.Jan 9 2017, 4:35 PM

Change 331334 had a related patch set uploaded (by DatGuy):
Convert raw html messages to normal messages

https://gerrit.wikimedia.org/r/331334

gerritbot added a project: Patch-For-Review.Jan 9 2017, 4:35 PM
gerritbot added a comment.Mar 15 2017, 3:45 PM

Change 331334 abandoned by DatGuy:
Convert raw html messages to normal messages

Reason:
After rereviewing this, I believe this is too difficult for me and I do not have the time. Thanks anyways.

https://gerrit.wikimedia.org/r/331334

DatGuy removed a project: Patch-For-Review.Mar 15 2017, 3:45 PM
gerritbot added a comment.Jan 22 2018, 4:00 PM

Change 405729 had a related patch set uploaded (by D3r1ck01; owner: Alangi Derick):
[mediawiki/extensions/WikiEditor@master] Add support for use of JavaScript Messages API

https://gerrit.wikimedia.org/r/405729

gerritbot added a project: Patch-For-Review.Jan 22 2018, 4:00 PM
gerritbot added a comment.Jan 22 2018, 7:26 PM

Change 405729 merged by jenkins-bot:
[mediawiki/extensions/WikiEditor@master] Escape messages appropriately and not use raw html

https://gerrit.wikimedia.org/r/405729

xSavitar closed this task as Resolved.Jan 22 2018, 7:32 PM
xSavitar claimed this task.
xSavitar added a project: Africa-Wikimedia-Developers.
xSavitar moved this task from Backlog to Technical Tasks (Completed) on the Africa-Wikimedia-Developers board.
ReleaseTaggerBot added a project: MW-1.31-release-notes (WMF-deploy-2018-02-06 (1.31.0-wmf.20)).Jan 22 2018, 8:00 PM
Fomafix reopened this task as Open.Jan 22 2018, 8:30 PM
Fomafix subscribed.

Reopened. There are still some system messages that allow HTML and JavaScript injections for users with rights to edit the system messages. For example the message wikieditor-toolbar-help-heading-description.

xSavitar moved this task from Technical Tasks (Completed) to Tasks in progress (Doing) on the Africa-Wikimedia-Developers board.Jan 23 2018, 3:56 AM
xSavitar removed xSavitar as the assignee of this task.Jan 25 2018, 12:11 PM
xSavitar subscribed.

@Fomafix, maybe you could throw more lights? Maybe an example? I can work on this but will need to understand what you mean. Also, if possible, can you update the task description?

Fomafix added a comment.Jan 25 2018, 1:37 PM

Steps to reproduce:

  • Open index.php?title=MediaWiki:Wikieditor-toolbar-help-heading-description&action=edit with an user which has the rights to edit this system message.
  • Insert <i onmouseover="alert('JS injection')">Description</i>.
  • Maybe clear any caches (Shift+Ctrl+R).
  • Hover over the Description in the Help menu.
TheDJ subscribed.Jan 25 2018, 9:28 PM

Note that this is likely partially intentional. The dialog config specifically uses the key: "htmlMsg" for these descriptions. That means that likely in some conditions it is expected to actually be HTML. Now getting rid of those expectations might be possible, but I suspect some of it is a bit complicated.

Finding the actual messages (see i18n/en.json) that have this problem should be the first step:
I think that none of the -description ones, actually require HTML (though there are ones with html entities in it that need to be re-encoded/rewritten).

The true purpose is probably the -result messages, which seem to give language specific preview renderings of wikicode syntax. These will need to be separated in the wikieditor logic and be handled separately from the -description and -syntax message. In theory you could replace them with HTML templates and then make those translatable. a bit more work than most cases of these raw html issues.

Fomafix added a comment.Jan 26 2018, 2:24 PM

htmlMsg and textMsg have the same behavior and outputs the raw system message. From security point of view it does not matter if one, some or all messages allow to inject JavaScript code.

xSavitar added a comment.Jan 26 2018, 2:34 PM

@Fomafix, I see that this method defintion wraps the messages in the appropriate message API functions so as not to use raw html messages. Maybe what you are saying is different from this? Or is it related?

xSavitar moved this task from Tasks in progress (Doing) to New Contributor's Tasks (Incoming) on the Africa-Wikimedia-Developers board.Jan 27 2018, 5:37 PM
xSavitar removed projects: MW-1.31-release-notes (WMF-deploy-2018-02-06 (1.31.0-wmf.20)), Patch-For-Review.Jan 27 2018, 5:45 PM
Fomafix added a comment.Jan 27 2018, 5:49 PM

autoMsg does not specify if the output contains safe HTML or if the output contains raw text that has to be HTML encoded. It is used for both ways.

PeterBowman subscribed.Feb 10 2018, 7:35 PM
gerritbot added a comment.Sep 6 2018, 12:25 AM

Change 458307 had a related patch set uploaded (by Brian Wolff; owner: Jforrester):
[mediawiki/extensions/WikiEditor@master] Fork autoMsg() with escaped autoSafeMsg(), replace where appropriate

https://gerrit.wikimedia.org/r/458307

gerritbot added a project: Patch-For-Review.Sep 6 2018, 12:25 AM
xSavitar removed a project: Africa-Wikimedia-Developers.Sep 30 2018, 3:56 PM
gerritbot added a comment.Oct 12 2018, 6:27 PM

Change 458307 merged by jenkins-bot:
[mediawiki/extensions/WikiEditor@master] Fork autoMsg() with escaped autoSafeMsg(), replace where appropriate

https://gerrit.wikimedia.org/r/458307

Tgr closed this task as Resolved.Oct 12 2018, 6:31 PM
Tgr assigned this task to Jdforrester-WMF.
ReleaseTaggerBot added a project: MW-1.32-notes (WMF-deploy-2018-10-16 (1.32.0-wmf.26)).Oct 12 2018, 7:00 PM
happy5214 moved this task from Backlog to Closed on the WikiEditor board.Aug 4 2019, 11:35 AM
Maintenance_bot removed a project: Patch-For-Review.Aug 4 2019, 12:12 PM
Ricordisamoa subscribed.Feb 5 2020, 6:15 PM
gerritbot added a comment.Jun 29 2023, 11:11 PM

Change 934416 had a related patch set uploaded (by Jon Harald Søby; author: Jon Harald Søby):

[mediawiki/extensions/WikiEditor@master] Stop using autoMsg and use mw.messages directly instead

https://gerrit.wikimedia.org/r/934416

gerritbot added a project: Patch-For-Review.Jun 29 2023, 11:11 PM
jhsoby reopened this task as Open.Jun 29 2023, 11:12 PM
jhsoby subscribed.

I have uploaded a patch to try to fix the root cause of this by replacing all occurences of the autoMsg function with direct uses of mw.message instead. Hopefully the autoMsg and autoSafeMsg functions can be removed altogether in a follow-up patch.

gerritbot added a comment.Jun 29 2023, 11:17 PM

Change 934421 had a related patch set uploaded (by Jon Harald Søby; author: Jon Harald Søby):

[mediawiki/extensions/Cite@master] Remove use of autoMsg in favour of using mw.message directly

https://gerrit.wikimedia.org/r/934421

gerritbot added a comment.Jun 30 2023, 4:39 PM

Change 934421 merged by jenkins-bot:

[mediawiki/extensions/Cite@master] Remove use of autoMsg in favour of using mw.message directly

https://gerrit.wikimedia.org/r/934421

ReleaseTaggerBot added a project: MW-1.41-notes (1.41.0-wmf.16; 2023-07-04).Jun 30 2023, 5:00 PM
gerritbot added a comment.Jun 30 2023, 6:40 PM

Change 934598 had a related patch set uploaded (by Jon Harald Søby; author: Jon Harald Søby):

[mediawiki/extensions/CodeEditor@master] Remove use of autoMsg in favour of using mw.message directly

https://gerrit.wikimedia.org/r/934598

gerritbot added a comment.Jun 30 2023, 7:00 PM

Change 934599 had a related patch set uploaded (by Jon Harald Søby; author: Jon Harald Søby):

[mediawiki/extensions/ProofreadPage@master] Remove reliance on WikiEditor's autoMsg function

https://gerrit.wikimedia.org/r/934599

gerritbot added a comment.Jun 30 2023, 7:05 PM

Change 934600 had a related patch set uploaded (by Jon Harald Søby; author: Jon Harald Søby):

[mediawiki/extensions/SVGEdit@master] Remove reliance on WikiEditor's autoMsg function

https://gerrit.wikimedia.org/r/934600

gerritbot added a comment.Jun 30 2023, 7:12 PM

Change 934601 had a related patch set uploaded (by Jon Harald Søby; author: Jon Harald Søby):

[mediawiki/extensions/TemplateWizard@master] Remove reliance on WikiEditor's autoMsg function

https://gerrit.wikimedia.org/r/934601

jhsoby moved this task from Closed to Doing on the WikiEditor board.Jun 30 2023, 7:13 PM
gerritbot added a comment.Jul 1 2023, 3:52 AM

Change 934599 merged by jenkins-bot:

[mediawiki/extensions/ProofreadPage@master] Remove reliance on WikiEditor's autoMsg function

https://gerrit.wikimedia.org/r/934599

matmarex subscribed.Jul 4 2023, 11:03 PM
gerritbot added a comment.Jul 4 2023, 11:03 PM

Change 934601 merged by jenkins-bot:

[mediawiki/extensions/TemplateWizard@master] Remove reliance on WikiEditor's autoMsg function

https://gerrit.wikimedia.org/r/934601

gerritbot added a comment.Jul 4 2023, 11:03 PM

Change 934600 merged by jenkins-bot:

[mediawiki/extensions/SVGEdit@master] Remove reliance on WikiEditor's autoMsg function

https://gerrit.wikimedia.org/r/934600

ReleaseTaggerBot edited projects, added MW-1.41-notes (1.41.0-wmf.17; 2023-07-11); removed MW-1.41-notes (1.41.0-wmf.16; 2023-07-04).Jul 5 2023, 1:00 AM
gerritbot added a comment.Jul 5 2023, 3:17 PM

Change 934598 merged by jenkins-bot:

[mediawiki/extensions/CodeEditor@master] Remove use of autoMsg in favour of using mw.message directly

https://gerrit.wikimedia.org/r/934598

gerritbot added a comment.Jul 6 2023, 4:16 PM

Change 934416 merged by jenkins-bot:

[mediawiki/extensions/WikiEditor@master] Stop using autoMsg and use mw.messages directly instead

https://gerrit.wikimedia.org/r/934416

Maintenance_bot removed a project: Patch-For-Review.Jul 6 2023, 4:31 PM
matmarex closed this task as Resolved.Jul 6 2023, 5:37 PM
matmarex reassigned this task from Jdforrester-WMF to jhsoby.
matmarex added a subscriber: Jdforrester-WMF.

Resolved for the third time. This solution is more thorough, and hopefully it's the last one for this task. ;)

happy5214 moved this task from Doing to Closed on the WikiEditor board.Jul 31 2023, 9:53 PM
jhsoby mentioned this in T353393: Request to add jhsoby to WMF-NDA group.Dec 13 2023, 10:45 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL