Not a big deal, but several of the wikieditor-toolbar- (E.g. wikieditor-toolbar-group-format, wikieditor-toolbar-help-heading-description, etc) group of messages are used as raw html. Since this is unnecessary, it would be nice if we could change this to not treat the messages as raw html.
Related Objects
- Mentioned In
- T353393: Request to add jhsoby to WMF-NDA group
Event Timeline
Hey, I'd be interested in working on this since this *should* be easy. Do you mean in the i18n file?
Change 331334 had a related patch set uploaded (by DatGuy):
Convert raw html messages to normal messages
Change 331334 abandoned by DatGuy:
Convert raw html messages to normal messages
Reason:
After rereviewing this, I believe this is too difficult for me and I do not have the time. Thanks anyways.
Change 405729 had a related patch set uploaded (by D3r1ck01; owner: Alangi Derick):
[mediawiki/extensions/WikiEditor@master] Add support for use of JavaScript Messages API
Change 405729 merged by jenkins-bot:
[mediawiki/extensions/WikiEditor@master] Escape messages appropriately and not use raw html
Reopened. There are still some system messages that allow HTML and JavaScript injections for users with rights to edit the system messages. For example the message wikieditor-toolbar-help-heading-description.
@Fomafix, maybe you could shed more light on this? Maybe an example? I can work on this but will need to understand what you mean. Also, if possible, can you update the task description?
Steps to reproduce:
- Open index.php?title=MediaWiki:Wikieditor-toolbar-help-heading-description&action=edit with a user who has the rights to edit this system message.
- Insert <i onmouseover="alert('JS injection')">Description</i>.
- Maybe clear any caches (Shift+Ctrl+R).
- Hover over the Description in the Help menu.
Note that this is likely partially intentional. The dialog config specifically uses the key: "htmlMsg" for these descriptions. That means that likely in some conditions it is expected to actually be HTML. Now getting rid of those expectations might be possible, but I suspect some of it is a bit complicated.
Finding the actual messages (see i18n/en.json) that have this problem should be the first step:
I think that none of the -description ones actually require HTML (though there are ones with HTML entities in them that need to be re-encoded/rewritten).
The true purpose is probably the -result messages, which seem to give language-specific preview renderings of wikicode syntax. These will need to be separated in the wikieditor logic and be handled separately from the -description and -syntax messages. In theory you could replace them with HTML templates and then make those translatable. A bit more work than most cases of these raw html issues.
htmlMsg and textMsg have the same behavior and output the raw system message. From a security point of view it does not matter if one, some or all messages allow injecting JavaScript code.
@Fomafix, I see that this method definition wraps the messages in the appropriate message API functions so as not to use raw html messages. Maybe what you are saying is different from this? Or is it related?
autoMsg does not specify if the output contains safe HTML or if the output contains raw text that has to be HTML encoded. It is used for both ways.
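As an added example (not WikiEditor's code and not any of the linked patches), the raw-versus-escaped distinction the comments above describe: `mw` below is a constructed stand-in for the slice of MediaWiki's mw.message API used here (`.plain()` and `.escaped()` carry the same meaning in the real API), and the message texts are constructed samples.

```javascript
// Constructed i18n table. The last entry stands for the system message after
// someone with the right to edit MediaWiki: pages has put markup into it.
const i18n = {
  'wikieditor-toolbar-group-format': 'Format',
  'wikieditor-toolbar-help-content-bold-syntax': "'''Bold text'''",
  'wikieditor-toolbar-help-heading-description':
    '<i onmouseover="alert(\'JS injection\')">Description</i>'
};

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' }[c]));
}

// Stand-in for mw.message(): unknown keys render as ⧼key⧽ like MediaWiki does.
const mw = {
  message: (key) => {
    const raw = Object.prototype.hasOwnProperty.call(i18n, key) ? i18n[key] : '⧼' + key + '⧽';
    return { plain: () => raw, escaped: () => escapeHtml(raw) };
  }
};

// Before: autoMsg() resolved either <prop>Msg or <prop> and returned the text
// unchanged, so whatever the message contained became live markup once the
// dialog concatenated it into HTML. Same behaviour for htmlMsg and textMsg.
function autoMsg(config, prop) {
  const key = config[prop + 'Msg'];
  return key !== undefined ? mw.message(key).plain() : (config[prop] || '');
}

// After: a caller that only wants text escapes the message before it is
// concatenated (what an escaped autoSafeMsg() fork does, and what calling
// mw.message(key).escaped() directly does).
function autoSafeMsg(config, prop) {
  const key = config[prop + 'Msg'];
  return key !== undefined ? mw.message(key).escaped() : escapeHtml(config[prop] || '');
}

// Builds one row of the help table from a dialog config entry.
function renderHelpRow(config, msgFn) {
  return '<tr><td>' + msgFn(config, 'description') + '</td></tr>';
}

// Audit helper: which messages would render differently once escaped? Those
// are the ones to inspect (genuine HTML vs. apostrophes/entities to re-encode).
function messagesChangedByEscaping(table) {
  return Object.keys(table).filter((k) => escapeHtml(table[k]) !== table[k]);
}
```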
Change 458307 had a related patch set uploaded (by Brian Wolff; owner: Jforrester):
[mediawiki/extensions/WikiEditor@master] Fork autoMsg() with escaped autoSafeMsg(), replace where appropriate
Change 458307 merged by jenkins-bot:
[mediawiki/extensions/WikiEditor@master] Fork autoMsg() with escaped autoSafeMsg(), replace where appropriate
Change 934416 had a related patch set uploaded (by Jon Harald Søby; author: Jon Harald Søby):
[mediawiki/extensions/WikiEditor@master] Stop using autoMsg and use mw.messages directly instead
I have uploaded a patch to try to fix the root cause of this by replacing all occurrences of the autoMsg function with direct uses of mw.message instead. Hopefully the autoMsg and autoSafeMsg functions can be removed altogether in a follow-up patch.
Change 934421 had a related patch set uploaded (by Jon Harald Søby; author: Jon Harald Søby):
[mediawiki/extensions/Cite@master] Remove use of autoMsg in favour of using mw.message directly
Change 934421 merged by jenkins-bot:
[mediawiki/extensions/Cite@master] Remove use of autoMsg in favour of using mw.message directly
Change 934598 had a related patch set uploaded (by Jon Harald Søby; author: Jon Harald Søby):
[mediawiki/extensions/CodeEditor@master] Remove use of autoMsg in favour of using mw.message directly
Change 934599 had a related patch set uploaded (by Jon Harald Søby; author: Jon Harald Søby):
[mediawiki/extensions/ProofreadPage@master] Remove reliance on WikiEditor's autoMsg function
Change 934600 had a related patch set uploaded (by Jon Harald Søby; author: Jon Harald Søby):
[mediawiki/extensions/SVGEdit@master] Remove reliance on WikiEditor's autoMsg function
Change 934601 had a related patch set uploaded (by Jon Harald Søby; author: Jon Harald Søby):
[mediawiki/extensions/TemplateWizard@master] Remove reliance on WikiEditor's autoMsg function
Change 934599 merged by jenkins-bot:
[mediawiki/extensions/ProofreadPage@master] Remove reliance on WikiEditor's autoMsg function
Change 934601 merged by jenkins-bot:
[mediawiki/extensions/TemplateWizard@master] Remove reliance on WikiEditor's autoMsg function
Change 934600 merged by jenkins-bot:
[mediawiki/extensions/SVGEdit@master] Remove reliance on WikiEditor's autoMsg function
Change 934598 merged by jenkins-bot:
[mediawiki/extensions/CodeEditor@master] Remove use of autoMsg in favour of using mw.message directly
Change 934416 merged by jenkins-bot:
[mediawiki/extensions/WikiEditor@master] Stop using autoMsg and use mw.messages directly instead
Resolved for the third time. This solution is more thorough, and hopefully it's the last one for this task. ;)