Page MenuHomePhabricator
Create Task
Maniphest T155216

Wikimarkup is shown as raw text instead of html on marker click for externaldata page
Closed, ResolvedPublic
Actions

Description

https://www.mediawiki.org/wiki/User:Yurik/Bug155216

<mapframe width=500 height=500 latitude=-34 longitude=151 zoom=12>
[{
  "type": "ExternalData",
  "service": "page",
  "title": "Sandbox/Gareth/T7 Olympic Park Line.map"
},
{
  "type": "ExternalData",
  "service": "page",
  "title": "Sandbox/Gareth/T6 Carlingford Line.map"
}]
</mapframe>

Details

SubjectRepoBranchLines +/-
SECURITY: fix XSS in map feature title/descriptionmediawiki/extensions/JsonConfigwmf/1.29.0-wmf.21+40 -3
SECURITY: fix XSS in map feature title/description via tabular datamediawiki/extensions/Kartographerwmf/1.29.0-wmf.21+48 -11
SECURITY: fix XSS in map feature title/description via tabular datamediawiki/extensions/Kartographermaster+48 -11
SECURITY: fix XSS in map feature title/description via tabular datamediawiki/extensions/KartographerREL1_29+48 -11
SECURITY: fix XSS in map feature title/descriptionmediawiki/extensions/JsonConfigREL1_29+40 -3
SECURITY: fix XSS in map feature title/descriptionmediawiki/extensions/JsonConfigmaster+40 -3
Customize query in gerrit

Related Objects
Search...

Event Timeline

Yurik created this task.Jan 13 2017, 8:24 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 13 2017, 8:24 AM
Yurik updated the task description. (Show Details)Jan 13 2017, 8:27 AM

pasted_file (430×634 px, 285 KB)

Yurik mentioned this in T155601: Stabilizing Interactive Products.Jan 18 2017, 1:52 AM
Yurik added a parent task: T155601: Stabilizing Interactive Products.Jan 18 2017, 1:56 AM
Deskana subscribed.Jan 23 2017, 10:30 PM

Identified as a "must have" in T155601: Stabilizing Interactive Products.

Deskana moved this task from Backlog to To-do on the Maps-Sprint board.Jan 23 2017, 10:51 PM
MaxSem claimed this task.Feb 15 2017, 11:22 PM
MaxSem moved this task from To-do to In progress on the Maps-Sprint board.
MaxSem subscribed.

Question: on which wiki should the wikitext be parsed? Links point to different pages on different wikis, and in Yuri's example some links that attempt to work this around by setting an explicit interwiki prefix might be just rendered as bold text without any linking, depending on which wiki is local: c: on Commons, w: on Wikipedia.

Deskana added a comment.Feb 17 2017, 7:11 PM

tl;dr: Parse the wikitect on Commons.

Here's my full thinking and rationale.

Tabular datasets allow the messages to be localised. So, you could have a message in French which is automatically shown on French sites, an English description which is automatically shown on English sites, and so on. The difficulty is, how wikitext is parsed is dependent on the wiki that the wikitext is parsed on even if the language is the same; the French Wikipedia might have radically different output from the French Wiktionary, for example. Basically, when trying to locally parse this wikitext, all bets are off; this could cause wild and unpredictable behaviour no matter which way you try to do it.

Given the above, we need to parse the wikitext centrally. This causes the output to be the most consistent and most predictable. This would obviously still allow different messages for different languages. Some additional care would have to be taken by users when writing their descriptions so that they make sense on all wikis.

MaxSem mentioned this in T163166: XSS in object descriptions from tabular data.Apr 17 2017, 11:17 PM
gerritbot subscribed.May 2 2017, 9:44 PM

Change 351522 had a related patch set uploaded (by MaxSem; owner: MaxSem):
[mediawiki/extensions/Kartographer@master] SECURITY: fix XSS in map feature title/description via tabular data

https://gerrit.wikimedia.org/r/351522

gerritbot added a project: Patch-For-Review.May 2 2017, 9:44 PM

Change 351523 had a related patch set uploaded (by MaxSem; owner: MaxSem):
[mediawiki/extensions/JsonConfig@master] SECURITY: fix XSS in map feature title/description

https://gerrit.wikimedia.org/r/351523

gerritbot added a comment.May 2 2017, 9:59 PM

Change 351523 merged by jenkins-bot:
[mediawiki/extensions/JsonConfig@master] SECURITY: fix XSS in map feature title/description

https://gerrit.wikimedia.org/r/351523

ReleaseTaggerBot added a project: MW-1.30-release-notes (WMF-deploy-2017-05-09_(1.30.0-wmf.1)).May 2 2017, 10:00 PM
gerritbot added a comment.May 2 2017, 10:11 PM

Change 351522 merged by jenkins-bot:
[mediawiki/extensions/Kartographer@master] SECURITY: fix XSS in map feature title/description via tabular data

https://gerrit.wikimedia.org/r/351522

gerritbot added a comment.May 2 2017, 10:35 PM

Change 351536 had a related patch set uploaded (by MaxSem; owner: MaxSem):
[mediawiki/extensions/JsonConfig@REL1_29] SECURITY: fix XSS in map feature title/description

https://gerrit.wikimedia.org/r/351536

gerritbot added a comment.May 2 2017, 10:36 PM

Change 351538 had a related patch set uploaded (by MaxSem; owner: MaxSem):
[mediawiki/extensions/Kartographer@REL1_29] SECURITY: fix XSS in map feature title/description via tabular data

https://gerrit.wikimedia.org/r/351538

gerritbot added a comment.May 2 2017, 10:45 PM

Change 351536 merged by jenkins-bot:
[mediawiki/extensions/JsonConfig@REL1_29] SECURITY: fix XSS in map feature title/description

https://gerrit.wikimedia.org/r/351536

gerritbot added a comment.May 2 2017, 10:45 PM

Change 351538 merged by jenkins-bot:
[mediawiki/extensions/Kartographer@REL1_29] SECURITY: fix XSS in map feature title/description via tabular data

https://gerrit.wikimedia.org/r/351538

gerritbot added a comment.May 4 2017, 6:28 PM

Change 351916 had a related patch set uploaded (by MaxSem; owner: MaxSem):
[mediawiki/extensions/Kartographer@wmf/1.29.0-wmf.21] SECURITY: fix XSS in map feature title/description via tabular data

https://gerrit.wikimedia.org/r/351916

gerritbot added a comment.May 4 2017, 6:31 PM

Change 351916 merged by jenkins-bot:
[mediawiki/extensions/Kartographer@wmf/1.29.0-wmf.21] SECURITY: fix XSS in map feature title/description via tabular data

https://gerrit.wikimedia.org/r/351916

gerritbot added a comment.May 4 2017, 6:36 PM

Change 351919 had a related patch set uploaded (by MaxSem; owner: MaxSem):
[mediawiki/extensions/JsonConfig@wmf/1.29.0-wmf.21] SECURITY: fix XSS in map feature title/description

https://gerrit.wikimedia.org/r/351919

gerritbot added a comment.May 4 2017, 6:54 PM

Change 351919 merged by jenkins-bot:
[mediawiki/extensions/JsonConfig@wmf/1.29.0-wmf.21] SECURITY: fix XSS in map feature title/description

https://gerrit.wikimedia.org/r/351919

ReleaseTaggerBot added a project: MW-1.29-release (WMF-deploy-2017-04-25_(1.29.0-wmf.21)).May 4 2017, 7:00 PM
MaxSem moved this task from In progress to Needs review on the Maps-Sprint board.May 5 2017, 11:32 PM
gerritbot added a comment.May 6 2017, 11:44 AM

Change 352285 had a related patch set uploaded (by Gergő Tisza; owner: MaxSem):
[mediawiki/extensions/JsonConfig@master] Parse map data on central wiki

https://gerrit.wikimedia.org/r/352285

Deskana added a subscriber: EBernhardson.May 9 2017, 7:25 PM

This bug is partially fixed. Due to the security fix above, the text is now parsed on client wikis. One can see that this is not what we decided to do above, but it was necessary as part of the security fixes.

The solution that @MaxSem proposed above for parsing on central wikis is not without its problems. Max is going to talk to @EBernhardson about this and get his opinion. We can decide what to do then.

Deskana closed this task as Resolved.May 20 2017, 1:54 PM

In the end, the temporary solution was good enough, so this is resolved.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL