Page MenuHomePhabricator
Create Task
Maniphest T172251

EditPage: Strange "previewonfirst-rawhtml-data-loss-warning"
Closed, ResolvedPublic
Actions

Description

I've observed a strange behavior of the EditPage. When $wgRawHtml = true and a user has the option previewonfirst ("Preferences > Editing > Preview > Show preview on first edit") enabled, the wiki displays the session_fail_preview_html message when the user navigates to action=edit. This is due to the logic in [1]. I've examined the program flow and came to the conclusion that in the described scenario $this->mTokenOk can never be true, as no one ever calls $this->tokenOk( $request ). Even if the method would be called no wpEditToken would be available in the request, as it is just a initial call to action=edit.

It occurred in a current REL1_27 code base, but logic in HEAD seems not to be very different, so the issue might still be there.

[1] https://github.com/wikimedia/mediawiki/blob/fd6e9ef2d481209b01fa6e1bb1c863b8257f0272/includes/EditPage.php#L3820

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
EditPage: Disable preview on open if $wgRawHtml is enabledmediawiki/coremaster+8 -1
Customize query in gerrit

Event Timeline

Osnard created this task.Aug 2 2017, 8:19 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 2 2017, 8:19 AM
Aklapper added a project: MediaWiki-Page-editing.Aug 2 2017, 12:07 PM
Legoktm claimed this task.Sep 23 2017, 9:07 PM
Legoktm subscribed.

The best solution here is to just disable preview on open if $wgRawHtml is enabled. The request has to be posted with a token to avoid XSS issues.

gerritbot subscribed.Sep 23 2017, 9:07 PM

Change 380057 had a related patch set uploaded (by Legoktm; owner: Legoktm):
[mediawiki/core@master] EditPage: Disable preview on open if $wgRawHtml is enabled

https://gerrit.wikimedia.org/r/380057

gerritbot added a project: Patch-For-Review.Sep 23 2017, 9:08 PM
gerritbot added a comment.Sep 25 2017, 3:07 PM

Change 380057 merged by jenkins-bot:
[mediawiki/core@master] EditPage: Disable preview on open if $wgRawHtml is enabled

https://gerrit.wikimedia.org/r/380057

Jdforrester-WMF closed this task as Resolved.Sep 25 2017, 3:11 PM
Jdforrester-WMF removed a project: Patch-For-Review.
ReleaseTaggerBot added a project: MW-1.31-release-notes (WMF-deploy-2017-09-26 (1.31.0-wmf.1)).Sep 25 2017, 4:00 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits