
EditPage: Strange "previewonfirst-rawhtml-data-loss-warning"
Closed, Resolved · Public

Description

I've observed a strange behavior of the EditPage. When $wgRawHtml = true and a user has the option previewonfirst ("Preferences > Editing > Preview > Show preview on first edit") enabled, the wiki displays the session_fail_preview_html message when the user navigates to action=edit. This is due to the logic in [1]. I've examined the program flow and come to the conclusion that in the described scenario $this->mTokenOk can never be true, as no one ever calls $this->tokenOk( $request ). Even if the method were called, no wpEditToken would be available in the request, as it is just an initial call to action=edit.

It occurred in a current REL1_27 code base, but logic in HEAD seems not to be very different, so the issue might still be there.

[1] https://github.com/wikimedia/mediawiki/blob/fd6e9ef2d481209b01fa6e1bb1c863b8257f0272/includes/EditPage.php#L3820

Event Timeline

Osnard created this task. Aug 2 2017, 8:19 AM
Restricted Application added a subscriber: Aklapper. Aug 2 2017, 8:19 AM
Legoktm claimed this task. Sep 23 2017, 9:07 PM
Legoktm added a subscriber: Legoktm.

The best solution here is to just disable preview on open if $wgRawHtml is enabled. The request has to be posted with a token to avoid XSS issues.

Change 380057 had a related patch set uploaded (by Legoktm; owner: Legoktm):
[mediawiki/core@master] EditPage: Disable preview on open if $wgRawHtml is enabled

https://gerrit.wikimedia.org/r/380057

Change 380057 merged by jenkins-bot:
[mediawiki/core@master] EditPage: Disable preview on open if $wgRawHtml is enabled

https://gerrit.wikimedia.org/r/380057

Jdforrester-WMF closed this task as Resolved. Sep 25 2017, 3:11 PM
Jdforrester-WMF removed a project: Patch-For-Review.
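
The gating discussed in this task, as an added example (not MediaWiki code and not part of the original task): a self-contained PHP model of why a raw-HTML preview on the initial action=edit request was always refused, and what disabling preview on open changes. The function names, array keys and the $fixed switch are hypothetical; a POST is assumed to be a preview submission.

```php
<?php
// Added illustration, not MediaWiki code. Function names, array keys and the
// $fixed switch are hypothetical; wpEditToken and previewonfirst are from the task.

// Constant-time comparison of the posted token with the session's token.
function tokenOk( array $session, array $post ): bool {
    return isset( $session['editToken'], $post['wpEditToken'] )
        && is_string( $post['wpEditToken'] )
        && hash_equals( $session['editToken'], $post['wpEditToken'] );
}

// Returns 'none' (no preview), 'render', or 'refuse' (raw HTML preview withheld).
function previewDecision( bool $rawHtml, bool $previewOnFirst, string $method,
    array $session, array $post, bool $fixed ): string {
    if ( $method === 'GET' ) {
        // Initial action=edit: a preview happens only via previewonfirst.
        // The fixed behaviour skips it entirely when raw HTML is enabled.
        if ( !$previewOnFirst || ( $fixed && $rawHtml ) ) {
            return 'none';
        }
    }
    // With raw HTML, previewed text can carry script, so it is rendered only
    // for a request that carries the session's edit token.
    if ( $rawHtml && !tokenOk( $session, $post ) ) {
        return 'refuse';
    }
    return 'render';
}

// Constructed sample requests: [ rawHtml, previewonfirst, method, POST data, fixed ].
$session = [ 'editToken' => bin2hex( random_bytes( 16 ) ) ];
$valid = [ 'wpEditToken' => $session['editToken'] ];
$cases = [
    'GET, previewonfirst, before fix' => [ true, true, 'GET', [], false ],
    'GET, previewonfirst, after fix'  => [ true, true, 'GET', [], true ],
    'POST, valid token'               => [ true, false, 'POST', $valid, true ],
    'POST, wrong token'               => [ true, false, 'POST', [ 'wpEditToken' => 'guess' ], true ],
    'GET, raw HTML off'               => [ false, true, 'GET', [], true ],
];
$expected = [ 'refuse', 'none', 'render', 'refuse', 'render' ];
$i = 0;
foreach ( $cases as $label => [ $raw, $pof, $method, $post, $fixed ] ) {
    $got = previewDecision( $raw, $pof, $method, $session, $post, $fixed );
    if ( $got !== $expected[$i++] ) {
        throw new RuntimeException( "unexpected result for: $label" );
    }
    printf( "%-34s => %s\n", $label, $got );
}
```

The first case corresponds to the reported behaviour: a GET can never carry wpEditToken, so the preview is always refused. The second corresponds to the merged change, where no preview is attempted on open.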