Page MenuHomePhabricator
Create Task
Maniphest T17654

EditFilter hook for preview
Open, LowPublicFeature
Actions

Description

Author: eisenstein

Description:
It would be enormously helpful to have the EditFilter hook called when rendering a preview. It should not be possible to preview a page with content that will be rejected on save. This can help prevent remote exploits. Additionally, several page security extensions are vulnerable to someone inserting a transclusion to a protected page -- this can be prevented using an EditFilter hook, but it seems no such hook is available for previewing. This would take care of that with a simple change.

Version: 1.13.x
Severity: normal

Details

Reference
bz15654

Event Timeline

bzimport raised the priority of this task from to Low.Nov 21 2014, 10:17 PM
bzimport added a project: MediaWiki-Page-editing.
bzimport set Reference to bz15654.
bzimport added a subscriber: Unknown Object (MLST).
bzimport created this task.Sep 20 2008, 7:39 AM
bzimport added a comment.Sep 22 2008, 1:44 AM

eisenstein wrote:

I was able to get all the functionality I needed by adding the hook in EditPage::getPreviewText(), right before it sets up the text to parse. This lets me edit text (for instance, to sanitize input) before previewing. If this is not the best way to get this functionality, something else to get something similar would be very much appreciated.

                if ( $this->isCssJsSubpage ) {
                        if(preg_match("/\\.css$/", $this->mTitle->getText() ) ) {
                                $previewtext = wfMsg('usercsspreview');
                        } else if(preg_match("/\\.js$/", $this->mTitle->getText() ) ) {
                                $previewtext = wfMsg('userjspreview');
                        }
                        $parserOptions->setTidy(true);
                        $parserOutput = $wgParser->parse( $previewtext , $this->mTitle, $parserOptions );
                        $wgOut->addHTML( $parserOutput->mText );
                        $previewHTML = '';
                } else {
                       
		 # Preview Protection change here
                        wfRunHooks( 'EditFilter', array( $this, $this->textbox1, $this->section, &$this->hookError, $this->summary ) );

                        $toparse = $this->textbox1;

                        # If we're adding a comment, we need to show the
                        # summary as the headline
                        if($this->section=="new" && $this->summary!="") {
                                $toparse="== {$this->summary} ==\n\n".$toparse;
                        }

                        if ( $this->mMetaData != "" ) $toparse .= "\n" . $this->mMetaData;
Aklapper added a comment.Aug 1 2014, 9:07 PM

(In reply to Jonathan Eisenstein from comment #1)

I was able to get all the functionality I needed by adding the hook in
EditPage::getPreviewText(), right before it sets up the text to parse.

Hi Jonathan! Sorry that nobody has taken a look at this report yet and given feedback.
If you feel like turning your code improvement into a patch, you are welcome to use Developer access

https://www.mediawiki.org/wiki/Developer_access

to submit this as a Git branch directly into Gerrit:

https://www.mediawiki.org/wiki/Git/Tutorial

Putting your branch in Git makes it easier to review it quickly. If you don't want to set up Git/Gerrit, you can also use https://tools.wmflabs.org/gerrit-patch-uploader/

DannyS712 added a project: AbuseFilter.Jun 5 2020, 11:53 AM
Aklapper changed the subtype of this task from "Task" to "Feature Request".Feb 15 2022, 10:29 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL