
EditFilter hook for preview
Open, Low, Public

Description

Author: eisenstein

Description:
It would be enormously helpful to have the EditFilter hook called when rendering a preview. It should not be possible to preview a page with content that will be rejected on save. This can help prevent remote exploits. Additionally, several page security extensions are vulnerable to someone inserting a transclusion to a protected page -- this can be prevented using an EditFilter hook, but it seems no such hook is available for previewing. This would take care of that with a simple change.


Version: 1.13.x
Severity: normal

Details

Reference
bz15654

Event Timeline

bzimport raised the priority of this task from to Low. Nov 21 2014, 10:17 PM
bzimport set Reference to bz15654.
bzimport added a subscriber: Unknown Object (MLST).

eisenstein wrote:

I was able to get all the functionality I needed by adding the hook in EditPage::getPreviewText(), right before it sets up the text to parse. This lets me edit text (for instance, to sanitize input) before previewing. If this is not the best way to get this functionality, something else to get something similar would be very much appreciated.

                if ( $this->isCssJsSubpage ) {
                        if(preg_match("/\\.css$/", $this->mTitle->getText() ) ) {
                                $previewtext = wfMsg('usercsspreview');
                        } else if(preg_match("/\\.js$/", $this->mTitle->getText() ) ) {
                                $previewtext = wfMsg('userjspreview');
                        }
                        $parserOptions->setTidy(true);
                        $parserOutput = $wgParser->parse( $previewtext , $this->mTitle, $parserOptions );
                        $wgOut->addHTML( $parserOutput->mText );
                        $previewHTML = '';
                } else {
                        # Preview Protection change here
                        wfRunHooks( 'EditFilter', array( $this, $this->textbox1, $this->section, &$this->hookError, $this->summary ) );

                        $toparse = $this->textbox1;

                        # If we're adding a comment, we need to show the
                        # summary as the headline
                        if($this->section=="new" && $this->summary!="") {
                                $toparse="== {$this->summary} ==\n\n".$toparse;
                        }

                        if ( $this->mMetaData != "" ) $toparse .= "\n" . $this->mMetaData;
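
An added illustration, not part of this task and not MediaWiki or extension code: a sketch of the kind of EditFilter handler the description has in mind. It neutralizes transclusions of restricted pages in `$editor->textbox1`, so that with the hook call placed in getPreviewText() as in the comment above, the preview parses the sanitized text. `$wgRestrictedTitles`, the function names and the stub editor object are assumptions.

```php
<?php
// Added example: not MediaWiki or extension code. $wgRestrictedTitles, the
// function names and the stub editor object are assumptions for illustration.
$wgRestrictedTitles = array( 'Secret:Plans', 'Template:Internal notice' );

// Turn the text after "{{" into a comparable title, or null when it is a
// parser function. Bare names live in Template:, a leading colon overrides.
function normalizeTarget( $raw ) {
    $t = trim( str_replace( '_', ' ', $raw ) );
    $t = trim( preg_replace( '/^((subst|safesubst|msgnw|msg|raw)\s*:\s*)+/i', '', $t ) );
    if ( $t === '' || $t[0] === '#' ) {
        return null;
    }
    $explicit = ( $t[0] === ':' );
    $parts = array_map( 'trim', explode( ':', ltrim( $t, ': ' ), 2 ) );
    if ( count( $parts ) === 1 && !$explicit ) {
        array_unshift( $parts, 'Template' );
    }
    return implode( ':', array_map( 'ucfirst', $parts ) );
}

// Handler with the argument list the page passes to wfRunHooks( 'EditFilter' ).
// Limitation: computed targets such as {{ {{x}} }} are not resolved by this scan.
function onEditFilterBlockRestricted( $editor, $text, $section, &$error, $summary ) {
    global $wgRestrictedTitles;
    $hits = array();
    $clean = preg_replace_callback( '/\{\{([^{}|]+)(?=[|}])/',
        function ( $m ) use ( &$hits, $wgRestrictedTitles ) {
            $title = normalizeTarget( $m[1] );
            if ( $title === null || !in_array( $title, $wgRestrictedTitles, true ) ) {
                return $m[0];
            }
            $hits[] = $title;
            return '<nowiki>{{</nowiki>' . $m[1];   // shown literally, never expanded
        }, $text );
    if ( $hits ) {
        $editor->textbox1 = $clean;   // the preview code on the page parses this next
        $error = 'Transclusion of restricted pages is not allowed: '
            . implode( ', ', array_unique( $hits ) );
    }
    return true;
}

// Constructed sample input and a stub standing in for the EditPage object.
$editor = (object)array( 'textbox1' => "Intro {{ :secret:plans }} and {{Infobox|a=1}} {{#if: x | y }}" );
$error = '';
onEditFilterBlockRestricted( $editor, $editor->textbox1, '', $error, '' );
echo $editor->textbox1, "\n", $error, "\n";
```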

(In reply to Jonathan Eisenstein from comment #1)

> I was able to get all the functionality I needed by adding the hook in
> EditPage::getPreviewText(), right before it sets up the text to parse.

Hi Jonathan! Sorry that nobody has taken a look at this report yet and given feedback.
If you feel like turning your code improvement into a patch, you are welcome to use Developer access

https://www.mediawiki.org/wiki/Developer_access

to submit this as a Git branch directly into Gerrit:

https://www.mediawiki.org/wiki/Git/Tutorial

Putting your branch in Git makes it easier to review it quickly. If you don't want to set up Git/Gerrit, you can also use https://tools.wmflabs.org/gerrit-patch-uploader/