Page MenuHomePhabricator
Create Task
Maniphest T183213

Page Forms review checklist
Open, Needs TriagePublic
Actions

Description

The following issues were found in Page Forms by @Bawolff earlier this year. I'm putting them all in one place for convenience.

  • "PF_CreateForm.js" line 4 - The other options ajax is totally broken on Special:CreateForm if the url has a #target fragment in it, like http://localhost:8080/wiki/Special:CreateForm#foo
  • Parts of this extension don't follow MW code style conventions. This doesn't really matter, and its totally reasonable for a third party developed extension to deviate from MW style conventions. However, if you want it consistent with current MW style conventions, you may want to consider enabling phpcs.
  • Some uses of global state seem to assume only one form related page will be parsed in a given request. This is probably true, but not considered a best practise assumption. It would be better to store such state in the Parser object probably.
  • "PF_FormUtils.php" line 233 cancelLinkHTML - Use of $wgTitle is strongly discouraged by modern MediaWiki conventions. The calling function should pass in a title instead.
  • "PF_FormUtils.php" line 235 cancelLinkHTML - It would probably be better to detect MSIE in javascript, since then there is no chance of cache pollution (In the context of a special page, there should be no caching, so its unlikely to be an issue, but client side detection where possible is better).
  • "PF_FormUtils.php" line 235 cancelLinkHTML - Its preferred in modern MediaWiki to not use Javascript: URLs for Javascript, but instead attach the javascript from a RL module. Javascript: urls would break if we ever manage to adopt Content-Security-Policy (In fairness, unlikely to happen any time soon).
  • "PF_Hooks.php" line 45 - Should use $wgExtensionAssetPath
  • "PF_ParserFunctions.php" line 155 - no guarantee that global state corresponds to right page, should be done via RL.
  • "PF_FormUtils.php" line 54 - maxlength=200. Most MW has moved to using jquery.byteLimit so that its exactly 255 UTF-8 bytes.
  • "PF_FormEdit.php" line 145 - $targetTitle might be null. e.g. Special:FormEdit?form=Foo&target=%20
  • Somewhere (not sure where) {{Special:RunQuery}} is calling the parser recurively when its being transcluded. You should use $wgParser->getFreshParser() in such situations to avoid UNIQ-... tags.
  • [Not clear on the impact] "PF_AutocompleteAPI.php" line 316 - $whereStr = "$baseCargoTable.$baseCargoField = \"$baseValue\""; - The lack of escaping $baseValue seems concerning here. My understanding is that its processed by Cargo as untrusted input so this doesn't represent a security issue, but nonetheless, this seems kind of sketchy.
  • "PF_CreatePageJob.php" line 44 - Should maybe use RequestContext::importScopedSession() instead.
  • "PageForms.js" line 1265 - async: false is bad...
  • Previewing direct from url (e.g. action=edit&preview=yes) a form page does not show the form.

Details

SubjectRepoBranchLines +/-
Fix CreateForm JS to work with '#' in URLmediawiki/extensions/PageFormsmaster+2 -3
Add trim of form and target name to Special:EditFormmediawiki/extensions/PageFormsmaster+3 -0
Simplify form "cancel" link, remove IE supportmediawiki/extensions/PageFormsmaster+5 -9
Update maxlength with byte limitmediawiki/extensions/PageFormsmaster+1 -1
Customize query in gerrit

Related Objects

Event Timeline

Yaron_Koren created this task.Dec 19 2017, 1:56 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 19 2017, 1:56 AM
Yaron_Koren mentioned this in T149869: Security review for PageForms.Dec 19 2017, 1:58 AM
Himanshuc3 subscribed.Jan 11 2018, 6:55 AM

http://localhost:8080/wiki/Special:CreateForm#foo is working in my vagrant setup.
Can you explain whats wrong.

Aklapper added a comment.Jan 11 2018, 1:07 PM
In T183213#3892238, @Himanshuc3 wrote:

http://localhost:8080/wiki/Special:CreateForm#foo is working in my vagrant setup.

@Himanshuc3: How is it "working"? Please be way more specific what you've tried and what did happen or not. The task description here states "The other options ajax is totally broken". It is unclear if you tested the AJAX of "Other options" and how exactly.

Himanshuc3 added a comment.Jan 17 2018, 1:34 PM

@Aklapper Sorry. A rookie mistake.

Screen Shot 2018-01-17 at 7.02.42 PM.png (511×1 px, 99 KB)

I don't see where the "other options Ajax" is.
Please point out the mistake.

yashdeep97 subscribed.Feb 15 2018, 7:22 PM
Sahajsk subscribed.Mar 29 2020, 1:07 PM
This comment was removed by Sahajsk.
Restricted Application added a subscriber: Liuxinyu970226. · View Herald TranscriptMar 29 2020, 1:07 PM
gerritbot added a comment.Apr 27 2020, 8:51 AM

Change 592613 had a related patch set uploaded (by Sahajsk; owner: Sahajsk):
[mediawiki/extensions/PageForms@master] Update maxlength with byte limit

https://gerrit.wikimedia.org/r/592613

gerritbot added a project: Patch-For-Review.Apr 27 2020, 8:51 AM
Sahajsk updated the task description. (Show Details)Apr 27 2020, 8:53 AM

Will update the description after checking the feasibility and solving the issues.

gerritbot added a comment.Apr 27 2020, 5:08 PM

Change 592613 merged by jenkins-bot:
[mediawiki/extensions/PageForms@master] Update maxlength with byte limit

https://gerrit.wikimedia.org/r/592613

Yaron_Koren mentioned this in rEPFMe996c3a327fc: Update maxlength with byte limit.Apr 27 2020, 5:09 PM
Maintenance_bot removed a project: Patch-For-Review.Apr 27 2020, 5:10 PM
Aklapper removed Yaron_Koren as the assignee of this task.Jun 19 2020, 4:12 PM

This task has been assigned to the same task owner for more than two years. Resetting task assignee due to inactivity, to decrease task cookie-licking and to get a slightly more realistic overview of plans. Please feel free to assign this task to yourself again if you still realistically work or plan to work on this task - it would be welcome!

For tips how to manage individual work in Phabricator (noisy notifications, lists of task, etc.), see https://phabricator.wikimedia.org/T228575#6237124 for available options.
(For the records, two emails were sent to assignee addresses before resetting assignees. See T228575 for more info and for potential feedback. Thanks!)

gerritbot added a comment.Feb 16 2021, 8:45 PM

Change 664646 had a related patch set uploaded (by Yaron Koren; owner: Yaron Koren):
[mediawiki/extensions/PageForms@master] Simplify form "cancel" link, remove IE support

https://gerrit.wikimedia.org/r/664646

gerritbot added a project: Patch-For-Review.Feb 16 2021, 8:45 PM
gerritbot added a comment.Feb 16 2021, 9:33 PM

Change 664646 merged by jenkins-bot:
[mediawiki/extensions/PageForms@master] Simplify form "cancel" link, remove IE support

https://gerrit.wikimedia.org/r/664646

Yaron_Koren updated the task description. (Show Details)Feb 16 2021, 9:36 PM
gerritbot added a comment.Feb 16 2021, 10:00 PM

Change 664647 had a related patch set uploaded (by Yaron Koren; owner: Yaron Koren):
[mediawiki/extensions/PageForms@master] Add trim of form and target name to Special:EditForm

https://gerrit.wikimedia.org/r/664647

gerritbot added a comment.Feb 16 2021, 10:13 PM

Change 664647 merged by jenkins-bot:
[mediawiki/extensions/PageForms@master] Add trim of form and target name to Special:EditForm

https://gerrit.wikimedia.org/r/664647

Yaron_Koren updated the task description. (Show Details)Feb 16 2021, 10:14 PM
Maintenance_bot removed a project: Patch-For-Review.Feb 16 2021, 11:10 PM
Yaron_Koren mentioned this in T275404: Use $wgExtensionAssetsPath instead of $wgScriptPath when defining $wgPageFormsScriptPath .Feb 22 2021, 4:31 PM
Yaron_Koren updated the task description. (Show Details)Apr 5 2021, 7:07 PM
Yaron_Koren updated the task description. (Show Details)Dec 8 2021, 11:45 PM
gerritbot added a comment.Dec 31 2021, 3:39 PM

Change 749881 had a related patch set uploaded (by Yaron Koren; author: Yaron Koren):

[mediawiki/extensions/PageForms@master] Fix CreateForm JS to work with '#' in URL

https://gerrit.wikimedia.org/r/749881

gerritbot added a project: Patch-For-Review.Dec 31 2021, 3:39 PM
gerritbot added a comment.Dec 31 2021, 3:50 PM

Change 749881 merged by jenkins-bot:

[mediawiki/extensions/PageForms@master] Fix CreateForm JS to work with '#' in URL

https://gerrit.wikimedia.org/r/749881

Yaron_Koren updated the task description. (Show Details)Dec 31 2021, 3:55 PM
Maintenance_bot removed a project: Patch-For-Review.Dec 31 2021, 4:10 PM
Yaron_Koren updated the task description. (Show Details)Jan 3 2022, 8:28 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL