
[[data:image/png;base64... added to article when editing using the visual editor due to broken browser extension
Closed, Resolved · Public · 1 Story Points

Description

On the German-language Wikipedia's VisualEditor feedback page it was brought to our attention today that in several cases editors using the VisualEditor added to an article what looks to me like a directly-pasted image file:

[[data:image/png;base64,...|verweis=javascript:]]

Note that in many, but not all cases it is the same code as above which is inserted.

The following cases were reported today:

Two cases from the English-language Wikipedia:

Details

Related Gerrit Patches:
mediawiki/extensions/VisualEditor : master · Blacklist images with data URLs

Event Timeline

Cirdan created this task. Apr 17 2018, 6:23 PM
Restricted Application added a subscriber: Aklapper. Apr 17 2018, 6:23 PM
Cirdan updated the task description. Apr 17 2018, 6:25 PM
Cirdan updated the task description. Apr 17 2018, 6:34 PM

It's a quotation mark. The ones that look different are actually the same image, but slightly larger. Does anyone recognise it? Are there steps to reproduce this?

This is almost certainly some browser extension messing with the editable surface. We can blacklist it, but first we have to know what it is. @Cirdan Can you ask the users making these edits about their browser extensions?

The images being inserted here are these: This might be the logo of the extension (I don't recognize it, unfortunately).

Only the last diff you linked has a different one: This might be another, separate extension :(

Shouldn't we just blacklist all images with a data URL?

Change 427191 had a related patch set uploaded (by Esanders; owner: Esanders):
[mediawiki/extensions/VisualEditor@master] Blacklist images with data URLs

https://gerrit.wikimedia.org/r/427191

The images being inserted here are these: This might be the logo of the extension (I don't recognize it, unfortunately).

These are appearing after ISBNs so I would guess some citation plugin.

Only the last diff you linked has a different one: This might be another, separate extension :(

Looks like an anti-virus plugin, checking external links.

Cirdan added a comment. Edited · Apr 17 2018, 7:18 PM

These are appearing after ISBNs so I would guess some citation plugin.

Yes, that's the Citavi logo: https://www.citavi.com/favicon.ico

@Cirdan Can you ask the users making these edits about their browser extensions?

If it is still necessary, I can try to do that, although quite a few are anonymous edits where I don't believe we have a chance. But if all of these insertions are blacklisted now, the problem is solved, I guess?

Change 427191 merged by jenkins-bot:
[mediawiki/extensions/VisualEditor@master] Blacklist images with data URLs

https://gerrit.wikimedia.org/r/427191

TheDJ added a comment. Apr 17 2018, 8:12 PM

Tweeted at Citavi that they might want to fix that in general for contenteditables.

TheDJ added a comment. Apr 18 2018, 8:20 AM

Thanks for letting us know! That's not supposed to happen, so our developer is going to take a look and get that fixed.

There, that looks promising.

matmarex added a comment. Edited · Apr 18 2018, 5:25 PM

Shouldn't we just blacklist all images with a data URL?

I was concerned that this might still leave some mess, e.g. if the image is wrapped in a link or something.

For example, in https://en.wikipedia.org/w/index.php?diff=835420857 the following was inserted:

[[data:image/png;base64,iVBORw0KGg...|link=javascript:]]

Which to me looks like it was generated from HTML like this:

<a href="javascript:" ...><img src="data:image/png;base64,iVBORw0KGg..." /></a>

We now remove the <img> before sending the data to Parsoid, but the empty <a> is left over. That might be cleaned up at a later point (does Parsoid remove empty links?), but I'm not sure about it, and anyway I would prefer not to rely on that.
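The leftover-wrapper case described in the comment above, as an added example that is not VisualEditor's code and not part of the original thread: it removes images with `data:` URLs and also drops a link that is left empty by that removal. The node model (plain objects instead of DOM nodes), the function names and the sample content are assumptions made so the snippet runs without a browser.

```javascript
// Added example, not VisualEditor's code. Nodes are plain objects
// { tag, attrs, children }; text nodes are strings (constructed model, no DOM).
const DATA_URL = /^\s*data:/i;

function isDataImage(node) {
  return node.tag === 'img' && DATA_URL.test((node.attrs || {}).src || '');
}

// Returns a cleaned copy of `node`, or null when the node should be dropped.
function stripDataImages(node) {
  if (typeof node === 'string') return node;
  if (isDataImage(node)) return null;
  const before = node.children || [];
  const children = before.map(stripDataImages).filter((c) => c !== null);
  const removedSomething = children.length < before.length;
  const onlyWhitespace = children.every(
    (c) => typeof c === 'string' && c.trim() === ''
  );
  // A link that held nothing but the removed image would survive as an
  // empty <a href="javascript:">, so drop it together with the image.
  if (node.tag === 'a' && removedSomething && onlyWhitespace) return null;
  return { tag: node.tag, attrs: { ...(node.attrs || {}) }, children };
}

// Minimal serializer for inspecting the result (no escaping; sample data only).
function toHtml(node) {
  if (typeof node === 'string') return node;
  const attrs = Object.entries(node.attrs || {})
    .map(([k, v]) => ` ${k}="${v}"`).join('');
  const open = `<${node.tag}${attrs}>`;
  if (node.tag === 'img') return open; // void element, no closing tag
  return open + (node.children || []).map(toHtml).join('') + `</${node.tag}>`;
}

// Constructed sample: an injected link+icon after an ISBN, plus a legitimate
// link and a legitimate image that must both survive.
const sample = {
  tag: 'p', attrs: {}, children: [
    'ISBN 0-00-000000-0 ',
    { tag: 'a', attrs: { href: 'javascript:' }, children: [
      { tag: 'img', attrs: { src: 'data:image/png;base64,iVBORw0KGg...' }, children: [] },
    ] },
    { tag: 'a', attrs: { href: 'https://example.org/' }, children: ['source'] },
    { tag: 'img', attrs: { src: 'https://example.org/a.png' }, children: [] },
  ],
};

console.log(toHtml(stripDataImages(sample)));
```

A link is only dropped when the image removal is what emptied it, so an anchor that was already empty, or a link that still carries text, is kept.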

Deskana renamed this task from "[[data:image/png;base64... added to article using the VisualEditor" to "[[data:image/png;base64... added to article when editing using the visual editor due to broken browser extension". Apr 20 2018, 9:51 AM
Deskana closed this task as Resolved.
Deskana triaged this task as Medium priority.
Deskana set the point value for this task to 1.

Well, this problem is fixed at least. Anything else we want to do should go in a separate task.