Page MenuHomePhabricator
Create Task
Maniphest T200506

Previewing a non-style-only gadget that you already have enabled causes a syntax error
Closed, ResolvedPublic
Actions

Description

I'm getting a syntax error when previewing any gadget page (CSS or JS) that belongs to any non-style-only gadget that I already have enabled. This happens in both Chrome and Firefox.
In Chrome, the error is
Uncaught SyntaxError: Unexpected token }.
In Firefox, the error is
SyntaxError: expected expression, got '}'.
The line seems to be the long mw.loader.load line with all the ResourceLoader modules.

It does not happen when previewing pages for pure style modules, like:
https://sv.wikipedia.org/wiki/MediaWiki:Gadget-oldeditlinks.css
https://sv.wikipedia.org/wiki/MediaWiki:Gadget-OldDiff.css

It does happen when previewing pages for non-style-only modules, like:
https://sv.wikipedia.org/wiki/MediaWiki:Gadget-ExkluderaRobotskapadeSidor.js (JavaScript page for JavaScript-only module)
https://sv.wikipedia.org/wiki/MediaWiki:Gadget-SearchEdit.js (JavaScript page for mixed module)
https://sv.wikipedia.org/wiki/MediaWiki:Gadget-InfogaRaderamall.css (CSS page for mixed module)

Is this because of T112474 and/or T180817?

Details

SubjectRepoBranchLines +/-
Html: Reject </script> from inlineScript() and leave rest unescapedmediawiki/corewmf/1.32.0-wmf.19+42 -15
Html: Reject </script> from inlineScript() and leave rest unescapedmediawiki/coremaster+42 -15
resourceloader: Refuse to preview content with </script>mediawiki/coremaster+12 -0
Html: Add test coverage for inlineScript()mediawiki/coremaster+39 -0
Customize query in gerrit

Related Objects

Event Timeline

Nirmos created this task.Jul 27 2018, 10:06 AM
Restricted Application added a project: Performance-Team. · View Herald TranscriptJul 27 2018, 10:06 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
aaron assigned this task to Krinkle.Jul 30 2018, 8:10 PM
aaron triaged this task as Medium priority.
aaron moved this task from Inbox, needs triage to To-do: Goals prioritized current Quarter on the Performance-Team board.
Krinkle moved this task from To-do: Goals prioritized current Quarter to Doing (old) on the Performance-Team board.Aug 6 2018, 9:15 PM

I can reproduce this on test2.wikipedia.org:

There is now the following syntax error in the console:

Uncaught SyntaxError: Unexpected token }

Source in the HTML:

capture.png (326×2 px, 121 KB)

This looks quite messed up indeed. Several problems:

  • The module closure is passed to a function called h() instead of mw.loader.implement(). No idea what this is.
  • The module closure ends with }); twice instead once. Causing the syntax error.
  • There is an unclosed comment at the end /* which causes another syntax error when it gets merged with an unrelated comment spanning into another module's source (user.options).

The two components that relate to previewing wiki modules are ResourceLoader's "embed module" feature, and the "content override" feature for between OutputPage and ResourceLoaderContext, as used by ResourceLoaderWikiModule.

The last major change to that was 3f1142045f5 / https://gerrit.wikimedia.org/r/#/c/mediawiki/core/+/340768/ / T112474.

Krinkle added a comment.EditedAug 7 2018, 3:02 PM

Turns out this isn't directly related to the "embed module" or "content override" behaviour, although it does seem that the underlying bug I found is only triggered by those behaviours (right now).

After tracing the PHP output from ResourceLoaderWikiModule::getContentObj to ResourceLoaderWikiModule::getScript to ResourceLoader::makeModuleResponse to ResourceLoaderClientHtml::makeLoad, I found the following:

if ( $embed ) {
	// ...
	$chunks[] = '' . ResourceLoader::makeInlineScript(
		$rl->makeModuleResponse( $context, $moduleSet ),
		$nonce
	);

Where ResourceLoader::makeInlineScript contains the following (simplified):

public static function makeInlineScript( $script, $nonce = null ) {
		$js = self::makeLoaderConditionalScript( $script );
		// ...
		return new WrappedString(
			Html::inlineScript( $js ),
			"<script>(window.RLQ=window.RLQ||[]).push(function(){",
			'});</script>'
		);
	}

This usually outputs a string like this:

<script>(window.RLQ=window.RLQ||[]).push(function(){mw.loader.implement("ext.gadget.foo@0srnwfl",function(){...});});</script>

However, for the gadget on sv.wikipedia.org and many other ones, it outputs this:

<script>/*<![CDATA[*/(window.RLQ=window.RLQ||[]).push(function(){mw.loader.implement("ext.gadget.foo@0srnwfl",function($,jQuery,require,module){mw.loader.load('https://www.mediawiki.org/w/index.php?title=MediaWiki:Gadget-modrollback.js&action=raw&ctype=text/javascript');});});/*]]>*/</script>

The important difference is the presence of /*<![CDATA[*/. This breaks the offset assumptions from WrappedString, thus, when it is trying to merge two such objects and strip the common prefix/suffix, it produces the following:

h(function(){mw.loader.implement("ext.gadget.foo@0srnwfl",function($,jQuery,require,module){mw.loader.load('https://www.mediawiki.org/w/index.php?title=MediaWiki:Gadget-modrollback.js&action=raw&ctype=text/javascript');});});/*

Which is exactly what we found. The h( is a left over from RLQ.push( which was meant to be stripped in its entirety, but the presence of CDATA made the prefix longer, so it only stripped part of it. The strange unclosed comment at the end is caused by the same problem. It normally ends with });</script>, but now ends with });/*]]>*/</script>. Stripping the expected length of characters, leaves behind });});/*]].

The trigger for this bug is any inline script from OutputPage (gadget, previewed user/site script, mw-config etc.) that contains an ampersand (&) or less-than (<) character.

gerritbot subscribed.Aug 7 2018, 3:17 PM

Change 451006 had a related patch set uploaded (by Krinkle; owner: Krinkle):
[mediawiki/core@master] Html: Add test coverage for inlineScript()

https://gerrit.wikimedia.org/r/451006

gerritbot added a project: Patch-For-Review.Aug 7 2018, 3:17 PM
gerritbot added a comment.Aug 7 2018, 3:53 PM

Change 451011 had a related patch set uploaded (by Krinkle; owner: Krinkle):
[mediawiki/core@master] Html: Change inlineScript() from XML-specific CDATA to unicode escape

https://gerrit.wikimedia.org/r/451011

Krinkle added a comment.Aug 7 2018, 4:08 PM

This problem would've been easier to find if WrappedString validated the prefix, request filed at T118663.

Krinkle moved this task from Inbox to Confirmed Problem on the MediaWiki-ResourceLoader board.Aug 9 2018, 8:40 PM
Krinkle moved this task from Doing (old) to Blocked (old) on the Performance-Team board.Aug 12 2018, 12:50 PM
gerritbot added a comment.Aug 17 2018, 1:08 AM

Change 451006 merged by jenkins-bot:
[mediawiki/core@master] Html: Add test coverage for inlineScript()

https://gerrit.wikimedia.org/r/451006

ReleaseTaggerBot added a project: MW-1.32-notes (WMF-deploy-2018-08-21 (1.32.0-wmf.18)).Aug 17 2018, 2:00 AM
gerritbot added a comment.Aug 20 2018, 12:52 AM

Change 453892 had a related patch set uploaded (by Krinkle; owner: Krinkle):
[mediawiki/core@master] resourceloader: Refuse to preview content with </script>

https://gerrit.wikimedia.org/r/453892

Krinkle moved this task from Blocked (old) to Doing (old) on the Performance-Team board.Aug 20 2018, 3:59 PM
Fomafix merged a task: T202849: Preview of global.js generates syntax error when "&" is in the content.Aug 27 2018, 6:59 PM
Fomafix subscribed.
gerritbot added a comment.Aug 30 2018, 1:01 AM

Change 451011 merged by jenkins-bot:
[mediawiki/core@master] Html: Reject </script> from inlineScript() and leave rest unescaped

https://gerrit.wikimedia.org/r/451011

gerritbot added a comment.Aug 30 2018, 1:01 AM

Change 453892 merged by jenkins-bot:
[mediawiki/core@master] resourceloader: Refuse to preview content with </script>

https://gerrit.wikimedia.org/r/453892

ReleaseTaggerBot edited projects, added MW-1.32-notes (WMF-deploy-2018-09-04 (1.32.0-wmf.20)); removed MW-1.32-notes (WMF-deploy-2018-08-21 (1.32.0-wmf.18)).Aug 30 2018, 2:00 AM
Krinkle closed this task as Resolved.Aug 30 2018, 9:22 PM
Krinkle removed a project: Patch-For-Review.
gerritbot added a comment.Aug 31 2018, 11:10 PM

Change 456765 had a related patch set uploaded (by Krinkle; owner: Krinkle):
[mediawiki/core@wmf/1.32.0-wmf.19] Html: Reject </script> from inlineScript() and leave rest unescaped

https://gerrit.wikimedia.org/r/456765

gerritbot added a project: Patch-For-Review.Aug 31 2018, 11:10 PM
gerritbot added a comment.Aug 31 2018, 11:31 PM

Change 456765 merged by jenkins-bot:
[mediawiki/core@wmf/1.32.0-wmf.19] Html: Reject </script> from inlineScript() and leave rest unescaped

https://gerrit.wikimedia.org/r/456765

Stashbot subscribed.Aug 31 2018, 11:35 PM

Mentioned in SAL (#wikimedia-operations) [2018-08-31T23:35:51Z] <krinkle@deploy1001> Synchronized php-1.32.0-wmf.19/includes/Html.php: I67ceb34eabf2f - T200506 (duration: 00m 50s)

ReleaseTaggerBot edited projects, added MW-1.32-notes (WMF-deploy-2018-08-28 (1.32.0-wmf.19)); removed MW-1.32-notes (WMF-deploy-2018-09-04 (1.32.0-wmf.20)).Sep 1 2018, 12:01 AM
Fomafix removed a project: Patch-For-Review.Sep 1 2018, 6:13 AM
Func mentioned this in T360258: Previewing global.js with "<script>" returns MediaWiki internal error "DomainException".Sat, May 11, 5:59 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL