Page MenuHomePhabricator

Third-party browser add-on adds [javascript:] within references when editing using the VisualEditor
Closed, ResolvedPublic

Details

Related Gerrit Patches:
mediawiki/extensions/VisualEditor : masterBlacklist javascript links

Event Timeline

Cirdan created this task.Aug 2 2018, 5:02 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 2 2018, 5:02 AM
Cirdan added a subscriber: PerfektesChaos.
Cirdan added a comment.Aug 2 2018, 5:26 PM

All five cases on enwiki are related to the ISBN template: insource search

There are no occurences on frwiki and nlwiki, but 44 cases on dewiki.

Cirdan added a subscriber: TheDJ.Aug 6 2018, 4:15 AM

It's likely Citavi again, namely their Picker plugin for Firefox.

One affected user can replicate the problem by adding a reference with the plugin activated: diff

If they disable the plugin, no [javascript:]s are added: diff

@TheDJ Last time you got in touch with Citavi, can you do that again?

We should not rely on 3rd parties.

This is also not only a citation issue.

It is quite common that a service appends advertising by linked image or even JavaScript code.

Any (VE) insertion shall strip off entirely any rich insertion anywhere like:

<a href="javascript:...">...</a>
<img src="..." />
Cirdan added a comment.Aug 6 2018, 7:44 AM

Obviously this requires a new filter, as did virtually all bugs in T54327.

But similar to T192392 it makes sense to inform Citavi that they have a bug in their plugin (again).

Deskana closed this task as Invalid.Aug 7 2018, 6:48 PM
Deskana added a subscriber: Deskana.

There's really not much for the Editing team to do if someone is using a malfunctioning browser plug-in. I suggest contacting the developers of the plug-in in question.

Cirdan added a comment.Aug 7 2018, 7:16 PM

@Deskana Don't you think that a filter such as the one added for T192392 would be useful? I see that both script and noscript are already part of that list, so adding javascript as well would probably close the last hole in that regard.

Aklapper renamed this task from [javascript:] added within references when editing using the VisualEditor to Third-party browser add-on adds [javascript:] within references when editing using the VisualEditor .Oct 29 2018, 7:04 AM
TheDJ changed the task status from Invalid to Resolved.Nov 27 2018, 8:03 PM

This seems incorrectly closed, as we CLEARLY have filters for such things already in place.

Restricted Application added a project: User-Ryasmeen. · View Herald TranscriptNov 27 2018, 8:03 PM
TheDJ reopened this task as Open.Nov 27 2018, 8:05 PM
TheDJ added a comment.Nov 27 2018, 8:07 PM

Probably adding a[href^="javascript:"] to the filter list would do the job ?

Change 476097 had a related patch set uploaded (by TheDJ; owner: TheDJ):
[mediawiki/extensions/VisualEditor@master] Blacklist javascript links

https://gerrit.wikimedia.org/r/476097

Change 476097 merged by jenkins-bot:
[mediawiki/extensions/VisualEditor@master] Blacklist javascript links

https://gerrit.wikimedia.org/r/476097

matmarex added a subscriber: matmarex.

I reviewed the results currently found by the searches posted by @Cirdan:

All five cases on enwiki are related to the ISBN template: insource search
There are no occurences on frwiki and nlwiki, but 44 cases on dewiki.

(now 3 pages on dewiki and 10 pages on enwiki)

There were no additions of the 'javascript:' links in the edits made after 2018-12-13, when the fix was deployed. Any existing links were added earlier (I did not try to find exactly when).

If you notice any new edits adding such links, please let us know.

TheDJ added a comment.Jan 3 2019, 4:19 PM

Now 0 on both. Can be closed as far as I'm concerned

marcella closed this task as Resolved.Jan 8 2019, 9:43 PM