Page MenuHomePhabricator
Create Task
Maniphest T200971

Third-party browser add-on adds [javascript:] within references when editing using the VisualEditor
Closed, ResolvedPublic
Actions

Description

As reported at the German-language Wikipedia's village pump (permalink), in VE edits between May and today, [javascript:] is added at the end of references:

Might be a problem similar to T192392: [[data:image/png;base64... added to article when editing using the visual editor due to broken browser extension.

Details

SubjectRepoBranchLines +/-
Blacklist javascript linksmediawiki/extensions/VisualEditormaster+1 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Cirdan created this task.Aug 2 2018, 5:02 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 2 2018, 5:02 AM
Cirdan added a project: VisualEditor.Aug 2 2018, 5:02 AM
Cirdan added a subscriber: PerfektesChaos.
Count_Count subscribed.Aug 2 2018, 9:03 AM

It looks like this also occurs on enWP, see e.g. https://en.wikipedia.org/w/index.php?title=Bletchley_Park&diff=next&oldid=846802829

Cirdan added a comment.Aug 2 2018, 5:26 PM

All five cases on enwiki are related to the ISBN template: insource search

There are no occurences on frwiki and nlwiki, but 44 cases on dewiki.

Cirdan added a subscriber: TheDJ.Aug 6 2018, 4:15 AM

It's likely Citavi again, namely their Picker plugin for Firefox.

One affected user can replicate the problem by adding a reference with the plugin activated: diff

If they disable the plugin, no [javascript:]s are added: diff

@TheDJ Last time you got in touch with Citavi, can you do that again?

Cirdan added a parent task: T54327: Broken browser plugins cause cruft to be injected into the page (tracking).Aug 6 2018, 4:18 AM
PerfektesChaos added a comment.Aug 6 2018, 7:23 AM

We should not rely on 3rd parties.

This is also not only a citation issue.

It is quite common that a service appends advertising by linked image or even JavaScript code.

Any (VE) insertion shall strip off entirely any rich insertion anywhere like:

<a href="javascript:...">...</a>
<img src="..." />
Cirdan added a comment.Aug 6 2018, 7:44 AM

Obviously this requires a new filter, as did virtually all bugs in T54327.

But similar to T192392 it makes sense to inform Citavi that they have a bug in their plugin (again).

Deskana closed this task as Invalid.Aug 7 2018, 6:48 PM
Deskana subscribed.

There's really not much for the Editing team to do if someone is using a malfunctioning browser plug-in. I suggest contacting the developers of the plug-in in question.

Cirdan added a comment.Aug 7 2018, 7:16 PM

@Deskana Don't you think that a filter such as the one added for T192392 would be useful? I see that both script and noscript are already part of that list, so adding javascript as well would probably close the last hole in that regard.

Aklapper renamed this task from [javascript:] added within references when editing using the VisualEditor to Third-party browser add-on adds [javascript:] within references when editing using the VisualEditor .Oct 29 2018, 7:04 AM
TheDJ changed the task status from Invalid to Resolved.Nov 27 2018, 8:03 PM

This seems incorrectly closed, as we CLEARLY have filters for such things already in place.

Restricted Application added a project: User-Ryasmeen. · View Herald TranscriptNov 27 2018, 8:03 PM
TheDJ reopened this task as Open.Nov 27 2018, 8:05 PM
TheDJ added a comment.Nov 27 2018, 8:07 PM

Probably adding a[href^="javascript:"] to the filter list would do the job ?

gerritbot subscribed.Nov 27 2018, 8:11 PM

Change 476097 had a related patch set uploaded (by TheDJ; owner: TheDJ):
[mediawiki/extensions/VisualEditor@master] Blacklist javascript links

https://gerrit.wikimedia.org/r/476097

gerritbot added a project: Patch-For-Review.Nov 27 2018, 8:11 PM
Jdforrester-WMF assigned this task to TheDJ.Nov 27 2018, 9:12 PM
Jdforrester-WMF edited projects, added VisualEditor-MediaWiki, VisualEditor (Current work); removed Patch-For-Review, VisualEditor.
Jdforrester-WMF moved this task from Incoming to Product owner review on the VisualEditor (Current work) board.
gerritbot added a comment.Nov 27 2018, 9:39 PM

Change 476097 merged by jenkins-bot:
[mediawiki/extensions/VisualEditor@master] Blacklist javascript links

https://gerrit.wikimedia.org/r/476097

ReleaseTaggerBot added a project: MW-1.33-notes (1.33.0-wmf.8; 2018-12-11).Nov 27 2018, 10:00 PM
PerfektesChaos awarded a token.Nov 28 2018, 8:48 AM
marcella moved this task from Product owner review to Engineering QA on the VisualEditor (Current work) board.Dec 13 2018, 3:44 PM
matmarex moved this task from Engineering QA to Product owner review on the VisualEditor (Current work) board.Dec 28 2018, 3:49 PM
matmarex subscribed.

I reviewed the results currently found by the searches posted by @Cirdan:

In T200971#4473369, @Cirdan wrote:

All five cases on enwiki are related to the ISBN template: insource search

There are no occurences on frwiki and nlwiki, but 44 cases on dewiki.

(now 3 pages on dewiki and 10 pages on enwiki)

There were no additions of the 'javascript:' links in the edits made after 2018-12-13, when the fix was deployed. Any existing links were added earlier (I did not try to find exactly when).

If you notice any new edits adding such links, please let us know.

TheDJ added a comment.Jan 3 2019, 4:19 PM

Now 0 on both. Can be closed as far as I'm concerned

marcella closed this task as Resolved.Jan 8 2019, 9:43 PM
Cirdan mentioned this in T217482: VisualEditor adds <span></span> to DOI link.Mar 2 2019, 4:00 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL