Page MenuHomePhabricator
Create Task
Maniphest T201285

Disable raw HTML in https://foundation.wikimedia.org/
Closed, ResolvedPublic
Actions

Description

It is a very strong security risk: anyone who compromised any active account in this wiki may insert arbitary HTML, which may be loaded by everyone visiting the site. Raw HTML are mainly used in many outdated and historical pages, many may be migrated to non-raw HTML (e.g. wiki syntax and TemplateStyles), and I don't think it is essential for this wiki as it is not a public portal for Wikimedia Foundation anymore.

Once it is done the wiki may possibly be made open.

Details

SubjectRepoBranchLines +/-
[GovernanceWiki] Disable wgRawHTML, no longer neededoperations/mediawiki-configmaster+0 -1
Customize query in gerrit

Event Timeline

Bugreporter created this task.Aug 6 2018, 6:45 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 6 2018, 6:45 AM
Bugreporter updated the task description. (Show Details)Aug 6 2018, 6:52 AM
Aklapper edited projects, added Wikimedia Foundation Governance Wiki (foundation.wikimedia.org); removed Wikimedia-Site-requests.Aug 6 2018, 8:23 AM

anyone who compromised any active account in this wiki may insert arbitary HTML

How and why is that a different behavior than any other wiki site, and with which wiki site do you compare?

Raw HTML are mainly used in many outdated and historical pages

Could you please link to a specific example page on that wiki which uses "raw html"?

For the records, https://foundation.wikimedia.org/wiki/Special:Statistics lists about ~1000 users.

Bugreporter added a comment.Aug 6 2018, 8:42 AM

https://www.mediawiki.org/wiki/Manual:$wgRawHtml

All extant pages using raw HTML: https://foundation.wikimedia.org/w/index.php?title=Special:Search&profile=all&search=insource%3A%2F%5C%3Chtml%5C%3E%2F&fulltext=1

Aklapper added a project: Wikimedia-Site-requests.Aug 6 2018, 11:24 AM

Ah, thanks, so this is about $wgRawHtml and changing it in https://noc.wikimedia.org/conf/InitialiseSettings.php.txt

Varnent added a subscriber: Seddon.Aug 6 2018, 5:08 PM
Varnent moved this task from Backlog to Translation related on the Wikimedia Foundation Governance Wiki (foundation.wikimedia.org) board.Aug 6 2018, 6:25 PM
Bawolff subscribed.Aug 6 2018, 10:08 PM

Just saying i agree 100% with this task. If fundraising/whoever else no longer needs it we would strongly like to get raw html disabled. Especially now that it under wikimedia.org

Framawiki moved this task from Backlog to Analysis / under discussion on the Wikimedia-Site-requests board.Aug 9 2018, 5:16 PM
Framawiki subscribed.
chasemp subscribed.Aug 13 2018, 12:59 PM
Varnent subscribed.EditedSep 25 2018, 7:53 PM

Just a quick update that a vast majority of these pages have been cleaned up or removed in preparation for disabling this. I believe there are just 3 reports left - which @Jseddon is working on migrating (sans-HTML) to Meta-Wiki. :)

Varnent added a subscriber: Jseddon.Sep 25 2018, 7:55 PM
Bawolff added a comment.Sep 25 2018, 11:36 PM

I just did https://foundation.wikimedia.org/w/index.php?title=2015-2016_Fundraising_Report&type=revision&diff=118085&oldid=113983 so now there's 2.

Bawolff added a comment.Sep 25 2018, 11:42 PM

Ok, the rest are done, https://foundation.wikimedia.org/w/index.php?search=insource%2F%5C%3Chtml%5C%3E%2F&title=Special%3ASearch&profile=all&fulltext=1 is empty - Lets kill raw html :D :D

Jdforrester-WMF subscribed.Sep 25 2018, 11:56 PM

Yay.

gerritbot subscribed.Sep 26 2018, 12:00 AM

Change 462834 had a related patch set uploaded (by Jforrester; owner: Jforrester):
[operations/mediawiki-config@master] [GovernanceWiki] Disable wgRawHTML, no longer needed

https://gerrit.wikimedia.org/r/462834

gerritbot added a project: Patch-For-Review.Sep 26 2018, 12:00 AM
Varnent assigned this task to Jdforrester-WMF.Sep 26 2018, 6:48 PM
Varnent triaged this task as High priority.Oct 19 2018, 5:46 PM
Restricted Application added a subscriber: Dereckson. · View Herald TranscriptOct 19 2018, 5:46 PM
gerritbot added a comment.Nov 7 2018, 6:44 PM

Change 462834 merged by jenkins-bot:
[operations/mediawiki-config@master] [GovernanceWiki] Disable wgRawHTML, no longer needed

https://gerrit.wikimedia.org/r/462834

Stashbot subscribed.Nov 7 2018, 6:51 PM

Mentioned in SAL (#wikimedia-operations) [2018-11-07T18:51:34Z] <jforrester@deploy1001> Synchronized wmf-config/InitialiseSettings.php: T201285: Disable wgRawHTML on Governance wiki (duration: 05m 12s)

Jdforrester-WMF closed this task as Resolved.Nov 7 2018, 6:51 PM
Jdforrester-WMF removed a project: Patch-For-Review.

Done.

chasemp added a project: Security.Feb 10 2020, 10:54 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:15 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL