Maniphest T202571

Does Language::convert() also do HTML escaping?
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Legoktm
	Aug 22 2018, 7:43 PM

Description

The phan-taint-check-plugin seems to be treating output of Language->convert() as already HTML escaped. Is this correct? I tried following the code but didn't see an obvious spot where the escaping happened.

It would be good to document this in the @return for this method.

Details

	Subject	Repo	Branch	Lines +/-
	Add taint annotation and warnings to Language::convert() et al	mediawiki/core	master	+14 -3
	Document expected input and return value for Language::convert()	mediawiki/core	master	+2 -2

Customize query in gerrit

Event Timeline

Legoktm created this task.Aug 22 2018, 7:43 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 22 2018, 7:43 PM

It seems to be intending to operate on an input HTML string and transform only bits that aren't part of HTML tags and aren't inside <script>...</script> or <style>...</style>. Assuming that works right and assuming there's no way to piece together an HTML tag from different bits, the output should be just as escaped as the input.

If it doesn't work right or there is a way to piece things together, that'd be a security bug.

Thanks, so to confirm, input to Language::convert() should already be escaped?

For the following code:

return $this->getLinkRenderer()->makeLink(
                        $title,
                        $wgContLang->convert( $title->getPrefixedText() )
                );

The correct way to do it would be:

# HTML safe
$text = htmlspecialchars( $title->getPrefixedText() );
# Still HTML safe
$converted = $wgContLang->convert( $text )
# Safe because HtmlArmor prevents double escaping
$link = $this->getLinkRenderer()->makeLink( $title, new HtmlArmor( $converted ) );

Is that right?

That seems right at first glance. I haven't walked through the code.

$wgContLang->convert( $title->getPrefixedText() ) specifically seems like it should be as safe as just $title->getPrefixedText(), since a title can't contain { or } so I think all ->convert() will do is convert alphabets. Again, though, I haven't looked through everything.

Legoktm added subscribers: matmarex, cscott, Bawolff.Aug 25 2018, 3:54 AM

Umherirrender moved this task from Backlog to MediaWiki mode on the phan-taint-check-plugin board.Aug 25 2018, 9:10 AM

Change 456331 had a related patch set uploaded (by Legoktm; owner: Legoktm):
[mediawiki/core@master] Document expected input and return value for Language::convert()

https://gerrit.wikimedia.org/r/456331

gerritbot added a project: Patch-For-Review.Aug 30 2018, 5:07 AM

Change 456331 merged by jenkins-bot:
[mediawiki/core@master] Document expected input and return value for Language::convert()

https://gerrit.wikimedia.org/r/456331

ReleaseTaggerBot added a project: MW-1.32-notes (WMF-deploy-2018-09-04 (1.32.0-wmf.20)).Aug 30 2018, 6:00 AM

matmarex unsubscribed.Aug 30 2018, 9:27 PM

Change 456836 had a related patch set uploaded (by Legoktm; owner: Brian Wolff):
[mediawiki/core@master] Add taint annotation and warnings to Language::convert() et al

https://gerrit.wikimedia.org/r/456836

Change 456836 merged by jenkins-bot:
[mediawiki/core@master] Add taint annotation and warnings to Language::convert() et al

https://gerrit.wikimedia.org/r/456836

Bawolff closed this task as Resolved.Sep 2 2018, 3:50 PM

Bawolff claimed this task.

sbassett moved this task from MediaWiki mode to Done on the phan-taint-check-plugin board.Oct 15 2019, 6:55 PM

Maintenance_bot removed a project: Patch-For-Review.Oct 15 2019, 7:12 PM

sbassett triaged this task as Medium priority.Oct 15 2019, 7:25 PM

Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:41 PM

Winston_Sung moved this task from Backlog to Core on the MediaWiki-Language-converter board.Dec 27 2023, 6:28 PM