
Special:ImportFile is not escaped message, showing tags as plain text
Closed, Resolved · Public

Description

Steps of reproduction

Expected

File should be imported at Commons

Actual Result

Log First Time

<table cellpadding="4" cellspacing="4" style="border:3px solid #CC0000;; background-color:#FFFFF8; width:100%;" class="plainlinks"> <tr> <td style="text-align:center;width:80px"><img alt="Dialog-warning.svg" src="https://upload.wikimedia.org/wikipedia/commons/thumb/6/6e/Dialog-warning.svg/70px-Dialog-warning.svg.png" width="70" height="70" srcset="https://upload.wikimedia.org/wikipedia/commons/thumb/6/6e/Dialog-warning.svg/105px-Dialog-warning.svg.png 1.5x, https://upload.wikimedia.org/wikipedia/commons/thumb/6/6e/Dialog-warning.svg/140px-Dialog-warning.svg.png 2x" data-file-width="48" data-file-height="48" /><small> </td> <td style="font-size:90%"> <h2><span id="Don.27t_blank_pages"></span><span class="mw-headline" id="Don't_blank_pages"><small><b> Don't blank pages </b></small></span></h2> <p>This action has been automatically identified as a potential problem and has been prevented from being saved. </p> <h3><span class="mw-headline" id="Deletion">Deletion</span></h3> <dl><dd><i>Further information: <a href="/wiki/Commons:Deletion_policy#Speedy_deletion" title="Commons:Deletion policy">Commons:Deletion policy#Speedy deletion</a></i></dd></dl> <p>If you meant for the page to be <b>deleted</b>, blanking is not the right way to do this as blank pages will cause technical problems&#160;! </p><p><b>Please use "<code>{{<a href="/wiki/Template:Badname" class="mw-redirect" title="Template:Badname">Badname</a>&#124;type good new here}}</code>"</b> if the category has been moved to a better name, so that the other users are informed about the new name. <b>Please use "<code>{{<a href="/wiki/Template:Speedy" class="mw-redirect" title="Template:Speedy">speedy</a>&#124; <i>type reason here</i> }}</code>"</b> and add it on top of the page you would like to have deleted. This way it will be placed on a special list that <a href="/wiki/Commons:Administrators" title="Commons:Administrators">administrators</a> check regularly for deletion. 
Without this it might take a long time before it's noticed or it would be forgotten about. </p><p><br /> </p> <h3><span id="Redirecting_.2F_moving_.2F_renaming"></span><span class="mw-headline" id="Redirecting_/_moving_/_renaming">Redirecting / moving / renaming</span></h3> <p><b>Categories:</b><br/> If a category should be renamed please propose a move by putting the <span style="font-family:monospace, monospace;">&#123;&#123;<a href="/wiki/Template:Move" title="Template:Move">Move</a>&#125;&#125;</span> template on the category page. <br/>The Move-template is used when you want to propose to move contents from the current category to a another one. See <a href="/wiki/Template:Move" title="Template:Move">Template:Move</a> for more information.<br/>If this category has been moved but this one should be kept as a redirect use <span style="font-family:monospace, monospace;">&#123;&#123;<a href="/wiki/Template:Category_redirect" title="Template:Category redirect">Category redirect</a>&#125;&#125;</span>.<br/><code>{{<a href="/wiki/Template:Category_redirect" title="Template:Category redirect">category redirect</a>&#124; <i>Name of target-category</i> (without the "Category:" prefix }}</code> </p><p><br /> </p><p><b>Files:</b><br/> If you recently uploaded a file under a wrong name use the <span style="font-family:monospace, monospace;">&#123;&#123;<a href="/wiki/Template:Rename" title="Template:Rename">rename</a>&#125;&#125;</span> template.<br/>=&gt; "<code>{{<a href="/wiki/Template:Rename" title="Template:Rename">rename</a>&#124;new filename.jpg&#124; <i>type reason here</i> }}</code>"<br/><br/>If you've already uploaded the correct version of the file, and want to delete this one, use the <span style="font-family:monospace, monospace;">&#123;&#123;<a href="/wiki/Template:Bad_name" title="Template:Bad name">Bad name</a>&#125;&#125;</span> template.<br/>=&gt; "<code>{{<a href="/wiki/Template:Bad_name" title="Template:Bad name">bad name</a>&#124; Name of the correct 
file.jpg }}</code>"<br/><br/>If you are not the original uploader of this file but found a duplicate, please tag it with <span style="font-family:monospace, monospace;">&#123;&#123;<a href="/wiki/Template:Duplicate" title="Template:Duplicate">duplicate</a>&#125;&#125;</span><br/>=&gt; "<code>{{<a href="/wiki/Template:Duplicate" title="Template:Duplicate">duplicate</a>&#124; Name of the correct file.jpg }}</code>" </p><p><br /> </p> <hr /> In case you aren't sure what to do, it's best to ask for help at the <a href="/wiki/Commons:Help_desk" title="Commons:Help desk">help desk</a>.<br/><br/><div class="toccolours">In case you were actually making an acceptable contribution, please report this error <a class="external text" href="//commons.wikimedia.org/w/index.php?title=Commons:Abuse_filter/Error_reporting&amp;withJS=MediaWiki:ABFeasySubmit.js">here</a>. Thank you.</div> </td></tr></table>

Log Second time

<table style="width:100%; padding:1px 4px; border:1px solid #bb7070; background:#ffdbdb;"> <tr> <td style="text-align:center; width:60px;"><img alt="Your action has triggered the Abuse Filter" src="https://upload.wikimedia.org/wikipedia/commons/thumb/7/7f/Dialog-error.svg/50px-Dialog-error.svg.png" title="Your action has triggered the Abuse Filter" width="50" height="50" srcset="https://upload.wikimedia.org/wikipedia/commons/thumb/7/7f/Dialog-error.svg/75px-Dialog-error.svg.png 1.5x, https://upload.wikimedia.org/wikipedia/commons/thumb/7/7f/Dialog-error.svg/100px-Dialog-error.svg.png 2x" data-file-width="48" data-file-height="48" /> </td> <td>An automated filter has identified this edit as potentially unconstructive, and it has been disallowed. If this edit is constructive, please <a href="/wiki/Commons:Abuse_filter#False_positives" title="Commons:Abuse filter">report this error</a>. </td></tr></table>

Event Timeline

Restricted Application added a project: User-Jayprakash12345. · Oct 8 2018, 7:01 PM
Lea_WMDE added a subscriber: Lea_WMDE.

Thanks for this really nice ticket!

We did not manage to reproduce the issue anymore. Could you recheck again? Thank you!

Pikne added a subscriber: Pikne. · Dec 11 2018, 11:20 AM

Regretfully I can reproduce this. To trigger page blanking filter on Commons (filter 4) you need an account that has less than 200 edits and that isn't in "autopatrol" user group. It seems to be triggered because first revision is empty. I don't know if this is FileImporter's problem or rather a problem of this particular filter. Displaying raw HTML of course is another issue.

WMDE-Fisch moved this task from Backlog to Doing on the WMDE-QWERTY-X-Mas-Sprint-2018-12-18 board.

Change 482635 had a related patch set uploaded (by Thiemo Kreuz (WMDE); owner: Thiemo Kreuz (WMDE)):
[mediawiki/extensions/FileImporter@master] Fix double escaped HTML when triggering AbuseFilter

https://gerrit.wikimedia.org/r/482635

WMDE-Fisch added a subscriber: WMDE-Fisch.

:-)

Note the patch https://gerrit.wikimedia.org/r/482635 does not fully solve this issue. The patch only solves the bad HTML escaping. I was not yet able to fully reproduce the issue with the AbuseFilter that should not (?) be triggered. As explained above, it seems the file the user wanted to import contains a text revision that is empty (0 bytes). Since we are validating all old text revisions plus the new wikitext the user possibly edited, these can all potentially trigger AbuseFilter. We might need to rethink this and only trigger the AbuseFilter hook for the latest text revision, but not for the historical ones.
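
The "double escaped HTML" named in the patch title, as an added example that is not FileImporter's code: a warning that is already rendered HTML gets escaped again as if it were plain text, so its tags are displayed literally. `RenderedHtml`, `renderErrorBefore` and `renderErrorAfter` are hypothetical names and the sample strings are constructed.

```php
<?php
// Added illustration. RenderedHtml, renderErrorBefore and renderErrorAfter are
// hypothetical names, not FileImporter or MediaWiki APIs.

/** Wraps a string that is already rendered HTML, e.g. a parsed filter warning. */
final class RenderedHtml {
    private string $html;

    public function __construct(string $html) {
        $this->html = $html;
    }

    public function toHtml(): string {
        return $this->html;
    }
}

/** Before: every error is treated as plain text, so rendered HTML is escaped again. */
function renderErrorBefore($error): string {
    $text = $error instanceof RenderedHtml ? $error->toHtml() : (string)$error;
    return '<div class="error">' . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</div>';
}

/** After: only plain text is escaped, and it is escaped exactly once. */
function renderErrorAfter($error): string {
    $body = $error instanceof RenderedHtml
        ? $error->toHtml()
        : htmlspecialchars((string)$error, ENT_QUOTES, 'UTF-8');
    return '<div class="error">' . $body . '</div>';
}

// Constructed samples: a rendered warning, and a plain-text error containing a file title.
$warning = new RenderedHtml('<p>This action has been <b>prevented</b> from being saved.</p>');
$plain = 'Could not import "<b>Sabudana</b>.jpg"';

echo renderErrorBefore($warning), "\n"; // tags are escaped and show up as literal text
echo renderErrorAfter($warning), "\n";  // the warning keeps its markup
echo renderErrorAfter($plain), "\n";    // markup inside plain text is still escaped
```

Removing the escaping for every error would also hide the symptom, but it would let markup in plain-text errors through unescaped; marking the already-rendered case by type keeps both behaviours correct.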

Change 482635 merged by jenkins-bot:
[mediawiki/extensions/FileImporter@master] Fix double escaped HTML when triggering AbuseFilter

https://gerrit.wikimedia.org/r/482635

I created a follow-up task for the issue uncovered here: T213409. The un-escaped HTML should be fixed and will be live when the deployment is finished today.

WMDE-Fisch closed this task as Resolved. · Feb 22 2019, 12:22 PM

I just randomly came to this ticket. The issue is fixed and importing the above mentioned file should work now.

https://mr.wikipedia.org/wiki/%E0%A4%9A%E0%A4%BF%E0%A4%A4%E0%A5%8D%E0%A4%B0:Sabudana.jpg