Page MenuHomePhabricator
Create Task
Maniphest T206486

Special:ImportFile is not escaped message, showing tags as plain text
Closed, ResolvedPublic
Actions

Description

Steps of reproduction

Expected

File Should be Imported at commons

Actual Result

Firefox_Screenshot_2018-10-08T18-47-05.026Z.png (2×1 px, 826 KB)

Log First Time

<table cellpadding="4" cellspacing="4" style="border:3px solid #CC0000;; background-color:#FFFFF8; width:100%;" class="plainlinks"> <tr> <td style="text-align:center;width:80px"><img alt="Dialog-warning.svg" src="https://upload.wikimedia.org/wikipedia/commons/thumb/6/6e/Dialog-warning.svg/70px-Dialog-warning.svg.png" width="70" height="70" srcset="https://upload.wikimedia.org/wikipedia/commons/thumb/6/6e/Dialog-warning.svg/105px-Dialog-warning.svg.png 1.5x, https://upload.wikimedia.org/wikipedia/commons/thumb/6/6e/Dialog-warning.svg/140px-Dialog-warning.svg.png 2x" data-file-width="48" data-file-height="48" /><small> </td> <td style="font-size:90%"> <h2><span id="Don.27t_blank_pages"></span><span class="mw-headline" id="Don't_blank_pages"><small><b> Don't blank pages </b></small></span></h2> <p>This action has been automatically identified as a potential problem and has been prevented from being saved. </p> <h3><span class="mw-headline" id="Deletion">Deletion</span></h3> <dl><dd><i>Further information: <a href="/wiki/Commons:Deletion_policy#Speedy_deletion" title="Commons:Deletion policy">Commons:Deletion policy#Speedy deletion</a></i></dd></dl> <p>If you meant for the page to be <b>deleted</b>, blanking is not the right way to do this as blank pages will cause technical problems&#160;! </p><p><b>Please use "<code>{{<a href="/wiki/Template:Badname" class="mw-redirect" title="Template:Badname">Badname</a>&#124;type good new here}}</code>"</b> if the category has been moved to a better name, so that the other users are informed about the new name. <b>Please use "<code>{{<a href="/wiki/Template:Speedy" class="mw-redirect" title="Template:Speedy">speedy</a>&#124; <i>type reason here</i> }}</code>"</b> and add it on top of the page you would like to have deleted. This way it will be placed on a special list that <a href="/wiki/Commons:Administrators" title="Commons:Administrators">administrators</a> check regularly for deletion. Without this it might take a long time before it's noticed or it would be forgotten about. </p><p><br /> </p> <h3><span id="Redirecting_.2F_moving_.2F_renaming"></span><span class="mw-headline" id="Redirecting_/_moving_/_renaming">Redirecting / moving / renaming</span></h3> <p><b>Categories:</b><br/> If a category should be renamed please propose a move by putting the <span style="font-family:monospace, monospace;">&#123;&#123;<a href="/wiki/Template:Move" title="Template:Move">Move</a>&#125;&#125;</span> template on the category page. <br/>The Move-template is used when you want to propose to move contents from the current category to a another one. See <a href="/wiki/Template:Move" title="Template:Move">Template:Move</a> for more information.<br/>If this category has been moved but this one should be kept as a redirect use <span style="font-family:monospace, monospace;">&#123;&#123;<a href="/wiki/Template:Category_redirect" title="Template:Category redirect">Category redirect</a>&#125;&#125;</span>.<br/><code>{{<a href="/wiki/Template:Category_redirect" title="Template:Category redirect">category redirect</a>&#124; <i>Name of target-category</i> (without the "Category:" prefix }}</code> </p><p><br /> </p><p><b>Files:</b><br/> If you recently uploaded a file under a wrong name use the <span style="font-family:monospace, monospace;">&#123;&#123;<a href="/wiki/Template:Rename" title="Template:Rename">rename</a>&#125;&#125;</span> template.<br/>=&gt; "<code>{{<a href="/wiki/Template:Rename" title="Template:Rename">rename</a>&#124;new filename.jpg&#124; <i>type reason here</i> }}</code>"<br/><br/>If you've already uploaded the correct version of the file, and want to delete this one, use the <span style="font-family:monospace, monospace;">&#123;&#123;<a href="/wiki/Template:Bad_name" title="Template:Bad name">Bad name</a>&#125;&#125;</span> template.<br/>=&gt; "<code>{{<a href="/wiki/Template:Bad_name" title="Template:Bad name">bad name</a>&#124; Name of the correct file.jpg }}</code>"<br/><br/>If you are not the original uploader of this file but found a duplicate, please tag it with <span style="font-family:monospace, monospace;">&#123;&#123;<a href="/wiki/Template:Duplicate" title="Template:Duplicate">duplicate</a>&#125;&#125;</span><br/>=&gt; "<code>{{<a href="/wiki/Template:Duplicate" title="Template:Duplicate">duplicate</a>&#124; Name of the correct file.jpg }}</code>" </p><p><br /> </p> <hr /> In case you aren't sure what to do, it's best to ask for help at the <a href="/wiki/Commons:Help_desk" title="Commons:Help desk">help desk</a>.<br/><br/><div class="toccolours">In case you were actually making an acceptable contribution, please report this error <a class="external text" href="//commons.wikimedia.org/w/index.php?title=Commons:Abuse_filter/Error_reporting&amp;withJS=MediaWiki:ABFeasySubmit.js">here</a>. Thank you.</div> </td></tr></table>

Log Second time

<table style="width:100%; padding:1px 4px; border:1px solid #bb7070; background:#ffdbdb;"> <tr> <td style="text-align:center; width:60px;"><img alt="Your action has triggered the Abuse Filter" src="https://upload.wikimedia.org/wikipedia/commons/thumb/7/7f/Dialog-error.svg/50px-Dialog-error.svg.png" title="Your action has triggered the Abuse Filter" width="50" height="50" srcset="https://upload.wikimedia.org/wikipedia/commons/thumb/7/7f/Dialog-error.svg/75px-Dialog-error.svg.png 1.5x, https://upload.wikimedia.org/wikipedia/commons/thumb/7/7f/Dialog-error.svg/100px-Dialog-error.svg.png 2x" data-file-width="48" data-file-height="48" /> </td> <td>An automated filter has identified this edit as potentially unconstructive, and it has been disallowed. If this edit is constructive, please <a href="/wiki/Commons:Abuse_filter#False_positives" title="Commons:Abuse filter">report this error</a>. </td></tr></table>

Details

SubjectRepoBranchLines +/-
Fix double escaped HTML when triggering AbuseFiltermediawiki/extensions/FileImportermaster+48 -3
Customize query in gerrit

Related Objects

Event Timeline

Jayprakash12345 created this task.Oct 8 2018, 7:01 PM
Restricted Application added a project: User-Jayprakash12345. · View Herald TranscriptOct 8 2018, 7:01 PM
Jayprakash12345 removed a project: User-Jayprakash12345.Oct 8 2018, 7:03 PM
Jayprakash12345 updated the task description. (Show Details)Oct 9 2018, 3:31 AM
Lea_WMDE moved this task from Backlog to Tickets in preparation/investigation on the Move-Files-To-Commons board.Dec 4 2018, 11:57 AM
Lea_WMDE subscribed.

Thanks for this really nice ticket!

Lea_WMDE added a comment.Dec 4 2018, 1:36 PM

We did not manage to reproduce the issue anymore. Could you recheck again? Thank you!

Pikne subscribed.Dec 11 2018, 11:20 AM

Regretfully I can reproduce this. To trigger page blanking filter on Commons (filter 4) you need an account that has less than 200 edits and that isn't in "autopatrol" user group. It seems to be triggered because first revision is empty. I don't know if this is FileImporter's problem or rather a problem of this particular filter. Displaying raw HTML of course is another issue.

Lea_WMDE added a project: WMDE-QWERTY-X-Mas-Sprint-2018-12-18.Dec 18 2018, 12:40 PM
WMDE-Fisch claimed this task.Jan 7 2019, 1:07 PM
WMDE-Fisch moved this task from Backlog to Doing on the WMDE-QWERTY-X-Mas-Sprint-2018-12-18 board.
gerritbot subscribed.Jan 7 2019, 1:24 PM

Change 482635 had a related patch set uploaded (by Thiemo Kreuz (WMDE); owner: Thiemo Kreuz (WMDE)):
[mediawiki/extensions/FileImporter@master] Fix double escaped HTML when triggering AbuseFilter

https://gerrit.wikimedia.org/r/482635

gerritbot added a project: Patch-For-Review.Jan 7 2019, 1:24 PM
thiemowmde mentioned this in rEFLIc2118da71ba7: Fix double escaped HTML when triggering AbuseFilter.Jan 7 2019, 1:27 PM
WMDE-Fisch reassigned this task from WMDE-Fisch to thiemowmde.Jan 7 2019, 1:38 PM
WMDE-Fisch subscribed.

:-)

WMDE-Fisch moved this task from Doing to Review on the WMDE-QWERTY-X-Mas-Sprint-2018-12-18 board.Jan 7 2019, 1:38 PM
thiemowmde added a comment.Jan 7 2019, 1:52 PM

Note the patch https://gerrit.wikimedia.org/r/482635 does not fully solve this issue. The patch only solves the bad HTML escaping. I was not yet able to fully reproduce the issue with the AbuseFilter that should not (?) be triggered. As explained above it seems the file the user wanted to import contains a text revision that is empty (0 bytes). Since we are validating all old text revisions plus the new wikitext the user possibly edited these can all potentially trigger AbuseFilter. We might need to rethink this and only trigger the AbuseFilter hook for the latest text revision, but not for the historical ones.

thiemowmde mentioned this in rEFLI4e3b735f1668: Fix double escaped HTML when triggering AbuseFilter.Jan 7 2019, 2:40 PM
gerritbot added a comment.Jan 7 2019, 4:22 PM

Change 482635 merged by jenkins-bot:
[mediawiki/extensions/FileImporter@master] Fix double escaped HTML when triggering AbuseFilter

https://gerrit.wikimedia.org/r/482635

ReleaseTaggerBot added a project: MW-1.33-notes (1.33.0-wmf.12; 2019-01-08).Jan 7 2019, 5:00 PM
WMDE-Fisch mentioned this in T213409: Improve/Dispose AbuseFilter checks on old text revisions.Jan 10 2019, 11:06 AM
WMDE-Fisch moved this task from Review to Demo on the WMDE-QWERTY-X-Mas-Sprint-2018-12-18 board.Jan 10 2019, 11:10 AM
In T206486#4859005, @thiemowmde wrote:

Note the patch https://gerrit.wikimedia.org/r/482635 does not fully solve this issue. The patch only solves the bad HTML escaping. I was not yet able to fully reproduce the issue with the AbuseFilter that should not (?) be triggered. As explained above it seems the file the user wanted to import contains a text revision that is empty (0 bytes). Since we are validating all old text revisions plus the new wikitext the user possibly edited these can all potentially trigger AbuseFilter. We might need to rethink this and only trigger the AbuseFilter hook for the latest text revision, but not for the historical ones.

I create a follow up task for the issue uncovered here T213409. The un-escaped html should be fixed and will be live when the deployment is finished today.

WMDE-Fisch closed this task as Resolved.Feb 22 2019, 12:22 PM

I just randomly came to this ticket. The issue is fixed and importing the above mentioned file should work now.

https://mr.wikipedia.org/wiki/%E0%A4%9A%E0%A4%BF%E0%A4%A4%E0%A5%8D%E0%A4%B0:Sabudana.jpg

jijiki mentioned this in rEFLI4b3b6655abd1: Fix double escaped HTML when triggering AbuseFilter.Mar 18 2019, 4:37 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL