Page MenuHomePhabricator
Create Task
Maniphest T207365

URL with % in fragment breaks scripts that use mw.Uri
Closed, DeclinedPublic
Actions

Description

  1. Go to https://en.wikipedia.org/wiki/Wikipedia#% (or any other page with something in the URL fragment that would be invalid as %-encoding).
  2. Try to use Echo or VE.

Instead of step 1 you can also go to a page that has a % sign in a headline, use the TOC to go to that section and reload the page.

Expected: Everything should work as normal.
Actual: Echo and VE will only work via fallback (i.e. Echo will open Special:Notifications, VE will reload the page for editing).
The console is full with errors like URIError: "malformed URI sequence" and TypeError: "defaultUri is undefined", so probably mw.Uri can't parse the URL, and breaks everything that depends on it.

I haven't checked the specs whether a raw % sign is actually allowed in the fragment, but even if it isn't it shouldn't break anything; and if it isn't the parser should not produce such URLs in the TOC.

Details

SubjectRepoBranchLines +/-
web2017-polyfills: Update URL polyfill to latest version with our fixesmediawiki/coremaster+67 -6
Customize query in gerrit

Related Objects
Search...

Event Timeline

Schnark created this task.Oct 18 2018, 9:02 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 18 2018, 9:02 AM
Jdlrobson subscribed.Sep 8 2020, 11:22 PM

Related: T106244

Krinkle subscribed.EditedSep 8 2020, 11:50 PM

Most things categorised under T106244 are invalid under the spec, and never produced by the Parser for the TOC or otherwise.

The bare % case is interesting and afaik not reported previously. The anchor for == % == and and [[#%]] indeed uses plain % currently which suggests that it is valid. I'm not sure why that is rejected currently. Either way, the fix is potentially the same, if resourced, which is to migrate to native URL.

For now though, this should remain a separate task since it isn't a case of garbage-in/garbage-out. Either we need to generate different anchors like we do for other special chars, or we need to support them in mw.Uri.

DannyS712 subscribed.Sep 8 2020, 11:53 PM
matmarex merged tasks: T275799: mw.Uri cannot be called on subpages (TypeError: Cannot read property 'protocol' of undefined), T269948: CentralNotice throws exception on malformed URIs, T268060: Unable to view and navigate images on certain pages in MultimediaViewer: TypeError: Cannot read property 'protocol' of undefined.Feb 25 2021, 5:54 PM
matmarex added a project: Wikimedia-production-error.
matmarex added subscribers: SarthakKundra, matmarex, AndyRussG and 4 others.
Jdlrobson added a project: MediaWiki-User-Interface (active libraries).Feb 25 2021, 6:25 PM
Jdlrobson added a project: Web-Team-Backlog.Feb 25 2021, 7:43 PM
Jdlrobson added a project: MediaWiki-Parser.
ovasileva triaged this task as Medium priority.Mar 2 2021, 10:42 AM
ovasileva moved this task from Incoming to Triaged but Future on the Web-Team-Backlog board.
thcipriani moved this task from Untriaged to Mar 2021 on the Wikimedia-production-error board.Mar 3 2021, 7:54 PM
Krinkle moved this task from Mar 2021 to Older on the Wikimedia-production-error board.Apr 1 2021, 10:25 PM
Jdlrobson moved this task from Triaged but Future to Tracking on the Web-Team-Backlog board.Apr 30 2021, 9:17 PM
Jdlrobson edited projects, added Web-Team-Backlog (Tracking); removed Web-Team-Backlog.
Tgr subscribed.Aug 3 2021, 5:23 AM

That URL is unambiguously invalid. The URL spec restricts valid characters in the fragment to !$&'()*+,-./:;=?@_~, percent-endcoded and (most) non-ASCII.

Jack_who_built_the_house subscribed.Sep 20 2021, 8:20 PM
Jdlrobson moved this task from Untriaged to Untag on the Web-Team-Backlog (Tracking) board.Sep 30 2021, 9:27 PM
LGoto removed a project: Web-Team-Backlog (Tracking).Nov 9 2021, 4:23 PM
Jack_who_built_the_house added a comment.EditedNov 27 2021, 1:50 PM

DiscussionTools also doesn't work on pages with % in the fragment.

Just want to emphasize (if it isn't clear) that bare % fragments imply just any sections that have % in the name, like More than 50% of Wikipedia visits come from mobile devices. It accounts for at least 900 "Talk" namespace pages (regexp search timed out) in English Wikipedia. All of which don't work correctly if you open them by a section link.

Krinkle added a subtask: T103379: Add 'url' module for native URL constructor (with conditionally loaded polyfill).Nov 28 2021, 12:27 AM
Ammarpad mentioned this in T301356: URL Shortener showed "Not a valid URL" with metawiki link that contains "#1%".Feb 9 2022, 4:23 PM
Ammarpad added a parent task: T301356: URL Shortener showed "Not a valid URL" with metawiki link that contains "#1%".
Krinkle removed a parent task: T301356: URL Shortener showed "Not a valid URL" with metawiki link that contains "#1%".Feb 16 2022, 5:30 PM
Krinkle closed subtask T103379: Add 'url' module for native URL constructor (with conditionally loaded polyfill) as Resolved.Mar 2 2022, 5:22 PM
Krinkle reopened subtask T103379: Add 'url' module for native URL constructor (with conditionally loaded polyfill) as Open.Mar 7 2022, 7:09 PM
gerritbot added a comment.Mar 16 2022, 8:10 PM

Change 771445 had a related patch set uploaded (by Krinkle; author: Krinkle):

[mediawiki/core@master] URL: Update 'url' polyfill to latest version containing our fixes

https://gerrit.wikimedia.org/r/771445

gerritbot added a project: Patch-For-Review.Mar 16 2022, 8:10 PM
gerritbot added a comment.Mar 27 2022, 8:48 PM

Change 771445 merged by jenkins-bot:

[mediawiki/core@master] web2017-polyfills: Update URL polyfill to latest version with our fixes

https://gerrit.wikimedia.org/r/771445

ReleaseTaggerBot added a project: MW-1.39-notes (1.39.0-wmf.5; 2022-03-28).Mar 27 2022, 9:00 PM
Maintenance_bot removed a project: Patch-For-Review.Mar 27 2022, 9:10 PM
Krinkle renamed this task from URL with % in fragment breaks many scripts to URL with % in fragment breaks scripts that use mw.Uri.Mar 27 2022, 10:21 PM
Krinkle closed subtask T103379: Add 'url' module for native URL constructor (with conditionally loaded polyfill) as Resolved.
Krinkle closed this task as Declined.Mar 27 2022, 10:28 PM
Krinkle removed a project: MediaWiki-Parser.

The root cause is that mw.Uri only supports valid UTF-8 percent encoding in query parameters and hash fragments. Calling it with something else fails. This isn't something we can trivially change without breaking compatibility.

There are also various genuine valid URLs that MediaWiki supports that are not meant to decode as UTF-8 but as a different charset.

Making the problem go away from a central point thus isn't possible, and keeping this as a tracking task is not useful I think.

Individual gadgets and features that do this can either try-catch, as a number of extensions like VisualEditor have done already, or can migrate to the native URL constructor T103379, by depending on web2017-polyfills.

https://developer.mozilla.org/en-US/docs/Web/API/URL

/* https://en.wikipedia.org/wiki/Sandbox?action=edit#foo */

var uri = new mw.Uri(location.href);
uri.fragment; // "foo"
uri.query.action; // "edit"

var uri = new URL(location.href);
uri.hash; // "#foo"
uri.searchParams.get('action'); "edit"
Krinkle mentioned this in T268062: ApiSandbox loadFromHash error prevents interface from loading.Apr 11 2022, 8:02 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL