Page MenuHomePhabricator
Create Task
Maniphest T210603

Wikitext with HTML elements can mess the conflict resolution interface up
Closed, ResolvedPublic3 Estimated Story Points
Actions

Description

While investigating the user report from https://www.mediawiki.org/wiki/Topic:Upao2tuc1nk398ll, I accidentally found a possible HTML injection vector in the extension. We accidentally used rawElement instead of element in one place. The HTML that can be injected this way can not contain JavaScript, because it was already sanitized via the parser. But it can still mess up the conflict resolution interface.

Details

ProjectBranchLines +/-Subject
mediawiki/extensions/TwoColConflictwmf/1.33.0-wmf.6+19 -8Fix unescaped HTML injected into conflict resolution interface
mediawiki/extensions/TwoColConflictmaster+19 -8Fix unescaped HTML injected into conflict resolution interface
Customize query in gerrit

Related Objects

Event Timeline

thiemowmde created this task.Nov 28 2018, 1:28 PM
gerritbot added a subscriber: gerritbot.Nov 28 2018, 1:29 PM

Change 476263 had a related patch set uploaded (by Thiemo Kreuz (WMDE); owner: Thiemo Kreuz (WMDE)):
[mediawiki/extensions/TwoColConflict@master] Fix unescaped HTML injected into conflict resolution interface

https://gerrit.wikimedia.org/r/476263

gerritbot added a project: Patch-For-Review.Nov 28 2018, 1:29 PM
thiemowmde triaged this task as High priority.Nov 28 2018, 1:29 PM
thiemowmde moved this task from Sprint Backlog to Review on the WMDE-QWERTY-Sprint-2018-11-20 board.
thiemowmde mentioned this in rESCCda5b4930bcca: Fix unescaped HTML injected into conflict resolution interface.Nov 28 2018, 1:31 PM
thiemowmde mentioned this in rESCC44a45653a183: Fix unescaped HTML injected into conflict resolution interface.Nov 28 2018, 2:15 PM
WMDE-Fisch mentioned this in rESCCcafc0cb16890: Fix unescaped HTML injected into conflict resolution interface.Nov 28 2018, 3:05 PM
WMDE-Fisch set the point value for this task to 2.Nov 28 2018, 3:22 PM
gerritbot added a comment.Nov 28 2018, 3:28 PM

Change 476263 merged by jenkins-bot:
[mediawiki/extensions/TwoColConflict@master] Fix unescaped HTML injected into conflict resolution interface

https://gerrit.wikimedia.org/r/476263

WMDE-Fisch moved this task from Review to Demo on the WMDE-QWERTY-Sprint-2018-11-20 board.Nov 28 2018, 3:33 PM

Demo:
Before that patch, reverting a part of text including HTML would break the interface. Can still be reproduced on production.

ReleaseTaggerBot added a project: MW-1.33-notes (1.33.0-wmf.8; 2018-12-11).Nov 28 2018, 4:00 PM
WMDE-Fisch changed the point value for this task from 2 to 3.Nov 28 2018, 4:18 PM

Backport this to wmf.6

gerritbot added a comment.Nov 28 2018, 4:19 PM

Change 476300 had a related patch set uploaded (by WMDE-Fisch; owner: Thiemo Kreuz (WMDE)):
[mediawiki/extensions/TwoColConflict@wmf/1.33.0-wmf.6] Fix unescaped HTML injected into conflict resolution interface

https://gerrit.wikimedia.org/r/476300

WMDE-Fisch mentioned this in rESCCacb5d9837a5d: Fix unescaped HTML injected into conflict resolution interface.Nov 28 2018, 4:21 PM
Lea_WMDE moved this task from Backlog to Tickets ready for pickup on the Two-Column-Edit-Conflict-Merge board.Nov 28 2018, 4:22 PM
WMDE-Fisch moved this task from Tickets ready for pickup to Tickets in sprint on the Two-Column-Edit-Conflict-Merge board.Nov 28 2018, 4:22 PM
WMDE-Fisch added a comment.Nov 29 2018, 7:55 AM

SWAT booked for today 1 PM UTC+1 https://wikitech.wikimedia.org/w/index.php?title=Deployments&type=revision&diff=1809822&oldid=1809798

gerritbot added a comment.Nov 29 2018, 12:38 PM

Change 476300 merged by jenkins-bot:
[mediawiki/extensions/TwoColConflict@wmf/1.33.0-wmf.6] Fix unescaped HTML injected into conflict resolution interface

https://gerrit.wikimedia.org/r/476300

WMDE-Fisch added a comment.Nov 29 2018, 12:50 PM

Live now on all wmf.6 wikis ( big wikipedia deploy will follow when train is finished today )

ReleaseTaggerBot edited projects, added MW-1.33-notes (1.33.0-wmf.6; 2018-11-27); removed MW-1.33-notes (1.33.0-wmf.8; 2018-12-11).Nov 29 2018, 1:00 PM
Lea_WMDE closed this task as Resolved.Dec 3 2018, 10:30 AM
Lea_WMDE moved this task from Demo to Done on the WMDE-QWERTY-Sprint-2018-11-20 board.
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL