Remove or escape HTML code in the EXIF when uploading files (Currently uploading is not possible)
Closed, DuplicatePublic
Actions

Assigned To

None

Authored By

	AlexisJazz
	Dec 29 2018, 10:21 PM

Description

"This file contains HTML or script code that may be erroneously interpreted by a web browser. See the FAQ for more information."

When trying to upload https://www.flickr.com/photos/tinto/30943950124/in/album-72157669026712053/.

Reason (I think):

Iptc.Application2.Caption                    String    164  Website: <a href="http://joergschubert.de/" rel="nofollow">tinto|graphy</a> // instagram: <a href="http://instagram.com/tintography" rel="nofollow">@tintography</a>
Xmp.dc.description                           LangAlt     1  lang="x-default" Website: <a href="http://joergschubert.de/" rel="nofollow">tinto|graphy</a> // instagram: <a href="http://instagram.com/tintography" rel="nofollow">@tintography</a>

Mediawiki~~/UploadWizard~~ should just remove or escape the offending html.

Related Objects

Mentioned In: T27707: Allow "html" in exif tags

Event Timeline

AlexisJazz created this task.Dec 29 2018, 10:21 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 29 2018, 10:21 PM

AlexisJazz updated the task description. (Show Details)Dec 29 2018, 10:22 PM

Peachey88 added projects: MediaWiki-Uploading, UploadWizard.Dec 29 2018, 10:48 PM

Restricted Application added a project: Multimedia. · View Herald TranscriptDec 29 2018, 10:48 PM

@AlexisJazz: ~~Please include clear steps to reproduce. Which of the many available ways to upload files did you use exactly?~~

Edit: Ah, I assume the "MediaWiki/UploadWizard" in the last line implies that.

Aklapper renamed this task from Can't upload files with HTML code in the EXIF to Remove or escape HTML code in the EXIF when uploading files (Currently uploading is not possible).Dec 30 2018, 11:38 AM

Shreyasminocha claimed this task.Dec 30 2018, 12:03 PM

Shreyasminocha triaged this task as High priority.Dec 30 2018, 12:06 PM

In T212693#4845910, @Aklapper wrote:

@AlexisJazz: ~~Please include clear steps to reproduce. Which of the many available ways to upload files did you use exactly?~~

Edit: Ah, I assume the "MediaWiki/UploadWizard" in the last line implies that.

https://commons.wikimedia.org/w/index.php?title=Commons:Village_pump/Technical&oldid=332791738#file_contains_HTML_or_script_code

Crosswiki upload, https://en.wikipedia.org/wiki/Special:Upload, UploadWizard, https://commons.wikimedia.org/wiki/Special:Upload (both by uploading the file and uploading from URL) and https://tools.wmflabs.org/flickr2commons/#/photo/30943950124 all spit the same error.

https://nl.wikipedia.org/wiki/Speciaal:Uploaden spits the same error, but in Dutch. ;-)

AlexisJazz updated the task description. (Show Details)Dec 30 2018, 12:34 PM

[Line number 517 of includes/upload/UploadBase.php in mediawiki/core](https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/core/+/master/includes/upload/UploadBase.php#517) as well as surrounding lines seem to be relevant.

PHP's not my strong suit, sorry.

Shreyasminocha removed a project: UploadWizard.Dec 30 2018, 12:54 PM

@Aklapper @Shreyasminocha can't you just remove line 1332 ("'<a href',") from UploadBase.php? Is that Internet Explorer bug still a thing? Otherwise can you check if it's part of the EXIF and ignore it if that's the case?

zhuyifei1999 closed this task as a duplicate of T27707: Allow "html" in exif tags.Dec 31 2018, 5:48 AM

AlexisJazz mentioned this in T27707: Allow "html" in exif tags.Dec 31 2018, 3:18 PM

Remove or escape HTML code in the EXIF when uploading files (Currently uploading is not possible)Closed, DuplicatePublicActions

Description

Related Objects

Event Timeline

Remove or escape HTML code in the EXIF when uploading files (Currently uploading is not possible)
Closed, DuplicatePublic
Actions