Page MenuHomePhabricator

Remove or escape HTML code in the EXIF when uploading files (Currently uploading is not possible)
Closed, DuplicatePublic

Description

"This file contains HTML or script code that may be erroneously interpreted by a web browser. See the FAQ for more information."

When trying to upload https://www.flickr.com/photos/tinto/30943950124/in/album-72157669026712053/.

Reason (I think):

Iptc.Application2.Caption                    String    164  Website: <a href="http://joergschubert.de/" rel="nofollow">tinto|graphy</a> // instagram: <a href="http://instagram.com/tintography" rel="nofollow">@tintography</a>
Xmp.dc.description                           LangAlt     1  lang="x-default" Website: <a href="http://joergschubert.de/" rel="nofollow">tinto|graphy</a> // instagram: <a href="http://instagram.com/tintography" rel="nofollow">@tintography</a>

Mediawiki/UploadWizard should just remove or escape the offending html.

Related Objects

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 29 2018, 10:21 PM
AlexisJazz updated the task description. (Show Details)Dec 29 2018, 10:22 PM
Restricted Application added a project: Multimedia. · View Herald TranscriptDec 29 2018, 10:48 PM
Aklapper added a comment.EditedDec 29 2018, 10:56 PM

@AlexisJazz: Please include clear steps to reproduce. Which of the many available ways to upload files did you use exactly?

Edit: Ah, I assume the "MediaWiki/UploadWizard" in the last line implies that.

Aklapper renamed this task from Can't upload files with HTML code in the EXIF to Remove or escape HTML code in the EXIF when uploading files (Currently uploading is not possible).Dec 30 2018, 11:38 AM
Shreyasminocha triaged this task as High priority.Dec 30 2018, 12:06 PM
AlexisJazz added a comment.EditedDec 30 2018, 12:21 PM

@AlexisJazz: Please include clear steps to reproduce. Which of the many available ways to upload files did you use exactly?
Edit: Ah, I assume the "MediaWiki/UploadWizard" in the last line implies that.

https://commons.wikimedia.org/w/index.php?title=Commons:Village_pump/Technical&oldid=332791738#file_contains_HTML_or_script_code

Crosswiki upload, https://en.wikipedia.org/wiki/Special:Upload, UploadWizard, https://commons.wikimedia.org/wiki/Special:Upload (both by uploading the file and uploading from URL) and https://tools.wmflabs.org/flickr2commons/#/photo/30943950124 all spit the same error.

https://nl.wikipedia.org/wiki/Speciaal:Uploaden spits the same error, but in Dutch. ;-)

AlexisJazz updated the task description. (Show Details)Dec 30 2018, 12:34 PM
Shreyasminocha removed Shreyasminocha as the assignee of this task.Dec 30 2018, 12:52 PM
Shreyasminocha added a subscriber: Shreyasminocha.

PHP's not my strong suit, sorry.

@Aklapper @Shreyasminocha can't you just remove line 1332 ("'<a href',") from UploadBase.php? Is that Internet Explorer bug still a thing? Otherwise can you check if it's part of the EXIF and ignore it if that's the case?