Page MenuHomePhabricator
Create Task
Maniphest T219138

TemplateStyles CSS appears in notification text
Closed, ResolvedPublic
Actions

Assigned To
matmarex
Authored By
TerraCodes
Mar 25 2019, 12:00 PM
Tags
Referenced Files
F34947061: Screen Shot 2022-02-09 at 4.56.12 PM.png
Feb 10 2022, 7:57 PM
F29860559: templatestyles-echo-email.png
Jul 24 2019, 11:39 AM
F28463616: image.png
Mar 25 2019, 12:00 PM
Subscribers
Aklapper
AlexisJazz
Base
Etonkovidova
Izno
kostajh
Liuxinyu970226
View All 14 Subscribers

Description

image.png (177×727 px, 29 KB)
(see the text in the middle of the image)

Details

SubjectRepoBranchLines +/-
Use Sanitizer::stripAllTags() when generating notification snippetsmediawiki/extensions/DiscussionToolsmaster+598 -596
Customize query in gerrit

Related Objects
Search...

Event Timeline

TerraCodes created this task.Mar 25 2019, 12:00 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 25 2019, 12:00 PM
TerraCodes added projects: TemplateStyles, Notifications.Mar 25 2019, 12:01 PM
Restricted Application added a project: Growth-Team. · View Herald TranscriptMar 25 2019, 12:01 PM
TerraCodes updated the task description. (Show Details)Mar 25 2019, 12:01 PM
Anomie moved this task from Backlog to External on the TemplateStyles board.Mar 25 2019, 1:43 PM
Izno merged a task: T219973: CSS code of templatestyles displayed in notification..Apr 3 2019, 11:12 AM
Izno added subscribers: Xiplus, Liuxinyu970226.
Tgr added a project: RemexHtml.Apr 3 2019, 5:35 PM
Tgr subscribed.

I think this is a bug in RemexStripTagHandler (called via EchoMentionPresentationModel::getBodyMessage() -> EchoDiscussionParser::getTextSnippet() -> Sanitizer::stripAllTags()) which IMO tends to be used as a rough equivalent of Element.innerText and should behave somewhat along those lines (specifically, hidden elements should be ignored).

SBisson mentioned this in W2269 Echo Tasks.Apr 17 2019, 3:00 PM
SBisson merged a task: T222350: Notification about new reply on my talk page displays some code, if reply starts with template.May 2 2019, 10:35 AM
SBisson added subscribers: MBH, Base.
Tgr added a comment.Jul 24 2019, 11:39 AM

Even more pronounced in emails:

templatestyles-echo-email.png (278×638 px, 36 KB)

Tgr mentioned this in T228856: RemexStripTagHandler should strip <style> contents.Jul 24 2019, 11:46 AM
Tgr added a subtask: T228856: RemexStripTagHandler should strip <style> contents.
Tgr removed a project: RemexHtml.
In T219138#5082483, @Tgr wrote:

I think this is a bug in RemexStripTagHandler

Maybe not bug as such, but poor DX. Made that a separate task: T228856: RemexStripTagHandler should strip <style> contents

matmarex subscribed.Mar 8 2020, 10:46 AM
Izno subscribed.Feb 15 2021, 8:04 AM
MBinder_WMF added a project: Growth-Team-Filtering.Apr 15 2021, 6:51 PM
Dylsss merged a task: T293429: CSS in the summary of a mention when creating a page with {{RFCSubpage}} on Wikidata.Oct 15 2021, 1:32 AM
Dylsss added a subscriber: AlexisJazz.
matmarex closed this task as Resolved.Dec 24 2021, 12:11 AM
matmarex closed subtask T228856: RemexStripTagHandler should strip <style> contents as Resolved.
matmarex added a project: MW-1.38-notes (1.38.0-wmf.16; 2022-01-03).

Presumably resolved via the subtask! I'm assuming you're not planning formal QA for this task, so I'll just close it.

Tgr mentioned this in T301436: [wmf.20] thwiki - Special:Notifications display markup for Welcome message.Feb 10 2022, 1:36 AM
Izno unsubscribed.Feb 10 2022, 7:49 PM
Izno subscribed.
Tgr reopened this task as Open.EditedFeb 10 2022, 7:55 PM
Tgr merged a task: T301436: [wmf.20] thwiki - Special:Notifications display markup for Welcome message.
Tgr added subscribers: Etonkovidova, Sgs, kostajh, mewoph.

Apparently still happening.

Screen Shot 2022-02-09 at 4.56.12 PM.png (740×2 px, 179 KB)

matmarex added a project: DiscussionTools.Feb 10 2022, 8:16 PM

It looks like you've fixed the bug for notification snippets generated by Echo (we should confirm it's definitely fixed), but we have a similar bug in DiscussionTools.

Code here generates snippets for topic subscriptions and some user talk page notifications (but not for mentions): https://github.com/wikimedia/mediawiki-extensions-DiscussionTools/blob/master/includes/Notifications/EventDispatcher.php#L211

And we have tests that actually confirm that content from <style> tags is included:

Tgr added a comment.Feb 10 2022, 8:42 PM

I think that method is fine, EchoEditUserTalkPresentationModel::getBodyMessage() should sanitize the text snippet like EchoMentionPresentationModel::getBodyMessage() does. We should probably review all the presentation models to make sure they do that.

matmarex added a comment.Feb 10 2022, 8:45 PM

DiscussionTools only stores the plain text in the notification data, so that's too late. (Echo stores wikitext there.)

matmarex claimed this task.Feb 10 2022, 8:47 PM
gerritbot added a comment.Feb 10 2022, 8:57 PM

Change 761719 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):

[mediawiki/extensions/DiscussionTools@master] Use Sanitizer::stripAllTags() when generating notification snippets

https://gerrit.wikimedia.org/r/761719

gerritbot added a project: Patch-For-Review.Feb 10 2022, 8:57 PM
TheDJ subscribed.EditedFeb 10 2022, 9:01 PM

Right, so same issue. DiscussionTools unwraped the HTML using XML DOM somewhere, and gets the textContent, and does this BEFORE passing it to Echo. As XML DOM doesn't know of Html specifics, it gets the textContents of style and script tags, which textContent on an html element does not do.

Tgr added a comment.Feb 10 2022, 9:08 PM

The following classes override EchoEventPresentationModel::getBodyMessage():

  • EchoEditUserTalkPresentationModel: needs fix
  • EchoEmailUserPresentationModel: body generated from plaintext email so no issue
  • EchoForeignPresentationModel: no free text
  • EchoMentionInSummaryPresentationModel: uses Sanitizer::stripAllTags()
  • EchoMentionPresentationModel: uses EchoDiscussionParser::getTextSnippet() which uses Sanitizer::stripAllTags()
  • EchoRevertedPresentationModel: uses EchoDiscussionParser::getTextSnippetFromSummary() which uses Sanitizer::stripAllTags()
  • EchoUserRightsPresentationModel: uses EchoDiscussionParser::getTextSnippet()
  • EchoWatchlistChangePresentationModel: no free text

These are the core ones, there is plenty more in extensions.

Two unrelated remarks:

  • many events show a summary (e.g. edit summary, log summary) in the notification body. It seems inconsistent whether that gets (partially) parsed via Linker::formatComment() or treated as plaintext.
  • EchoFlyoutFormatter, EchoHtmlEmailFormatter and EchoPlainTextEmailFormatter calls $echoEventPresentationModel->getBodyMessage()->parse(). SpecialNotificationsFormatter calls $echoEventPresentationModel->getBodyMessage()->escaped(). That can't be good.
Tgr added a comment.Feb 10 2022, 9:23 PM
In T219138#7702401, @TheDJ wrote:

As XML DOM doesn't know of Html specifics, it gets the textContents of style and script tags, which textContent on an html element does not do.

textContent always returns all tag content. innerText doesn't but that method's specific to the HTML DOM (and Dodo has apparently not implemented it).

Tgr added a comment.Feb 10 2022, 10:19 PM
In T219138#7702358, @matmarex wrote:

DiscussionTools only stores the plain text in the notification data, so that's too late. (Echo stores wikitext there.)

Echo apparently also stores plaintext (parsed and stripped wikitext) - the events are generated in EchoDiscussionParser::generateEventsForRevision() which calls to EchoDiscussionParser::detectSectionTitleAndText() which uses getTextSnippet(). So once similar logic is added in DiscussionTools we should be good.

MBH unsubscribed.Feb 11 2022, 4:06 AM
ppelberg moved this task from Backlog to Triaged on the DiscussionTools board.Feb 24 2022, 4:26 PM
gerritbot added a comment.Mar 28 2022, 10:42 PM

Change 761719 merged by jenkins-bot:

[mediawiki/extensions/DiscussionTools@master] Use Sanitizer::stripAllTags() when generating notification snippets

https://gerrit.wikimedia.org/r/761719

ReleaseTaggerBot added a project: MW-1.39-notes (1.39.0-wmf.5; 2022-03-28).Mar 28 2022, 11:00 PM
Maintenance_bot removed a project: Patch-For-Review.Mar 28 2022, 11:10 PM
matmarex closed this task as Resolved.Mar 29 2022, 9:05 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL