
Some MediaWiki: messages not safe in HTML (tracking)
Closed, Resolved (Public)

Description

Many MediaWiki: messages are still used as raw HTML output. Strict XML parsing by user agents would make it very difficult for a sysop modifying them through the wiki to recover from an error which creates invalid output -- the entire wiki interface can be broken.

Messages should be converted to either plaintext (via htmlspecialchars()) or wikitext which will go through normalization. (This is an ongoing effort.)

Details

Reference
bz212

Related Objects

Status      Subtype    Assigned          Task
Resolved               None
Resolved               None
Resolved               None
Declined               None
Resolved               None
Resolved               hashar
Invalid                None
Resolved               Amire80
Resolved               None
Invalid                None
Resolved               Mattflaschen-WMF
Resolved               matmarex
Declined               None
Duplicate              None
Resolved               MtDu
Duplicate              None
Resolved               Devirk
Invalid                None
Resolved               matmarex
Resolved               matmarex
Resolved    Security   sbassett
Resolved    Security   Grunny
Resolved    Security   Grunny
Resolved    Security   sbassett
Resolved    Security   sbassett
Resolved    Security   sbassett
Resolved    Security   sbassett
Resolved    Security   sbassett
Resolved    Security   sbassett
Resolved    Security   Umherirrender
Resolved               jhsoby
Resolved               matmarex
Resolved               matmarex
Open                   None

Event Timeline


@Nemo_bis: If an end ("task resolved") can ever be clearly defined: epic. If not: tracking. I think the latter.

TTO renamed this task from "Many MediaWiki: messages not safe in HTML (tracking)" to "Some MediaWiki: messages not safe in HTML (tracking)". Sep 8 2015, 7:02 AM
TTO updated the task description.
TTO subscribed.

Changed title from "Many" to "Some". A quick unscientific audit (prepending some inline JS to each message string in en.json) hasn't found many raw HTML messages at all. There are probably very few raw HTML messages remaining, I'll file tasks for any I come across and mark them "easy".
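The quick audit TTO describes (prepend a marker to every message in en.json, then see which markers come out of the rendered wiki unescaped), written out as an added Python tool; this is example code, not anything from the task or from MediaWiki itself. It assumes en.json is MediaWiki's flat `{"@metadata": {...}, "key": "text"}` layout, and it uses a harmless made-up tag as the marker rather than inline JS, since the marker only needs to be found by string search.

```python
import json
import re

# Made-up tag name (assumption): neither htmlspecialchars() nor the wikitext
# sanitizer passes an unknown tag through, so it survives as a real tag only
# where a message is emitted as raw HTML.
MARKER_TAG = "rawhtmlaudit"
RAW_RE = re.compile(rf"<{MARKER_TAG}>([^<]+)</{MARKER_TAG}>")
ESCAPED_RE = re.compile(rf"&lt;{MARKER_TAG}&gt;([^&]+)&lt;/{MARKER_TAG}&gt;")


def instrument_messages(en_json_text: str) -> str:
    """Prepend '<rawhtmlaudit>key</rawhtmlaudit>' to every message in an
    en.json document; the @metadata block is left untouched."""
    data = json.loads(en_json_text)
    for key, value in data.items():
        if key == "@metadata" or not isinstance(value, str):
            continue
        data[key] = f"<{MARKER_TAG}>{key}</{MARKER_TAG}>{value}"
    return json.dumps(data, ensure_ascii=False, indent="\t")  # i18n files are tab-indented


def classify_rendered_page(html: str) -> dict:
    """Split the message keys seen in a rendered page into 'raw_html' (marker
    still a tag: message needs converting) and 'escaped' (marker neutralised)."""
    return {
        "raw_html": sorted(set(RAW_RE.findall(html))),
        "escaped": sorted(set(ESCAPED_RE.findall(html))),
    }


# Constructed sample input, not real MediaWiki files or output.
SAMPLE_EN_JSON = json.dumps({
    "@metadata": {"authors": ["example"]},
    "example-greeting": "Welcome, $1!",
    "example-footer": "Footer text",
})
SAMPLE_RENDERED_HTML = (
    '<div class="greeting"><rawhtmlaudit>example-greeting</rawhtmlaudit>'
    "Welcome, Alice!</div>\n"
    '<div class="footer">&lt;rawhtmlaudit&gt;example-footer&lt;/rawhtmlaudit&gt;'
    "Footer text</div>\n"
)


def audit_sample() -> dict:
    """Classify the constructed page; 'raw_html' lists the messages to fix."""
    return classify_rendered_page(SAMPLE_RENDERED_HTML)
```

Run it against a throwaway wiki only: instrumenting every message also touches the ones used outside HTML (page titles, JS strings), so expect some cosmetic breakage while the audit runs.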

T85864 found hundreds just on the extensions enabled at translatewiki.net. There are probably hundreds more.

> T85864 found hundreds just on the extensions enabled at translatewiki.net. There are probably hundreds more.

This is a core task, my comment was referring to core only. My apologies for any confusion.

Tgr added a subtask: Restricted Task. Mar 19 2018, 6:50 AM

Dear author @brion, it's preferred to (request to) create tasks instead of opening tracking tasks, which are nowadays nonsense under any circumstances.

Should we convert this decade-old tracking task to a project? Or just archive this task?

One message containing raw html is "MediaWiki:Mobile-frontend-editor-anonwarning". After a discussion on svwiki, I changed the wording of that message locally, i.e. on svwiki and not as a general change on Translatewiki, and while I was at it, I replaced the html with wikitext. It turns out that message is still not possible to edit for others than interface admins. Is that expected behaviour? If so, what have I missed?

> One message containing raw html is "MediaWiki:Mobile-frontend-editor-anonwarning". After a discussion on svwiki, I changed the wording of that message locally, i.e. on svwiki and not as a general change on Translatewiki, and while I was at it, I replaced the html with wikitext.

It's not necessary, but not bad either. You were able to edit it because you're an interface admin on svwiki, and that's why you couldn't edit it on translatewiki.

> It turns out that message is still not possible to edit for others than interface admins. Is that expected behaviour? If so, what have I missed?

Yes, and that's why it's not necessary to change them. They are already sort of protected, since very few users can edit them.

There is apparently some conflicting info about this, but that could of course be due to not yet updated pages. So it's correct to say that no system message can be edited locally by others than interface admins?

> There is apparently some conflicting info about this, but that could of course be due to not yet updated pages. So it's correct to say that no system message can be edited locally by others than interface admins?

Not all of them. A subset of them. Take the MediaWiki:Mobile-frontend-editor-anonwarning that you mentioned: normal admins cannot edit it, but they can edit MediaWiki:Mobile-frontend-home-button, because the former has extra checks that make sure only interface admins can edit it.

So, how do I see which system messages can be edited by all admins?

> So, how do I see which system messages can be edited by all admins?

The ones not editable by normal admins are the exception rather than the rule. So you should consider all messages as editable by all admins until you encounter the few non-editable ones. There's no way to know this info from the UI, but you may know when you attempt to edit them without the required permissions.

You may however look them up in the source. The affected messages in core are listed here. Extensions append their own to the array.

matmarex subscribed.

There are no more messages in MediaWiki known to be used as raw HTML output. If you discover one, please file a security bug.

This public tracking task was filed in 2004, but since 2018 or so problems of this kind have been treated as security issues, and previously fixed ones can be found under the Vuln-XSS tag (commonly called "i18n XSS" in MediaWiki land).

matmarex closed subtask Restricted Task as Declined. May 15 2025, 12:06 AM

Apparently you cannot add more subtasks to this task (T394493: Too many relationships of type "task.has-subtask") so I'll just link to the last remaining issue instead: T394492: MobileFrontend should not use raw HTML messages

> since 2018 or so problems of this kind have been treated as security issues, and previously fixed ones can be found under the Vuln-XSS tag (commonly called "i18n XSS" in MediaWiki land).

AFAIK we only treated them as vulnerabilities if the message wasn't listed in $wgRawHtmlMessages.