
WikiVoyage nearby articles map layer loads a JS file from toolforge
Open, High, Public

Description

On Wikivoyage, if you go to a page with a map, and click on the layers icon at the top right, and click "nearby articles" or click on the nearby articles icon in the top left, the JS will load and execute a script from toolforge (https://tools.wmflabs.org/wikivoyage/w/data/en-articles.js?_=1581320319100). The script is basically just data and maintained by Wikivoyage community members. (However, all the infrastructure around this script is part of the Maps extension, so it's not really a gadget.)

So beyond the normal complaint of something semi-prod depending on toolforge, it is really unfortunate that this is executing the script instead of just loading it as JSON data. At the very least could it be changed to be JSON, so that the people in control of the toolforge account can't arbitrarily inject JavaScript for anyone using this feature?
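
The change requested above, sketched as an added example that is not part of the original task or the Kartographer code: the file is fetched as text and parsed with `JSON.parse`, so a response containing JavaScript is rejected rather than executed. The entry fields (`title`, `lat`, `lon`) and the `loadNearbyArticles` helper are assumptions, since the task does not show the file's format.

```javascript
// Added example: field names (title, lat, lon) are assumptions, not the
// real layout of en-articles.js, which the task does not show.

// Parse the response body strictly as data. JSON.parse never executes
// code, so a body containing JavaScript is rejected instead of run.
function parseArticleData(text) {
  let data;
  try {
    data = JSON.parse(text);
  } catch (e) {
    throw new Error('nearby-articles payload is not valid JSON');
  }
  if (!Array.isArray(data)) {
    throw new Error('nearby-articles payload must be a JSON array');
  }
  // Copy only the expected fields, with type and range checks, so that
  // unexpected keys or non-primitive values never reach the map code.
  return data.map((entry, i) => {
    const ok = entry !== null && typeof entry === 'object' &&
      typeof entry.title === 'string' &&
      Number.isFinite(entry.lat) && Math.abs(entry.lat) <= 90 &&
      Number.isFinite(entry.lon) && Math.abs(entry.lon) <= 180;
    if (!ok) {
      throw new Error('invalid nearby-articles entry at index ' + i);
    }
    return { title: entry.title, lat: entry.lat, lon: entry.lon };
  });
}

// Hypothetical loader: fetch the file as text and hand it to the parser.
// The title must still be inserted into the page as text, not as HTML.
async function loadNearbyArticles(url) {
  const res = await fetch(url, { credentials: 'omit' });
  if (!res.ok) {
    throw new Error('nearby-articles request failed: ' + res.status);
  }
  return parseArticleData(await res.text());
}

// Constructed samples: the same record as JSON and as an executable script.
const SAMPLE_JSON = '[{"title":"Paris","lat":48.8567,"lon":2.3508,"extra":"x"}]';
const SAMPLE_SCRIPT = 'var articles = [{title:"Paris",lat:48.8567,lon:2.3508}];';

function rejects(text) {
  try { parseArticleData(text); return false; } catch (e) { return true; }
}
```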

Event Timeline

I should of course mention, the ideal case would be if this file was generated by the Maps (or some other extension) directly. If it's expensive to generate, maybe make it a cached querypage + an API to get it in the right format [Edit: That won't really work well to load all 23,000 entries at once. I don't know. Generate a static file with a cron script? Split it up so looking at nearby articles doesn't require loading 1.4mb all at once?].

sbassett added a project: Privacy Engineering.
sbassett moved this task from Incoming to Watching on the Security-Team board.
TheDJ moved this task from Unsorted to Wikivoyage on the Maps (Kartographer) board.
TheDJ added a subscriber: TheDJ.