Page MenuHomePhabricator
Create Task
Maniphest T244691

WikiVoyage nearby articles map layer loads a JS file from toolforge
Closed, InvalidPublic
Actions

Description

On wikivoyage, if you go to a page with a map, and click on layers icon top right, and click "nearby articles" or click on the nearby articles icon in top left, the js will load and execute a script from toolforge (https://tools.wmflabs.org/wikivoyage/w/data/en-articles.js?_=1581320319100 ). The script is basically just data and maintained by wikivoyage community members. (However all the infrastructure around this script is part of the Maps extension, so its not really a gadget)

So beyond the normal complaint of something semi-prod depending on toolforge, it is really unfortunate that this is executing the script instead of just loading it as json data. At the very least could it be changed to be json, so that the people in control of the toolforge account can't arbitrary inject javascript for anyone using this feature?

Related Objects
Search...

Event Timeline

Bawolff created this task.Feb 10 2020, 7:58 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 10 2020, 7:58 AM
Bawolff updated the task description. (Show Details)Feb 10 2020, 8:01 AM
Bawolff added a comment.EditedFeb 10 2020, 8:07 AM

I should of course mention, the ideal case would be if this file was generated by the Maps (or some other extension) directly. If its expensive to generate, maybe make it a cached querypage + an api to get it in the right format [Edit: That won't really work well to load all 23,000 entries at once. I don't know. Generate a static file with a cron script? Split it up so looking at nearby articles doesn't require loading 1.4mb all at once?].

DannyS712 subscribed.Feb 10 2020, 9:18 AM
Masumrezarock100 subscribed.Feb 10 2020, 11:41 AM
sbassett triaged this task as High priority.Feb 10 2020, 4:37 PM
sbassett added a project: Privacy Engineering.
sbassett moved this task from Incoming to Watching on the Security-Team board.
Bawolff added a comment.EditedFeb 10 2020, 8:50 PM

Potentially, it could just use the MW api https://en.wikivoyage.org/w/api.php?action=query&generator=geosearch&ggsradius=20000&ggscoord=37.786971|-122.399677&prop=pageimages|coordinates&ggslimit=max&pilimit=max&colimit=max but the max size of gsradius might be prohibitive.

chasemp added a project: Security.Feb 10 2020, 10:53 PM
Bawolff mentioned this in T239077: Define policy aspects of CSP on wiki.Feb 17 2020, 10:39 AM
chasemp removed a project: acl*security.Feb 20 2020, 8:05 PM
The_RedBurn moved this task from All map-related tasks to Tracking on the Maps board.Mar 4 2020, 7:12 PM
The_RedBurn moved this task from Tracking to All map-related tasks on the Maps board.
JFishback_WMF moved this task from Incoming to Backlog on the Privacy Engineering board.Mar 10 2020, 1:11 AM
TheDJ edited projects, added Maps (Kartographer); removed Maps.Mar 10 2020, 12:40 PM
TheDJ moved this task from Unsorted to Wikivoyage on the Maps (Kartographer) board.
TheDJ subscribed.
TheDJ mentioned this in T190069: Low performance for the display of map push-pin markers.Mar 10 2020, 12:50 PM
RolandUnger subscribed.Mar 10 2020, 1:28 PM
RolandUnger added a comment.Mar 10 2020, 1:33 PM

See also https://meta.wikimedia.org/wiki/Community_Wishlist_Survey_2020/Wikivoyage/Permanent_update_of_Wikivoyage_nearby-articles_data_files_necessary .

JFishback_WMF moved this task from Intake to Backlog on the Privacy board.Mar 12 2020, 1:07 AM
TheDJ added a parent task: T194088: Wikivoyage should provide non external Nearby articles.Mar 25 2020, 12:50 PM
TheDJ added a subtask: T247600: Create a leaflet geosearch module and publish it.
Krinkle mentioned this in T208197: ContentTranslation relies on recommendation-api running on Cloud VPS.May 14 2020, 1:37 AM
sbassett edited projects, added SecTeam-Processed; removed Security-Team.Oct 13 2021, 7:43 PM
TheDJ mentioned this in T90645: A better Nearby for Wikivoyage.Jan 16 2022, 3:30 PM
awight subscribed.Apr 14 2022, 9:41 AM
TheDJ mentioned this in T332785: Remove custom old nearby functionality for Wikivoyage from Kartographer.Mar 22 2023, 2:31 PM
WMDE-Fisch closed this task as Invalid.Feb 26 2024, 1:15 PM
WMDE-Fisch subscribed.

The special WikiVoyage nearby feature got deprecated and the code removed T332785: Remove custom old nearby functionality for Wikivoyage from Kartographer. So this ticket should be invalid now.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits