Page MenuHomePhabricator
Create Task
Maniphest T244788

Zotero puts raw JS/CSS code in reference template parameters / both citoid and zotero should validate fields to make sure this doesn't occur
Open, Needs TriagePublic
Actions

Description

On the English Wikipedia, using Citoid on https://www.milliyet.com.tr/gundem/canan-dagdeviren-kimdir-2392696 produces:

{{Cite web|url=https://www.milliyet.com.tr/gundem/canan-dagdeviren-kimdir-239269|title=Canan Dağdeviren kimdir?|last=QuarkPlayer|first=player-inline {display: inline-block;padding-bottom: 56 25%;position: relative;width: 100%;z-index: 5;} player-box {height: 100%;left: 0;position: absolute;top: 0;width: 100%;}$ ready{quarkPlayer = new|last2=bufferLength:5|website=Milliyet|language=tr|access-date=2020-02-10|last3=false|first3=autoPlay:|last4=false|first4=subTitles:|last5=true|first5=showAds:|last6=false|first6=showNotification:|last7=showB|last8=true|first8=widthSelector:|last9=false|first9=customMenu:}}

A new user tried to add this URL as a reference, and the edit was disallowed by Special:AbuseFilter/139 due to the position: absolute.

The $ ready{quarkPlayer = new stuff appears to be coming from a script tag on the page.

Event Timeline

MusikAnimal created this task.Feb 10 2020, 9:25 PM
Restricted Application added subscribers: Liuxinyu970226, Aklapper. · View Herald TranscriptFeb 10 2020, 9:25 PM
MusikAnimal updated the task description. (Show Details)Feb 10 2020, 9:30 PM
Mvolz renamed this task from Citoid puts raw JS/CSS code in reference template parameters to Zotero puts raw JS/CSS code in reference template parameters / both citoid and zotero should validate fields to make sure this doesn't occur.Feb 11 2020, 9:49 AM
Mvolz added a project: acl*security.
Restricted Application added a project: Security. · View Herald TranscriptFeb 11 2020, 9:49 AM
Mvolz moved this task from Backlog to Zotero on the Citoid board.Feb 11 2020, 12:35 PM
Mvolz subscribed.Feb 11 2020, 1:38 PM

Reported two places:
https://github.com/zotero/translation-server/issues/111
https://github.com/zotero/translators/issues/2117

Aklapper added a project: Upstream.Feb 12 2020, 1:11 AM
Aklapper moved this task from Backlog to Reported Upstream on the Upstream board.
chasemp removed a project: acl*security.Feb 20 2020, 8:05 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits