Page MenuHomePhabricator
Create Task
Maniphest T250313

Wikilabels does not show the exact wikitext on diff: it parses <ref>s as HTML
Closed, ResolvedPublicSecurity
Actions

Description

When the edit
https://pt.wikipedia.org/w/index.php?diff=45776266
appeared for review at
https://labels.wmflabs.org/ui/ptwiki/
the diff displayed a paragraph like this:

O 13 voltouO 13 voltou, ''[http://espn.uol.com.br/noticia/585508_apos-cuidar-da-saude-do-pai-filho-de-zagallo-retorna-para-virar-tecnico-o-13-voltou]'', ESPN, 17 de março de 2016

However, as you can see at
https://pt.wikipedia.org/w/index.php?title=Paulo_Zagallo&action=edit&oldid=45776266
the actual wikitext for this paragraph is

O 13 voltou<ref>O 13 voltou, ''[http://espn.uol.com.br/noticia/585508_apos-cuidar-da-saude-do-pai-filho-de-zagallo-retorna-para-virar-tecnico-o-13-voltou]'', ESPN, 17 de março de 2016</ref>

I believe it should keep the <ref> tag, but it seems to be parsing it as HTML, which results in it not being visible in the Browser (but it is present in the source HTML, when I inspect it).

This seems to be a source for XSS, since if the page was created with the content

<script>alert('test');</script>

(or some malicious script), the JavaScript code would likely be executed (if not, feel free to remove the security tags from this report).

Event Timeline

He7d3r created this task.Apr 15 2020, 7:23 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 15 2020, 7:23 PM
Reedy added projects: Wikilabels, Machine-Learning-Team.Apr 15 2020, 7:33 PM
He7d3r added a comment.EditedApr 15 2020, 7:35 PM

I believe the relevant code is this:
https://github.com/wikimedia/wikilabels/blob/f2d9d28b5a20211a2ae1bcf3fa79fc1bdd9e84c4/wikilabels/wsgi/static/js/wikiLabels/api.js#L136-L160
The revision content is passed directly to the function below:

API.creationDiff = function ( content ) {
  return '<tr>\n' +
      '<td colspan="2" class="diff-lineno">Line 1:</td>\n' +
      '<td colspan="2" class="diff-lineno">Line 1:</td>\n' +
    '</tr>\n' +
    '<tr>\n' +
      '<td colspan="2" class="diff-empty">&#160;</td>\n' +
      '<td class="diff-marker">+</td>\n' +
      '<td class="diff-addedline"><div>' + content + '</div></td>' +
    '</tr>';
};

and this may cause it to be parsed as HTML.

Halfak added a comment.Apr 15 2020, 8:08 PM

https://github.com/wikimedia/wikilabels/pull/262

He7d3r updated the task description. (Show Details)Apr 15 2020, 9:00 PM
Halfak closed this task as Resolved.Apr 15 2020, 9:21 PM
Halfak claimed this task.
Halfak edited projects, added Machine-Learning-Team (Active Tasks); removed Machine-Learning-Team.
Halfak moved this task from Parked to Completed on the Machine-Learning-Team (Active Tasks) board.
sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.Apr 17 2020, 2:04 AM
sbassett subscribed.

@Halfak @He7d3r - anything left to be done before making this task public?

Halfak added a comment.Apr 17 2020, 2:34 PM

Yup it can be made public.

sbassett triaged this task as Medium priority.Apr 20 2020, 2:02 AM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL