Page MenuHomePhabricator

Copy as wikitext functionality trusts the client and is tightly bound to the client output
Open, Needs TriagePublic


The "copy as wikitext" functionality that was added in T251361 relies on VisualEditor to convert the HTML from the client's browser into Wikitext for use on other wikis. This is problematic for two reasons:

  1. This mechanism trusts that the client's HTML is correct and is not malicious or contains sensitive information. For instance, if the user has a browser plugin that modifies the HTML for that user (and perhaps includes sensitive information) that information will be converted into Wikitext and the user may share it unknowingly.
  2. Likewise, trusting the HTML from the client means we are trusting that it is in a state that is expected. The code sanitizes the input on the client, but does not account for unknown gadgets, user scripts, or browser plugins that may modify the HTML input. This could result in bugs that are difficult to reproduce and may not even appear for that user (i.e. they may only appear for other users who see the wikitext later).

Normally in this instance it might be acceptable to trust the client, but since the output is deterministic (i.e. two users should be able to copy the same investigation and get the same wikitext) and intended to be shared it seems somewhat risky. In the case of VisualEditor, trusting the client's input is part of the intention of it's use and is being used for content the client themselves generated (not deterministic).

Proposed Solution
Use the PHP version of Parsoid that is included in MediaWiki core to convert the HTML that is generated on the server into Wikitext before sending everything to the client.

Alternatively, we could generate the Wikitext manually (on the server, or with the data from the client), but since Parsoid is available, it seems like the more sensible option to use it.

Event Timeline

@dbarratt I understand the concerns here but I am inclined to mark this task as low priority because we are introducing a brand new special page and I very much doubt there are (or will be anytime soon) any gadgets or plugins that modify the page. Given the time crunch we have right now we should focus on delivering the core features and in the future we can come back to this as a maintenance task.