
Preload params don't work for non-wikitext content models
Closed, Duplicate · Public

Description

As explained in the title

Steps to reproduce:
Add $1 to Meta:Sandbox
(as someone with the ability to edit js/json/css in user subpages, or as DannyS712) visit

Expected result:
Preloaded content replaces $1 with foo for all preloads

Actual result:
Only replaced for the wikipage title, all others preload with raw $1
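The behaviour reported above, modelled as an added Python example (not MediaWiki's own code): preload placeholders `$1`, `$2`, … are substituted from `preloadparams` only when the target page's content model is wikitext; for JavaScript, CSS, JSON or Scribunto (Lua module) pages the preloaded text is returned unchanged, which is why the sandbox `$1` only becomes `foo` for the wikitext title. The content-model names follow MediaWiki's constants; the sample template text and parameters are constructed.

```python
import re
from typing import Sequence

# Content-model identifiers as MediaWiki names them.
CONTENT_MODEL_WIKITEXT = "wikitext"
CONTENT_MODEL_JAVASCRIPT = "javascript"
CONTENT_MODEL_CSS = "css"
CONTENT_MODEL_JSON = "json"
CONTENT_MODEL_SCRIBUNTO = "Scribunto"

# $1, $2, ... placeholders in the preloaded page text.
_PLACEHOLDER = re.compile(r"\$(\d+)")


def apply_preload_params(text: str, params: Sequence[str], content_model: str) -> str:
    """Return the preload text with $N replaced by params[N-1].

    The substitution is gated on the target page's content model: only
    wikitext pages get their placeholders filled. For any other model the
    raw text is returned, so a value supplied in the edit URL can never be
    spliced into a script, stylesheet, JSON or Lua page before it is saved.
    """
    if content_model != CONTENT_MODEL_WIKITEXT:
        return text

    def substitute(match: "re.Match[str]") -> str:
        index = int(match.group(1)) - 1  # $1 is the first parameter
        if 0 <= index < len(params):
            return params[index]
        return match.group(0)  # placeholder without a value is left as-is

    return _PLACEHOLDER.sub(substitute, text)


def reproduce_report(sandbox_text: str = "$1", params: Sequence[str] = ("foo",)) -> dict:
    """Run the task's reproduction: the same preload against several content models."""
    targets = {
        "Meta:Sandbox/wikitext page": CONTENT_MODEL_WIKITEXT,
        "User:Example/common.js": CONTENT_MODEL_JAVASCRIPT,
        "User:Example/common.css": CONTENT_MODEL_CSS,
        "User:Example/data.json": CONTENT_MODEL_JSON,
        "Module:Example": CONTENT_MODEL_SCRIBUNTO,
    }
    return {title: apply_preload_params(sandbox_text, params, model)
            for title, model in targets.items()}


if __name__ == "__main__":
    for title, result in reproduce_report().items():
        print(f"{title:30} -> {result!r}")
```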

Event Timeline

Restricted Application added a subscriber: Aklapper.
Bharatkhatri351 subscribed.

I understand the problem and want to fix it... please assign me... and help me to clone and fix this task. I am a newbie using Phabricator.

Ammarpad subscribed.

This is now intentionally and explicitly allowed only in the wikitext content model for security reasons, cf. r26087d4. Whether it worked before or never did, there's no point in keeping this open.

This is now intentionally and explicitly allowed only in the wikitext content model for security reasons, cf. r26087d4. Whether it worked before or never did, there's no point in keeping this open.

I can see that preload= was potentially dangerous in .js and .css pages in the User namespace, but that commit has disabled it in all non-wikitext pages, which breaks legitimate uses of preload= in the Module namespace. On English Wiktionary, Template:zh-dial displays dialectal synonyms of a Chinese word that are loaded from a data module. When the data module doesn't exist, it links to the data module with preload=Module:zh/data/dial-syn to load a template containing the full list of Chinese dialect codes: Module:zh/data/dial-syn. As of a few days ago, the link from the template no longer loads the data module template as it used to.

The author and reviewers of the commit apparently didn't look for legitimate use-cases before disabling preload= in non-wikitext pages. They should perhaps only have disabled preload= in the User namespace (perhaps also MediaWiki?) in JavaScript and CSS (and JSON?) pages, where the security concerns apply. From my perspective, the change landed without notice (at least I didn't see any in Tech News), and broke a feature of a template that editors of Chinese entries regularly use.

I'm inclined to start a ticket to enable preload= in the Module namespace, where it is definitely useful and was being used before the commit. (It might be fine to enable it in some other non-wikitext pages, like sanitized CSS and non-User-namespace JavaScript and CSS and JSON pages, but I don't know of any uses for preloading there.) In the meantime I can write some JavaScript to make Template:zh-dial work as intended.

The author and reviewers of the commit apparently didn't look for legitimate use-cases […]

Being an active Wikipedia volunteer since 2004 I can assure you, I did.

They should perhaps only have disabled preload= in the User namespace (perhaps also MediaWiki?) […]

Yea, see? Can you guarantee these are the only combinations that can cause security issues?

When the data module doesn't exist, it links to the data module with preload=Module:zh/data/dial-syn […]

… which injects arbitrary code, which can potentially be a security issue.

Maybe I misunderstand the use-case. How is it intended to work? How often does it happen? When I look at https://en.wiktionary.org/wiki/Special:RecentChangesLinked/Module:zh/data/dial-syn there was not a single sub-page created the past 30 days.

I see I forgot to include it here - my original use case was likely https://meta.wikimedia.org/wiki/User:DannyS712/ScriptBuilder.js - once the text of a user script is generated, it should be possible to click to preload that as the contents of the script page, instead of needing to copy and paste manually

The author and reviewers of the commit apparently didn't look for legitimate use-cases […]

Being an active Wikipedia volunteer since 2004 I can assure you, I did.

Sorry. I was annoyed and I hadn't seen the Phabricator task where the commit was introduced. At least the commit didn't mention the uses on English Wiktionary.

When the data module doesn't exist, it links to the data module with preload=Module:zh/data/dial-syn […]

… which injects arbitrary code, which can potentially be a security issue.

Well, perhaps, but the conditions for code injection are more stringent than with some user JS and CSS pages, and the results are less dangerous. A module has to be invoked with {{#invoke:}} or required with require "Module:name". Code preloaded in a module page and then saved could be executed if a page somewhere had {{#invoke:newly created module|any function name}} or a module had require "Module:newly created module" in it. So it's dependent on other pages invoking or requiring the module you just created. That's fairly unlikely because invoking a nonexistent module results in a module error, and requiring does if you don't wrap the requiring in pcall or xpcall. Generally on Wiktionary we clean up module errors outside of User and User talk namespaces quickly, so there would not be many pages invoking or requiring the newly created module. And module code can only generate wikitext. Some malicious things that I can think of for a module to do would be generating nonsense text, drastically changing the interpretation of wikitext around the module invocation, or causing module errors.

Whereas JavaScript entered in a not-yet-created Special:MyPage/common.js will execute immediately after you save, or even if you just click Preview. And JavaScript can do a lot more than create wikitext.

Maybe I misunderstand the use-case. How is it intended to work? How often does it happen? When I look at https://en.wiktionary.org/wiki/Special:RecentChangesLinked/Module:zh/data/dial-syn there was not a single sub-page created the past 30 days.

I'm not sure why you're not seeing them in Special:RecentChangesLinked (I'm seeing edits at least), but this database query shows the latest created Chinese dialectal synonym modules, which would have been created using the Create the data page link that is displayed by {{zh-dial|Chinese word without a Module:zh/data/dial-syn submodule}}. The most recent is from today.

When the data module doesn't exist, it links to the data module with preload=Module:zh/data/dial-syn […]

… which injects arbitrary code, which can potentially be a security issue.

I don't believe running arbitrary Lua code is a security issue in any context because it's sandboxed. The system is intentionally designed to be resilient/resistant to malicious Lua code.