Page MenuHomePhabricator

'addurl' does not catch urls entered in "<a href" tags
Closed, InvalidPublic

Description


Version: unspecified
Severity: major

Details

Reference
bz29094

Event Timeline

bzimport raised the priority of this task from to Unbreak Now!.Nov 21 2014, 11:26 PM
bzimport set Reference to bz29094.
bzimport added a subscriber: Unknown Object (MLST).
Duke33 created this task.May 22 2011, 6:13 PM

The confirmedit extension is not catching urls that are added to pages within html tags. If a user enters a url within an "<a" tag for example, the captcha will not trigger.

Bumping priority since this could invite abuse.

I cannot reproduce this (on enwikinews).

It doesn't look like wikinews' sanitizer allows "a" tags to be entered. The wiki on which this was found, does allow "a" tags. Is there a wikimedia foundation installation out there somewhere that would allow them, where we could test?

(In reply to comment #4)

It doesn't look like wikinews' sanitizer allows "a" tags to be entered. The
wiki on which this was found, does allow "a" tags. Is there a wikimedia
foundation installation out there somewhere that would allow them, where we
could test?

I thought you meant adding a <a> tag without it being interpreted.

I didn't think it was possible to configure mediawiki to allow <a> tags (Not counting if you enable $wgRawHtml, but if you have that on, and are worried about spam, you have _much_ bigger problems).

Can you describe exactly how the wiki in question is configured to allow <a> tags?

Note, guessing that your wiki is http://tmbw.net (based on your name), it looks as if most of the sanitizer code has been disabled, which has significant security implications...

As for the actual bug, since MediaWiki is not designed to allow <a> tags, I'm not sure if its a bug that the extension doesn't work with <a> tags.

brion added a comment.May 24 2011, 9:11 PM

Resolving INVALID -- the wiki being discussed appears to have disabled all of MediaWiki's security protections and is emitting unsanitized HTML. This allows cross-site scripting attacks of all sorts and is not something that MediaWiki allows, recommends, or supports.

Restricted Application added a subscriber: Florian. · View Herald TranscriptJan 28 2016, 6:04 PM