As a MediaWiki power user, I expect that I can use safe mode (?safemode=1 in the URL, or user preference) to be protected from any potential malicious on-wiki content that’s under the control of the interface admins. However, raw HTML messages are currently not affected by safe mode, so they can still let an interface admin attack a user who is using safe mode. I propose that in safe mode we should try to make raw HTML messages safe, e.g. by running them through the sanitizer, or by not using the on-wiki messages at all (and falling back to the JSON files). This should probably be implemented in Message, checking whether the message key is in $wgRawHtmlMessages.
Steps to reproduce on your local wiki (preferably don’t try this out on any public wiki):
- In LocalSettings.php, set $wgRightsPage, $wgRightsUrl and/or $wgRightsText to nonempty strings, so that a copyright message will be shown
- Load a page with ?uselang=qqx to see which copyright message is being shown (default copyright, but may be e.g. wikimedia-copyright if WikimediaMessages is installed)
- Override that message in the MediaWiki namespace to include something like <span onmouseover="alert('hi!')">Hover me for an alert!</span>
- Load a page with ?safemode=1 and hover over that text in the copyright footer
Expected result: no effect. Actual result: alert is shown.
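One way the proposed check could look, as an added sketch that is not MediaWiki's own code: when the request is in safe mode and the message key is listed in $wgRawHtmlMessages, the on-wiki override in the MediaWiki namespace is ignored and the text comes from the bundled i18n JSON files instead. It assumes it runs inside MediaWiki (Message, IContextSource, UserOptionsLookup and $wgRawHtmlMessages are real), and that safe mode is signalled by the ?safemode=1 request parameter or the forcesafemode user preference; the two function names are my own.

```php
<?php
// Added sketch of the proposed safe-mode handling for raw HTML messages.
// Assumes it is loaded inside MediaWiki (Message, IContextSource,
// UserOptionsLookup and $wgRawHtmlMessages are core APIs); the two
// function names below are hypothetical, not core methods.

use MediaWiki\MediaWikiServices;

/**
 * True when the current request runs in safe mode, i.e. ?safemode=1 was
 * passed in the URL or the user has enabled the forcesafemode preference.
 */
function isSafeModeRequest( IContextSource $context ): bool {
	$optionsLookup = MediaWikiServices::getInstance()->getUserOptionsLookup();
	return $context->getRequest()->getBool( 'safemode' )
		|| $optionsLookup->getBoolOption( $context->getUser(), 'forcesafemode' );
}

/**
 * Fetch the text of a message, but never trust an interface admin's
 * on-wiki override of a raw HTML message while in safe mode.
 *
 * Raw HTML messages (e.g. the copyright footer) are emitted without
 * escaping, so an onmouseover= or similar attribute in MediaWiki:<key>
 * would run in the reader's browser. Disabling the database lookup makes
 * Message fall back to the text shipped in the i18n JSON files, which
 * interface admins cannot edit.
 */
function getMessageTextForSafeMode( IContextSource $context, string $key, array $params = [] ): string {
	global $wgRawHtmlMessages;

	$msg = $context->msg( $key, ...$params );

	if ( in_array( $key, $wgRawHtmlMessages, true ) && isSafeModeRequest( $context ) ) {
		// Ignore MediaWiki:<key>; use only the bundled JSON text.
		$msg->useDatabase( false );
	}

	// Raw HTML messages keep their current unescaped output path; in safe
	// mode that output now comes from a source the interface admin does
	// not control.
	return $msg->text();
}
```

Running the sanitizer over the on-wiki text instead of discarding it would be the alternative from the proposal above; the JSON fallback is the simpler of the two and needs no per-message allowlist.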