Page MenuHomePhabricator
Create Task
Maniphest T389943

MediaWiki:Privacypage and MediaWiki:Disclaimerpage don't accept external links
Open, Needs TriagePublic
Actions

Description

I discovered this while making a patch for T389939.

Steps to replicate the issue (include links if applicable):

  • Create the page [[MediaWiki:Privacypage]] with the content https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Privacy_policy (or any other URL, doesn't really matter)
  • Press the "Privacy policy" link at the bottom left of your wiki

What happens?:
The link doesn't, as expected, go to https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Privacy_policy, but to a page on your wiki: https://localhost:8080/wiki/Https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Privacy_policy.

What should have happened instead?:
Like links in the sidebar, the footer links should accept both internal links (page names) and external links. It is not inconceivable that someone who runs a wiki (like, say, the Wikimedia Foundation) has their privacy policy on an off-wiki page somewhere.

Software version (on Special:Version page; skip for WMF-hosted wikis like Wikipedia):

Other information (browser name/version, screenshots, etc.):

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Introduce Special:InLanguagemediawiki/coremaster+344 -206
Enable external links in footer linksmediawiki/coremaster+34 -5
Customize query in gerrit

Related Objects
Search...

Event Timeline

jhsoby created this task.Mar 25 2025, 12:45 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 25 2025, 12:45 PM
jhsoby added a parent task: T389939: Wikimedia footer links that use Special:MyLanguage should also use `?uselang=`.Mar 25 2025, 12:46 PM
jhsoby edited projects, added MediaWiki-User-Interface; removed MediaWiki-General.Mar 25 2025, 12:48 PM
gerritbot added a comment.Mar 25 2025, 1:53 PM

Change #1131012 had a related patch set uploaded (by Jon Harald Søby; author: Jon Harald Søby):

[mediawiki/core@master] Enable external links in footer links

https://gerrit.wikimedia.org/r/1131012

gerritbot added a project: Patch-For-Review.Mar 25 2025, 1:53 PM
jhsoby changed the subtype of this task from "Bug Report" to "Task".Mar 25 2025, 1:58 PM
Pppery added a project: MediaWiki-Internationalization.Aug 8 2025, 4:43 PM
Bugreporter2 awarded a token.Oct 12 2025, 11:13 AM
Jdlrobson-WMF subscribed.Oct 17 2025, 11:11 PM

@jhsoby the code of conduct gets around this by providing https://en.wikipedia.org/wiki/MediaWiki:Wm-codeofconduct for the label and https://en.wikipedia.org/wiki/MediaWiki:Wm-codeofconduct-url for the URL.

https://en.wikipedia.org/wiki/MediaWiki:Privacypage is also an interwiki link foundation:Special:MyLanguage/Policy:Privacy policy. I understand T389939: Wikimedia footer links that use Special:MyLanguage should also use `?uselang=` exists but I feel like we can address that separately.

I think allowing an arbitary external URL (even with the security checks you've put in place) seems a bit risky to me and would prefer we create an optional -url suffixed message here if we can to avoid adding additional complexity to an already complex component.

Am I missing something that means this wouldn't work?

gerritbot added a comment.Nov 11 2025, 2:29 AM

Change #1203584 had a related patch set uploaded (by Jon Harald Søby; author: Jon Harald Søby):

[mediawiki/core@master] Introduce Special:PageInLanguage

https://gerrit.wikimedia.org/r/1203584

Jdlrobson-WMF added a project: Readers Essential Work 2025 (Legal footer).Thu, Jan 29, 4:45 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits