Page MenuHomePhabricator
Create Task
Maniphest T394020

VisualEditor (Citoid) bypasses the Spamblacklist by specifying a port (e.g. 443)
Open, Needs TriagePublicBUG REPORT
Actions

Description

Steps to replicate the issue

  • blacklist an url, e.g. here
  • add the blacklisted source in VisualEditor (Citoid)
    image.png (259×453 px, 11 KB)

What happens?:

What should have happened instead?:

  • The edit should not be allowed: either the port should not be added, or the Spamblacklist should detect URLs with ports (possibly using an equivalence table).

Related Objects

Event Timeline

LD created this task.May 13 2025, 12:05 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 13 2025, 12:05 PM
LD updated the task description. (Show Details)May 13 2025, 12:07 PM
Alexisdepris added a comment.May 13 2025, 12:11 PM

Exemple : https://www.bfmtv.com:443/economie/replay-emissions/objectif-croissance/

Port 443 shouldn't be there, it's the port for the HTTPS protocol which isn't mandatory and shouldn't be there in principle.

The regex visible on the screen below should block the url encapsulated in it, but because of the port added automatically it completely breaks the mediawiki:spam-blacklist.

This means that the blacklist can be bypassed at any time, the only solution would be to blacklist the entire site, which is not desirable.

Alexisdepris added a comment.May 13 2025, 12:15 PM

What I've also noticed is that the famous port 443 is only added when a final ‘/’ is added at the end of the URL.

When the URL is added without the final ‘/’ the blacklist is triggered.

Ladsgroup subscribed.May 13 2025, 2:02 PM

You should use BlockedExternalDomains (e.g. https://fr.wikipedia.org/wiki/Sp%C3%A9cial:BlockedExternalDomains) which deconstructs links added making it immune to whole category of such issues.

DLynch subscribed.May 13 2025, 2:28 PM

I don't see the :443 being automatically added? If I put https://www.bfmtv.com/economie/replay-emissions/objectif-croissance/ into Citoid, it correctly warns me that it's blocked, rather than adjusting the URL and bypassing that:

CleanShot 2025-05-13 at 09.23.40@2x.png (734×836 px, 115 KB)

As such, it seems like more of a general SpamBlacklist issue -- since the same could be replicated in a pure wikitext edit.

@Ladsgroup mind you, this specific case of "I want to block one page on a given domain that's being used for spam" isn't supported by BlockedExternalDomains...

Alexisdepris added a comment.May 13 2025, 3:00 PM

@Ladsgroup

Using BlockExternalDomain is not a solution in this case.

If we were to add it, it would block Bfmtv completely and that's not desirable in this case. Here, we're blocking part of the site that has been deemed unreliable because it uses Brand Content.

Ladsgroup added a comment.May 13 2025, 3:40 PM

Then my bad. Sorry.

Framawiki subscribed.May 13 2025, 6:40 PM
Jules78120 subscribed.May 14 2025, 5:35 PM
Johannnes89 subscribed.Mar 5 2026, 3:06 PM
cscott mentioned this in T420043: Secure Link Filtering Functionality.Mar 13 2026, 6:58 PM
HakanIST subscribed.Apr 10 2026, 8:12 PM

The regex in SpamBlacklist::getRegexStart() is missing an optional port group. Adding (?::\d+)? after [a-z0-9_\-.]* should fix this.

ppelberg subscribed.Apr 11 2026, 10:55 PM
Mvolz moved this task from Backlog to Extension on the Citoid board.Apr 15 2026, 12:04 PM
Mvolz added a project: VisualEditor-MediaWiki-References.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits