Page MenuHomePhabricator
Create Task
Maniphest T394492

MobileFrontend should not use raw HTML messages
Open, MediumPublic
Actions

Description

These seem to be the last remaining uses of raw HTML i18n messages in Wikimedia production:

  • mobile-frontend-editor-editing-page
  • mobile-frontend-editor-previewing-page
  • mobile-frontend-editor-summary
  • mobile-frontend-editor-summary-request
  • mobile-frontend-editor-wait

(codesearch)

Not exactly a security issue because they are listed in $wgRawHtmlMessages which makes them hard to edit, but we are trying to eliminate the attack vector entirely. At a glance it doesn't look like there's much reason for these to be raw HTML anyway.

Related Objects
Search...

Event Timeline

Tgr created this task.May 16 2025, 10:32 AM
Restricted Application added subscribers: jhsoby, Aklapper. · View Herald TranscriptMay 16 2025, 10:32 AM
Tgr mentioned this in T2212: Some MediaWiki: messages not safe in HTML (tracking).May 16 2025, 10:38 AM
A_smart_kitten added a parent task: T2212: Some MediaWiki: messages not safe in HTML (tracking).May 16 2025, 10:39 AM
bwang added a project: Web-Team.May 19 2025, 4:30 PM
Jdlrobson-WMF triaged this task as Medium priority.May 19 2025, 5:35 PM
Jdlrobson-WMF moved this task from Incoming to Freezer on the Web-Team board.
Jdlrobson-WMF subscribed.

Need to review these messages.

SomeRandomDeveloper subscribed.Aug 1 2025, 9:01 PM

mobile-frontend-editor-editing-page and mobile-frontend-editor-previewing-page could be parsed with jQueryMsg (mw.message(...).parse()), the other three don't appear to use any HTML/formatting. The only issue may be local wiki overwrites.

Jdlrobson-WMF edited projects, added Reader Growth Team; removed Web-Team.Aug 20 2025, 11:14 PM
Jdlrobson-WMF moved this task from Incoming/Inbox to Backlog on the Reader Growth Team board.Aug 28 2025, 2:53 PM
Jdlrobson-WMF moved this task from Untriaged to MobileFrontend (Editor) on the MobileFrontend board.Sep 10 2025, 10:44 PM
Jdlrobson-WMF edited projects, added MobileFrontend (MobileFrontend (Editor)); removed MobileFrontend.
Jdlrobson-WMF edited projects, added VisualEditor; removed Reader Growth Team.

This relates to the editor.

DLynch removed a project: VisualEditor.Sep 10 2025, 11:13 PM
DLynch subscribed.

This doesn't seem to have anything to do with the VisualEditor on mobile. All these messages are related to the non-2017 source editor that MobileFrontend implemented.

Jdlrobson-WMF moved this task from Backlog to Triaged on the MobileFrontend (MobileFrontend (Editor)) board.Oct 9 2025, 4:38 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits