Page MenuHomePhabricator
Create Task
Maniphest T395291

Checkuser: Double quotation marks in user names break the summary table
Closed, DuplicatePublicBUG REPORT
Actions

Description

Steps to replicate the issue (include links if applicable):

  • Check a the IP actions associated with a user with the name Foo "Bar" Baz in Special:Checkuser

What happens?:
The summary table displays the left most column as Foo and links to [[Special:Contributions/Foo]]. It affects the copy-paste version as well.

What should have happened instead?:
The summary table displays the left most column as Foo "Bar" Baz and links to [[Special:Contributions/Foo "Bar" Baz]].

Software version (on Special:Version page; skip for WMF-hosted wikis like Wikipedia):

Other information (browser name/version, screenshots, etc.):

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
checkuser: Escape special chars from usernames used as a data atributemediawiki/extensions/CheckUsermaster+1 -1
Customize query in gerrit

Related Objects

Event Timeline

Izno created this task.May 27 2025, 12:46 AM
Restricted Application added a project: Trust and Safety Product Team. · View Herald TranscriptMay 27 2025, 12:46 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Izno updated the task description. (Show Details)May 27 2025, 12:46 AM
Dreamy_Jazz added a project: Trust and Safety Product Sprint (Sprint Carrot Cake (May 26 - June 13)).May 27 2025, 3:02 PM
hector.arroyo subscribed.May 28 2025, 8:09 AM
hector.arroyo changed the task status from Open to In Progress.May 28 2025, 2:45 PM
hector.arroyo claimed this task.
hector.arroyo moved this task from Priority Backlog to In Progress on the Trust and Safety Product Sprint (Sprint Carrot Cake (May 26 - June 13)) board.
gerritbot added a comment.May 28 2025, 4:45 PM

Change #1151752 had a related patch set uploaded (by Harroyo-wmf; author: Harroyo-wmf):

[mediawiki/extensions/CheckUser@master] checkuser: Escape special chars from usernames used as a data atribute

https://gerrit.wikimedia.org/r/1151752

gerritbot added a project: Patch-For-Review.May 28 2025, 4:45 PM
Dreamy_Jazz mentioned this in T394693: CVE-2025-53479: Special:CheckUser has i18n XSS vectors.May 28 2025, 6:03 PM
gerritbot added a comment.May 28 2025, 9:42 PM

Change #1151752 abandoned by Dreamy Jazz:

[mediawiki/extensions/CheckUser@master] checkuser: Escape special chars from usernames used as a data atribute

Reason:

Done through 9762a58f5e604a9a050d640cd0b8ea9bec3afbe8

https://gerrit.wikimedia.org/r/1151752

Dreamy_Jazz subscribed.May 28 2025, 9:45 PM

After the merge of the security patch 9762a58f5e604a9a050d640cd0b8ea9bec3afbe8, I'm not able to reproduce this bug anymore (shown below). @Izno can you see if this still occurs for you?

image.png (180×957 px, 15 KB)

Izno closed this task as a duplicate of T394693: CVE-2025-53479: Special:CheckUser has i18n XSS vectors.May 28 2025, 9:46 PM
Izno added a comment.May 28 2025, 9:49 PM

I don't have a dev set up of any sort. I can look whenever this is live since it looks like the patches weren't backported, since I found this via an actual case onwiki.

Dreamy_Jazz added a comment.May 28 2025, 9:51 PM
In T395291#10866014, @Izno wrote:

I don't have a dev set up of any sort. I can look whenever this is live since it looks like the patches weren't backported, since I found this via an actual case onwiki.

They should have been per T394693#10837273 as of May 19.

Izno reopened this task as Open.EditedMay 28 2025, 10:03 PM

Then no, I just checked and this isn't resolved. This log entry is the relevant one if you have one or another relevant scripts to jump to that one (21:48, 28 May 2025 UTC)

Maintenance_bot removed a project: Patch-For-Review.May 28 2025, 10:30 PM
Dreamy_Jazz added a comment.May 28 2025, 11:24 PM
In T395291#10866068, @Izno wrote:

Then no, I just checked and this isn't resolved. This log entry is the relevant one if you have one or another relevant scripts to jump to that one (21:48, 28 May 2025 UTC)

Can you check this again? I think I've fixed the issue with this not applying to production and have tested that the example you gave now works again.

Izno closed this task as Resolved.May 28 2025, 11:47 PM

Looks good now.

Dreamy_Jazz closed this task as a duplicate of T394693: CVE-2025-53479: Special:CheckUser has i18n XSS vectors.May 28 2025, 11:53 PM
hector.arroyo moved this task from In Progress to Done on the Trust and Safety Product Sprint (Sprint Carrot Cake (May 26 - June 13)) board.May 29 2025, 9:51 AM
hector.arroyo moved this task from Inbox to Engineering on the Trust and Safety Product Team board.May 30 2025, 9:13 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits