Page MenuHomePhabricator
Create Task
Maniphest T396486

Application Security Review Request: Wikifunctions rich text (HTML) output
Closed, ResolvedPublic
Actions

Description

Project Information

Description of the tool/project:
Wikifunctions allows user-written Functions to be embedded in pages through a wikitext parser function, and thus provide static content. This is currently limited to plain text (outputting a LiteralStringPFragment to Parsoid).

Description of how the tool will be used at WMF:
We wish to extend this feature to also be able to output HTML (outputting an HtmlPFragment to Parsoid). The content will only be used as HTML after passing through MediaWiki's Sanitizer.php (and thus Remex).

Dependencies

List dependencies, or upstream projects that this project relies on.

  • Parsoid
  • MediaWiki Sanitizer
  • Remex

Has this project been reviewed before?

Please link to tasks or wiki pages of previous reviews.

Working test environment

Please link or describe setup process for setting up a test environment.

Post-deployment

Name of team responsible for tool/project after deployment and primary contact.

Related Objects
Search...

Event Timeline

Jdforrester-WMF created this task.Jun 10 2025, 2:21 PM
sbassett moved this task from Incoming to Upcoming Quarter Planning Queue on the secscrum board.Jun 10 2025, 4:41 PM
Jdforrester-WMF moved this task from To Triage to Product Backlog on the Abstract Wikipedia team board.Jun 11 2025, 3:36 PM
DSantamaria moved this task from Product Backlog to 26Q1 (Jul–Sep) on the Abstract Wikipedia team board.Jun 19 2025, 8:15 AM
DSantamaria edited projects, added Abstract Wikipedia team (26Q1 (Jul–Sep)); removed Abstract Wikipedia team.
Jdforrester-WMF added a parent task: T397402: If we enable Wikifunctions to output HTML tables, styling, and links, we will demonstrate through a Function that displays a conjugation table its capability for generating net new knowledge on Wiktionaries beyond simple conversions..Jul 8 2025, 1:33 PM
Jdforrester-WMF moved this task from Incoming to Ready on the Abstract Wikipedia team (26Q1 (Jul–Sep)) board.Jul 8 2025, 1:39 PM
sbassett changed the task status from Open to In Progress.Jul 8 2025, 3:22 PM
sbassett claimed this task.
sbassett triaged this task as Medium priority.
sbassett moved this task from Upcoming Quarter Planning Queue to In Progress on the secscrum board.
sbassett added a project: user-sbassett.
sbassett moved this task from Backlog to In Progress on the user-sbassett board.
DSantamaria moved this task from Ready to In Engineering on the Abstract Wikipedia team (26Q1 (Jul–Sep)) board.Jul 8 2025, 4:23 PM
Jdforrester-WMF added a project: OKR-Work.Jul 10 2025, 4:09 PM
ldelench_wmf subscribed.Jul 18 2025, 6:13 PM
sbassett added a comment.Aug 12 2025, 3:56 PM

Hey all - just wanted to check in and see how the relevant code was progressing here. Thanks.

Jdforrester-WMF added a comment.Aug 25 2025, 5:50 PM
In T396486#11078876, @sbassett wrote:

Hey all - just wanted to check in and see how the relevant code was progressing here. Thanks.

Hi Scott, sorry for the delay. The relevant code (T398987) is just landing now. I've added some very simple top-level instructions to the extension's README, but Geno has a more detailed document for using and testing the system.

sbassett added a comment.Aug 26 2025, 2:02 PM
In T396486#11116202, @Jdforrester-WMF wrote:

Hi Scott, sorry for the delay. The relevant code (T398987) is just landing now. I've added some very simple top-level instructions to the extension's README, but Geno has a more detailed document for using and testing the system.

Ok, thanks. I'll probably start looking at this later this week or early next week.

EMill-WMF subscribed.Sep 12 2025, 3:39 AM
sbassett added a comment.EditedOct 3 2025, 10:34 PM

Update: I am giving this an initial risk rating of low as WikifunctionsPFragmentSanitiserTokenHandler.php looks perfectly reasonable to me on its face. I do want to spend a little more time trying to break it, but I'm fairly certain I won't find any serious issues.

sbassett moved this task from In Progress to Waiting on the secscrum board.Oct 7 2025, 3:44 PM
Jdforrester-WMF edited projects, added Abstract Wikipedia team (26Q2 (Oct–Dec)); removed Abstract Wikipedia team (26Q1 (Jul–Sep)).Oct 9 2025, 3:18 PM
Jdforrester-WMF moved this task from Incoming to In Code review on the Abstract Wikipedia team (26Q2 (Oct–Dec)) board.Oct 16 2025, 2:07 PM
sbassett closed this task as Resolved.Oct 17 2025, 3:19 PM
sbassett moved this task from Waiting to Our Part Is Done on the secscrum board.
sbassett moved this task from In Progress to Done on the user-sbassett board.
Jdforrester-WMF reopened this task as In Progress.Nov 20 2025, 5:26 PM
Jdforrester-WMF moved this task from In Code review to Needs Sign-off on the Abstract Wikipedia team (26Q2 (Oct–Dec)) board.
Jdforrester-WMF closed this task as Resolved.Dec 2 2025, 4:06 PM

Sorry, the trigger re-opened this automatically when moving the task. Have removed the trigger.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits