Page MenuHomePhabricator
Create Task
Maniphest T401987

Consider deprecating/removing the xslt option from the action api
Closed, ResolvedPublic
Actions

Description

The api has an xslt option to append a stylesheet.

I suspect i am the only one who ever used it (i made a script once where if you double clicked a word it would open wiktionary api in an iframe with xslt to show a pretty version of the word https://en.wiktionary.org/w/api.php?action=parse&format=xml&xslt=MediaWiki%3AextractFirst.xsl&prop=text&page=word&lang=en&count=1&showWord=none&audio=none&redirects=on obviously this no longer works due to x-frame-options )

Modern browsers wont load the stylesheet. I think due to x-content-options: nosniff. So the feature really does nothing and is impossible to use.

Additionally browsers are talking about killing xslt in general https://github.com/whatwg/html/issues/11523

All signs suggest we should just kill this feature

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
SECURITY: Disable xslt option by defaultmediawiki/coreREL1_39+40 -26
SECURITY: Disable xslt option by defaultmediawiki/coreREL1_45+40 -26
SECURITY: Disable xslt option by defaultmediawiki/coreREL1_44+40 -26
ActionApi: Remove the xslt optionmediawiki/coreREL1_45+9 K -0
SECURITY: Disable xslt option by defaultmediawiki/coreREL1_43+40 -26
SECURITY: Disable xslt option by defaultmediawiki/coreREL1_43+37 -0
ActionApi: Remove the xslt optionmediawiki/coremaster+2 -53
ActionApi: Remove the xslt optionmediawiki/corewmf/1.46.0-wmf.3+2 -53
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 OpenNoneT395470 Drop deprecated phpunit.php and suite.xml
 OpenNoneT403199 Formally EOL MW 1.39
Restricted Task
Restricted Task
 ResolvedAtienoT401987 Consider deprecating/removing the xslt option from the action api
Restricted Task

Event Timeline

Bawolff created this task.Aug 15 2025, 8:39 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 15 2025, 8:39 AM
Alien333 subscribed.Aug 15 2025, 12:29 PM
Aklapper edited projects, added Technical-Debt, MediaWiki-Action-API; removed API Platform.Aug 15 2025, 2:08 PM
Maintenance_bot added a project: MW-Interfaces-Team.Aug 15 2025, 2:30 PM
Atieno subscribed.Aug 15 2025, 9:08 PM

Acknowledging request and adding it to our backlog for prioritization

Atieno moved this task from Incoming (Needs Triage) to Backlog (Triaged and Ready) on the MW-Interfaces-Team board.Aug 15 2025, 9:13 PM
sbassett subscribed.Sep 2 2025, 9:49 PM
In T401987#11090905, @Atieno wrote:

Acknowledging request and adding it to our backlog for prioritization

See also: T401995

sbassett added a comment.Oct 20 2025, 4:34 PM
In T401987#11090905, @Atieno wrote:

Acknowledging request and adding it to our backlog for prioritization

Hey @Atieno - any update on this? Thanks.

Atieno added a comment.Nov 11 2025, 2:36 PM

Hi @sbassett We have it in our backlog but we've never really looked into it. Will align this with the team on if we can prioritize

Atieno claimed this task.Nov 11 2025, 2:39 PM
Atieno triaged this task as High priority.
Atieno added a project: Vuln-XSS.Nov 11 2025, 2:59 PM
Atieno added a comment.Nov 11 2025, 4:55 PM

@sbassett I'm working on this..

Atieno moved this task from Backlog (Triaged and Ready) to MWI-Sprint-22 (2025-11-04 to 2025-11-18) on the MW-Interfaces-Team board.Nov 11 2025, 5:00 PM
Atieno edited projects, added MW-Interfaces-Team (MWI-Sprint-22 (2025-11-04 to 2025-11-18)); removed MW-Interfaces-Team.
Atieno moved this task from Committed to In Progress on the MW-Interfaces-Team (MWI-Sprint-22 (2025-11-04 to 2025-11-18)) board.
gerritbot added a comment.Nov 11 2025, 5:11 PM

Change #1203865 had a related patch set uploaded (by Atieno; author: Atieno):

[mediawiki/core@master] ActionApi: Remove the xslt option

https://gerrit.wikimedia.org/r/1203865

gerritbot added a project: Patch-For-Review.Nov 11 2025, 5:11 PM
Atieno moved this task from In Progress to Code Review on the MW-Interfaces-Team (MWI-Sprint-22 (2025-11-04 to 2025-11-18)) board.Nov 11 2025, 6:06 PM
daniel subscribed.EditedNov 12 2025, 10:02 AM

According to turnilo we are getting a couple of hundred requests per day with the xslt= parameter set. All for action=parse, from various IPs with UA strings that look like browsers. That suggests a Gadget.

EDIT: it uses https://en.wiktionary.org/wiki/MediaWiki:ExtractFirst.xsl which exists on several .wikis

Bawolff added a comment.Nov 12 2025, 11:53 AM
In T401987#11365587, @daniel wrote:

According to turnilo we are getting a couple of hundred requests per day with the xslt= parameter set. All for action=parse, from various IPs with UA strings that look like browsers. That suggests a Gadget.

EDIT: it uses https://en.wiktionary.org/wiki/MediaWiki:ExtractFirst.xsl which exists on several .wikis

That's my gadget - https://en.wikinews.org/wiki/Wikinews:JavaScript#Wiktionary_lookup_gadget_.28Hover_box_variety.29

However, it looks like this is already broken due to the recently added CSP policy to the API which blocks XSLT, even when directly viewed. The gadget loads the page in an iframe, so has been broken by X-Frame-options header probably for like a decade at this point.

And of course it will all break when https://developer.chrome.com/docs/web-platform/deprecating-xslt goes through.

HCoplin-WMF subscribed.Nov 12 2025, 2:01 PM

If this is the only gadget using it, I have minimal concerns about removing it. I suggest that we announce the change is coming and give it a soak period of a week or two before actually removing it, though. Based on the description (and the fact that the gadget calling it has seemingly been broken for a while, haha), it doesn't seem like it is terribly urgent.

I'm also chiming in on the other ticket (https://phabricator.wikimedia.org/T401995) about having comms about it, even if we don't have a full/official deprecation cycle for it.

Reedy subscribed.Nov 12 2025, 4:27 PM
In T401987#11365587, @daniel wrote:

According to turnilo we are getting a couple of hundred requests per day with the xslt= parameter set. All for action=parse, from various IPs with UA strings that look like browsers. That suggests a Gadget.

reedy@deploy2002:/srv/mediawiki-staging$ mwgrep "xslt="
enwikinews          MediaWiki:Gadget-dictionaryLookupHover.js
eswiktionary        MediaWiki:Gadget-dictionaryLookupHover.js
fawiki              MediaWiki:Gadget-dictionaryLookupHover.js
frwiki              MediaWiki:Gadget-dictionaryLookupHover.js
pswiki              MediaWiki:Gadget-dictionaryLookupHover.js
shnwikinews         MediaWiki:Gadget-dictionaryLookupHover.js
shnwiktionary       MediaWiki:Lookup.js
srwikinews          MediaWiki:Gadget-dictionaryLookupHover.js
tawiki              MediaWiki:Gadget-Wiktionarylookup.js
tawikisource        MediaWiki:Gadget-dictLookup.js
vecwiki             MediaWiki:Gadget-dictionaryLookupHover.js

(total: {'value': 11, 'relation': 'eq'}, shown: 11)
SomeRandomDeveloper subscribed.Nov 12 2025, 10:23 PM
A_smart_kitten subscribed.Sun, Nov 16, 8:12 PM
HCoplin-WMF edited projects, added MW-Interfaces-Team (MWI-Sprint-23 (2025-11-18 to 2025-12-02)); removed MW-Interfaces-Team (MWI-Sprint-22 (2025-11-04 to 2025-11-18)).Tue, Nov 18, 3:58 PM
HCoplin-WMF moved this task from Committed to Code Review on the MW-Interfaces-Team (MWI-Sprint-23 (2025-11-18 to 2025-12-02)) board.
gerritbot added a comment.Thu, Nov 20, 12:48 PM

Change #1207846 had a related patch set uploaded (by Atieno; author: SomeRandomDeveloper):

[mediawiki/core@REL1_44] SECURITY: Disable xslt option by default

https://gerrit.wikimedia.org/r/1207846

gerritbot added a comment.Thu, Nov 20, 12:53 PM

Change #1207847 had a related patch set uploaded (by Atieno; author: SomeRandomDeveloper):

[mediawiki/core@REL1_43] SECURITY: Disable xslt option by default

https://gerrit.wikimedia.org/r/1207847

gerritbot added a comment.Thu, Nov 20, 10:24 PM

Change #1208021 had a related patch set uploaded (by SBassett; author: Atieno):

[mediawiki/core@wmf/1.46.0-wmf.3] ActionApi: Remove the xslt option

https://gerrit.wikimedia.org/r/1208021

gerritbot added a comment.Thu, Nov 20, 10:43 PM

Change #1208021 merged by jenkins-bot:

[mediawiki/core@wmf/1.46.0-wmf.3] ActionApi: Remove the xslt option

https://gerrit.wikimedia.org/r/1208021

Stashbot added a comment.Thu, Nov 20, 10:43 PM

Mentioned in SAL (#wikimedia-operations) [2025-11-20T22:43:28Z] <sbassett@deploy2002> Started scap sync-world: Backport for [[gerrit:1208021|ActionApi: Remove the xslt option (T401987 T401995)]]

gerritbot added a comment.Thu, Nov 20, 11:08 PM

Change #1203865 merged by jenkins-bot:

[mediawiki/core@master] ActionApi: Remove the xslt option

https://gerrit.wikimedia.org/r/1203865

Stashbot added a comment.Thu, Nov 20, 11:19 PM

Mentioned in SAL (#wikimedia-operations) [2025-11-20T23:19:38Z] <sbassett@deploy2002> sbassett: Backport for [[gerrit:1208021|ActionApi: Remove the xslt option (T401987 T401995)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

gerritbot added a comment.Thu, Nov 20, 11:28 PM

Change #1208036 had a related patch set uploaded (by SBassett; author: Atieno):

[mediawiki/core@REL1_45] ActionApi: Remove the xslt option

https://gerrit.wikimedia.org/r/1208036

Stashbot added a comment.Thu, Nov 20, 11:32 PM

Mentioned in SAL (#wikimedia-operations) [2025-11-20T23:32:46Z] <sbassett@deploy2002> Finished scap sync-world: Backport for [[gerrit:1208021|ActionApi: Remove the xslt option (T401987 T401995)]] (duration: 49m 18s)

sbassett added a comment.Thu, Nov 20, 11:35 PM

Update

  1. The hard deprecation xslt patch is now merged on master, 1.46.0-wmf.3 (and deployed to Wikimedia production). There's also a currently-conflicted version of the patch up for review for REL1_45.
  2. The softer xslt deprecation patch is also now up for review for REL1_44 and REL1_43.
gerritbot added a comment.Thu, Nov 20, 11:37 PM

Change #1208038 had a related patch set uploaded (by SomeRandomDeveloper; author: SomeRandomDeveloper):

[mediawiki/core@REL1_43] SECURITY: Disable xslt option by default

https://gerrit.wikimedia.org/r/1208038

SomeRandomDeveloper added a comment.Thu, Nov 20, 11:39 PM
In T401987#11394556, @gerritbot wrote:

Change #1208038 had a related patch set uploaded (by SomeRandomDeveloper; author: SomeRandomDeveloper):

[mediawiki/core@REL1_43] SECURITY: Disable xslt option by default

https://gerrit.wikimedia.org/r/1208038

I've used the cherry pick button in gerrit to properly cherry pick this so it's properly linked to the REL1_44 patch (and because it was easier than updating the other gerrit changeset, which contained an old version of the patch)

Bugreporter2 awarded a token.Fri, Nov 21, 10:46 AM
gerritbot added a comment.Fri, Nov 21, 10:48 AM

Change #1207847 abandoned by Atieno:

[mediawiki/core@REL1_43] SECURITY: Disable xslt option by default

Reason:

Abandoned for https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1208038

https://gerrit.wikimedia.org/r/1207847

gerritbot added a comment.Fri, Nov 21, 11:05 AM

Change #1208038 merged by jenkins-bot:

[mediawiki/core@REL1_43] SECURITY: Disable xslt option by default

https://gerrit.wikimedia.org/r/1208038

gerritbot added a comment.Fri, Nov 21, 2:52 PM

Change #1208364 had a related patch set uploaded (by Reedy; author: SomeRandomDeveloper):

[mediawiki/core@REL1_39] SECURITY: Disable xslt option by default

https://gerrit.wikimedia.org/r/1208364

gerritbot added a comment.Fri, Nov 21, 2:55 PM

Change #1208036 abandoned by SBassett:

[mediawiki/core@REL1_45] ActionApi: Remove the xslt option

Reason:

In favor of using Icbc3fa9e4

https://gerrit.wikimedia.org/r/1208036

gerritbot added a comment.Fri, Nov 21, 2:56 PM

Change #1208368 had a related patch set uploaded (by SBassett; author: SomeRandomDeveloper):

[mediawiki/core@REL1_45] SECURITY: Disable xslt option by default

https://gerrit.wikimedia.org/r/1208368

Atieno added a comment.Mon, Nov 24, 7:10 AM

Hello all this is ready for merge REL1_44

gerritbot added a comment.Mon, Nov 24, 3:34 PM

Change #1207846 merged by jenkins-bot:

[mediawiki/core@REL1_44] SECURITY: Disable xslt option by default

https://gerrit.wikimedia.org/r/1207846

gerritbot added a comment.Mon, Nov 24, 9:43 PM

Change #1208368 merged by jenkins-bot:

[mediawiki/core@REL1_45] SECURITY: Disable xslt option by default

https://gerrit.wikimedia.org/r/1208368

gerritbot added a comment.Tue, Nov 25, 3:55 AM

Change #1208364 merged by jenkins-bot:

[mediawiki/core@REL1_39] SECURITY: Disable xslt option by default

https://gerrit.wikimedia.org/r/1208364

Maintenance_bot removed a project: Patch-For-Review.Tue, Nov 25, 4:31 AM
sbassett closed this task as Resolved.Tue, Nov 25, 3:26 PM

Just scanning over https://gerrit.wikimedia.org/r/q/T401987, it looks like all of the backports have landed? And the hard deprecation is on master and in Wikimedia production, ready for 1.46 when it gets cut. So I think we can at least tentatively resolve this for now.

Reedy added a subtask: Restricted Task.Mon, Dec 8, 6:09 PM
Reedy added a parent task: Restricted Task.
Reedy closed subtask Restricted Task as Resolved.Mon, Dec 8, 7:23 PM
Reedy added a subscriber: gerritbot.Tue, Dec 9, 9:20 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits