Page MenuHomePhabricator
Create Task
Maniphest T407617

The data HTML attribute name can't include the underscore sign anymore
Open, Needs TriagePublicBUG REPORT
Actions

Description

Hi. Very weird situation. I have a code, hundreds of KB, works for years, and this morning there is suddenly a big mess. It took a lot of time to debug it, but here is the minimal example I created.

  1. Open a sandbox.
  2. Put the code
<div data-brbnk="3445">abc</div>
<div data-br_nk="3445">abc</div>
  1. Open a preview.
  2. Click F12 to open the code Inspector.
  3. Find the relevant HTML part in the code.
  4. Expected:
<div data-brbnk="3445">abc</div>
<div data-br_nk="3445">abc</div>

And this was there yesterday for sure.

  1. Got:
<div data-brbnk="3445">abc</div>
<div>abc</div>

There isn't something relevant in the console. Happens on different devices, OSs, browsers, and logged out. I've checked other characters. Looks like the dot doesn't sometimes work too, and the rest do work. Was there any new HTML sanitizer deployed this week? Because if wasn't, it seems to be a problem. I even checked if there isn't any new HTML standard published, to be sure. What is more weird, it's nondeterministic. Sometimes, very rarely, I got the right answer, without any visible reason. So, I can't prove you it happens if you can't reproduce it. I can give you the page I mentioned, when it always happens, but I'm pretty sure it's too complicated to debug this.
Thank you.

image.png (783×1 px, 90 KB)

image.png (775×1 px, 87 KB)

Related Objects

Event Timeline

IKhitron created this task.Oct 17 2025, 11:13 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 17 2025, 11:13 AM
Lucas_Werkmeister_WMDE mentioned this in T401099: CVE-2025-61638: Sanitizer::validateAttributes data-XSS.Oct 17 2025, 12:29 PM
sbassett subscribed.Oct 17 2025, 2:52 PM

Hello. There is currently a security patch within Wikimedia production which is the cause of these issues, which is all we can really state publicly at this time.

IKhitron added a comment.Oct 17 2025, 2:53 PM
In T407617#11285546, @sbassett wrote:

Hello. There is currently a security patch within Wikimedia production which is the cause of these issues, which is all we can really state publicly at this time.

I see. Thank you.

SomeRandomDeveloper subscribed.Oct 17 2025, 3:30 PM
A_smart_kitten subscribed.Oct 17 2025, 3:37 PM
Alex44019 subscribed.Oct 17 2025, 9:27 PM
gui-ying233 subscribed.Oct 17 2025, 9:31 PM
9304846963 subscribed.Oct 19 2025, 8:45 PM
Trappist_the_monk subscribed.Oct 23 2025, 4:04 PM

A problem that may be related to this issue is discussed at en.wiki (permalink). An editor there has implicated the aforementioned security patch.

Is the problem described at en.wiki associated with the security patch? Is there a patch for the patch?

sbassett added a comment.Oct 23 2025, 7:06 PM
In T407617#11303597, @Trappist_the_monk wrote:

Is the problem described at en.wiki associated with the security patch?

Yes.

Is there a patch for the patch?

No, at least not in Wikimedia production.

Nardog subscribed.Oct 24 2025, 2:19 AM
Nemoralis subscribed.Oct 24 2025, 4:04 PM
NightWolf1223 subscribed.Oct 28 2025, 9:56 PM
TheDJ subscribed.Oct 29 2025, 10:04 AM
sbassett added a comment.EditedOct 30 2025, 9:31 PM

I've just deployed an updated patch that should fix the issues discussed here. Please let me know if the issues persist.

lihaohong subscribed.Sun, Nov 16, 5:37 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits