
CommentParser::doWikiLinks should be able to operate safely on safe HTML
Open, Medium, Public, Security

Description

Filing as a security task since none of the three other tasks are public yet.

CommentParser::doWikiLinks currently uses a regex pattern to find and replace wikilink syntax with HTML links. Because of this, it is/was possible to perform XSS in three cases by getting CommentParser::doSectionLinks to return HTML that would be safe on its own, but is not safe for usage in doWikiLinks:

In the last two cases, the "unsafe" HTML was produced by the MW parser. As a developer without knowledge of the internal workings of CommentParser, I would probably expect parsed HTML to be safe for usage in any HTML sink, but $comment in the FormatAutocomments hook (or specifically doWikiLinks) is not a safe HTML sink.
To reduce the likelihood of similar vulnerabilities being introduced in the future, I think that CommentParser::doWikiLinks should be hardened so it can operate on any safe HTML string without allowing for XSS. This would have prevented all three aforementioned vulnerabilities.
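The following is an added Python model of the hardening the task asks for; it is not MediaWiki's CommentParser code, and the wikilink pattern, the `/wiki/` URL prefix and the sample inputs are constructed for the example. It puts a whole-string regex replacer (the sink the description calls unsafe) beside a variant that first splits the input into tag and text segments and applies the wikilink regex only to the text segments, so markup that was already safe passes through untouched and a captured link target is decoded, URL-encoded and attribute-escaped before it lands in `href`. A structural check confirms that every tag of the input survives unchanged and that only `<a>` elements were added.

```python
import html
import re
import urllib.parse

# Wikilink syntax: [[Target]] or [[Target|label]]. This pattern and the
# "/wiki/" URL prefix are assumptions for the example, not MediaWiki's own.
WIKILINK_RE = re.compile(r"\[\[([^\[\]|]+)(?:\|([^\[\]]*))?\]\]")

# Splits HTML into alternating text and tag segments; the capturing group
# keeps the tags so they can be re-emitted verbatim.
TAG_SPLIT_RE = re.compile(r"(<[^>]*>)")


def naive_do_wikilinks(safe_html: str) -> str:
    """Regex substitution over the whole string. It cannot tell text from
    markup, so a wikilink inside an attribute value, or one whose brackets
    straddle a tag, is rewritten too and the markup structure is corrupted."""
    def repl(m: re.Match) -> str:
        target = m.group(1)
        label = m.group(2) if m.group(2) is not None else target
        return f'<a href="/wiki/{target}">{label}</a>'
    return WIKILINK_RE.sub(repl, safe_html)


def _render_link(m: re.Match) -> str:
    # The text segment is already HTML-escaped, so the captured target may
    # contain entities. Decode them to get the real title, URL-encode it
    # for the path, then escape once more for the attribute context.
    title = html.unescape(m.group(1)).strip()
    href = "/wiki/" + urllib.parse.quote(title)
    # The label is existing safe HTML text and is emitted unchanged.
    label = m.group(2) if m.group(2) is not None else m.group(1)
    return f'<a href="{html.escape(href, quote=True)}">{label}</a>'


def hardened_do_wikilinks(safe_html: str) -> str:
    """Only text between tags is scanned for wikilink syntax. Tags pass
    through untouched, and brackets that span a tag boundary never match."""
    parts = TAG_SPLIT_RE.split(safe_html)
    # re.split with a capturing group yields text at even indices and the
    # captured tags at odd indices.
    return "".join(
        part if i % 2 else WIKILINK_RE.sub(_render_link, part)
        for i, part in enumerate(parts)
    )


def preserves_existing_tags(before: str, after: str) -> bool:
    """Structural check: every tag of the input survives verbatim and in
    order, and the only tags added are the <a href="..."> / </a> pairs that
    this transformation is allowed to emit."""
    original = TAG_SPLIT_RE.findall(before)
    idx = 0
    for tag in TAG_SPLIT_RE.findall(after):
        if idx < len(original) and tag == original[idx]:
            idx += 1
        elif not (tag == "</a>" or tag.startswith('<a href="')):
            return False
    return idx == len(original)


if __name__ == "__main__":
    # Constructed inputs: each is safe HTML on its own.
    samples = [
        "Fix typo in [[Main Page|the main page]]",
        "[[A &amp; B]]",                      # escaped text inside the link
        '<span title="[[x]]">t</span>',       # wikilink inside an attribute
        "[[a<b>b</b>]]",                      # brackets straddling a tag
    ]
    for s in samples:
        for name, fn in (("naive", naive_do_wikilinks), ("hardened", hardened_do_wikilinks)):
            out = fn(s)
            print(f"{name:8} ok={preserves_existing_tags(s, out)!s:5} {out}")
```

The tokenising step is what makes the sink safe for arbitrary safe HTML: whatever an upstream stage such as doSectionLinks emitted inside a tag can no longer be matched, and a wikilink whose brackets are split by a tag is simply not turned into a link rather than being rewritten across the tag boundary. The `preserves_existing_tags` check is the kind of invariant a unit test for the real function could assert over parser output.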

Details

Risk Rating
Medium
Author Affiliation
Wikimedia Communities

Event Timeline

sbassett subscribed.

With the three issues mentioned above being fixed, individually, leaving this to Content-Transform-Team et al as a future code-hardening effort.

All three vulnerabilities are now publicly fixed and only the core task isn't public yet. @sbassett could this one be made public?

sbassett triaged this task as Medium priority.
sbassett changed Author Affiliation from N/A to Wikimedia Communities.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Medium.

(reopening since this is a code hardening task and not resolved yet)