Template parameters not substituted in HTML attributes [regression]
Closed, ResolvedPublic

Assigned To
Unbreak Now!
CesarB, wikibugs-l

Author: bastique.bz


Up until yesterday, we were able to position dots on maps using the template
field "pin_coords", which placed a "left: #; top: #" code into the DIV tag
for the tiny town graphic. Suddenly, on 6/3/05, this field no longer works.

We have already positioned quite a few towns using this now-disabled feature.
This feature also reduces the number of graphics; 2 for all towns in a single
county rather than one for each one. This ability should be restored.

Version: 1.4.x
Severity: normal
URL: http://en.wikipedia.org/wiki/Template:Ie_citytown_infobox

bzimport added a project: MediaWiki-Templates.Via ConduitNov 21 2014, 8:35 PM
bzimport added a subscriber: wikibugs-l.
bzimport set Reference to bz2309.
bzimport created this task.Via LegacyJun 3 2005, 3:16 PM
bzimport added a comment.Via ConduitJun 3 2005, 3:17 PM

bastique.bz wrote:

Example: http://en.wikipedia.org/wiki/Castlebar

brion added a comment.Via ConduitJun 4 2005, 12:31 AM

This is caused by the fix to bug 2304, which is a major security vulnerability.

Allowing validated plaintext template/parameter substitutions in HTML attribute values with our
current parser architecture is theoretically possible, but will take some work to ensure that it
remains safe.

brion added a comment.Via ConduitJun 4 2005, 11:23 PM

Also broken by this:

I've done some work on this bug but need to check it over a bit to make sure I haven't reintroduced a vulnerability,
particularly on the 1.4 backport (where the HTML attribute validation code is pretty crappy). Will try to finish it up

bzimport added a comment.Via ConduitJun 6 2005, 1:43 AM

lowzl wrote:

I recently upgraded my MediaWiki installation to 1.4.5 - we've experienced this
problem on precisely one template at the moment. I suppose it is because no one
has edited the other ones using this technique yet.

Curiously, {{subst:xyz}} works, but {{xyz}} uses the inclusion guard.

brion added a comment.Via ConduitJun 6 2005, 1:46 AM

Fix applied to CVS HEAD. Still working on REL1_4.

brion added a comment.Via ConduitJun 6 2005, 4:59 AM

Fix applied to REL1_4 as well (Parser.php).

bzimport added a comment.Via ConduitJun 8 2005, 3:13 PM

lowzl wrote:

Is there a specific patch we can apply now, or will there be a new release of
1.4 soon?

brion added a comment.Via ConduitJun 8 2005, 11:45 PM

I can't release a 1.4.6 just now as there's an issue with upgrades and an unnecessary
but performance-enhancing index.

Here's the change for REL1_4:

bzimport added a comment.Via ConduitJul 7 2005, 9:21 PM

zigger wrote:

*** Bug 2743 has been marked as a duplicate of this bug. ***

Add Comment

Column Prototype
This is a very early prototype of a persistent column. It is not expected to work yet, and leaving it open will activate other new features which will break things. Press "\" (backslash) on your keyboard to close it now.