Template parameters not substituted in HTML attributes [regression]
Closed, ResolvedPublic

Description

Author: bastique.bz

Description:
http://en.wikipedia.org/wiki/Tralee

Up until yesterday, we were able to position dots on maps using the template
field "pin_coords", which placed a "left: #; top: #" code into the DIV tag
for the tiny town graphic. Suddenly, on 6/3/05, this field no longer works.

We have already positioned quite a few towns using this now-disabled feature.
This feature also reduces the number of graphics; 2 for all towns in a single
county rather than one for each one. This ability should be restored.


Version: 1.4.x
Severity: normal
URL: http://en.wikipedia.org/wiki/Template:Ie_citytown_infobox

bzimport added a project: MediaWiki-Templates.Via ConduitNov 21 2014, 8:35 PM
bzimport added a subscriber: Unknown Object (MLST).
bzimport set Reference to bz2309.
bzimport created this task.Via LegacyJun 3 2005, 3:16 PM
bzimport added a comment.Via ConduitJun 3 2005, 3:17 PM

bastique.bz wrote:

Example: http://en.wikipedia.org/wiki/Castlebar

brion added a comment.Via ConduitJun 4 2005, 12:31 AM

This is caused by the fix to bug 2304, which is a major security vulnerability.

Allowing validated plaintext template/parameter substitutions in HTML attribute values with our
current parser architecture is theoretically possible, but will take some work to ensure that it
remains safe.

brion added a comment.Via ConduitJun 4 2005, 11:23 PM

Also broken by this:
http://en.wikipedia.org/wiki/Template:Ref
http://en.wikipedia.org/wiki/Template:Note

I've done some work on this bug but need to check it over a bit to make sure I haven't reintroduced a vulnerability,
particularly on the 1.4 backport (where the HTML attribute validation code is pretty crappy). Will try to finish it up
tonight.

bzimport added a comment.Via ConduitJun 6 2005, 1:43 AM

lowzl wrote:

I recently upgraded my MediaWiki installation to 1.4.5 - we've experienced this
problem on precisely one template at the moment. I suppose it is because no one
has edited the other ones using this technique yet.

Curiously, {{subst:xyz}} works, but {{xyz}} uses the inclusion guard.

brion added a comment.Via ConduitJun 6 2005, 1:46 AM

Fix applied to CVS HEAD. Still working on REL1_4.

brion added a comment.Via ConduitJun 6 2005, 4:59 AM

Fix applied to REL1_4 as well (Parser.php).

bzimport added a comment.Via ConduitJun 8 2005, 3:13 PM

lowzl wrote:

Is there a specific patch we can apply now, or will there be a new release of
1.4 soon?

brion added a comment.Via ConduitJun 8 2005, 11:45 PM

I can't release a 1.4.6 just now as there's an issue with upgrades and an unnecessary
but performance-enhancing index.

Here's the change for REL1_4:
http://cvs.sourceforge.net/viewcvs.py/wikipedia/phase3/includes/Parser.php?
r1=1.357.2.49&r2=1.357.2.50&diff_format=u

bzimport added a comment.Via ConduitJul 7 2005, 9:21 PM

zigger wrote:

*** Bug 2743 has been marked as a duplicate of this bug. ***

Add Comment