Template parameters not substituted in HTML attributes [regression]
Closed, ResolvedPublic


Author: bastique.bz


Up until yesterday, we were able to position dots on maps using the template
field "pin_coords", which placed a "left: #; top: #" code into the DIV tag
for the tiny town graphic. Suddenly, on 6/3/05, this field no longer works.

We have already positioned quite a few towns using this now-disabled feature.
This feature also reduces the number of graphics; 2 for all towns in a single
county rather than one for each one. This ability should be restored.

Version: 1.4.x
Severity: normal
URL: http://en.wikipedia.org/wiki/Template:Ie_citytown_infobox


bzimport set Reference to bz2309.
bzimport created this task. Jun 3 2005, 3:16 PM
brion added a comment. Jun 4 2005, 12:31 AM

This is caused by the fix to bug 2304, which is a major security vulnerability.

Allowing validated plaintext template/parameter substitutions in HTML attribute values with our
current parser architecture is theoretically possible, but will take some work to ensure that it
remains safe.
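The pattern the report describes (a template parameter such as "pin_coords" dropped straight into a DIV's style attribute) and the reason Brion calls the fix a security matter are easier to see side by side. The following is an added, illustrative example in Python; it is not MediaWiki's Parser.php or Sanitizer code, and the template text, the sample parameter values and the helper names (expand_unsafe, expand_escaped, validate_coords, expand_validated) are all constructed for this illustration. It shows why raw substitution is exploitable, why generic attribute escaping alone is not enough inside a style attribute, and what a whitelist-based validation of the substituted value looks like.

```python
import html
import re

# Constructed template: like the infobox in the report, it substitutes the
# "pin_coords" parameter directly into a DIV's style attribute.
TEMPLATE = '<div class="pin" style="position:absolute; {{{pin_coords}}}"></div>'

# Constructed inputs: what a town article supplies, and two hostile variants.
BENIGN_COORDS = "left: 120px; top: 45px"
# Closes the style attribute and injects an event handler.
HOSTILE_BREAKOUT = 'left:0" onmouseover="alert(document.cookie)'
# Stays inside the attribute but smuggles script via a legacy CSS expression();
# it contains no characters that HTML attribute escaping would touch.
HOSTILE_CSS = "left: expression(alert(1)); top: 0"

PARAM_RE = re.compile(r"\{\{\{(\w+)\}\}\}")


def expand_unsafe(template, params):
    """Pre-fix behaviour: raw textual substitution of {{{name}}}."""
    return PARAM_RE.sub(lambda m: params.get(m.group(1), ""), template)


def expand_escaped(template, params):
    """Attribute-context escaping only: blocks the breakout, not hostile CSS."""
    return PARAM_RE.sub(lambda m: html.escape(params.get(m.group(1), ""), quote=True), template)


# Whitelist: a few positioning properties with a small integer length.
_DECL = re.compile(r"^(left|top|right|bottom)\s*:\s*(-?\d{1,4}(?:px|%)?)$")


def validate_coords(value):
    """Return a normalized 'prop: value; ...' string, or None if any
    declaration falls outside the whitelist."""
    decls = [d.strip() for d in value.split(";") if d.strip()]
    if not decls:
        return None
    out = []
    for decl in decls:
        m = _DECL.match(decl)
        if not m:
            return None
        out.append(f"{m.group(1)}: {m.group(2)}")
    return "; ".join(out)


def expand_validated(template, params):
    """Hardened substitution: validate values destined for the style
    attribute against the whitelist, then escape for attribute context."""
    def sub(m):
        name = m.group(1)
        raw = params.get(name, "")
        if name == "pin_coords":
            safe = validate_coords(raw)
            if safe is None:
                return ""  # refuse: drop the pin rather than emit hostile CSS
            raw = safe
        return html.escape(raw, quote=True)
    return PARAM_RE.sub(sub, template)


if __name__ == "__main__":
    for label, coords in (("benign", BENIGN_COORDS),
                          ("breakout", HOSTILE_BREAKOUT),
                          ("css", HOSTILE_CSS)):
        params = {"pin_coords": coords}
        print(label, "unsafe:   ", expand_unsafe(TEMPLATE, params))
        print(label, "escaped:  ", expand_escaped(TEMPLATE, params))
        print(label, "validated:", expand_validated(TEMPLATE, params))
```

The point of the whitelist is that the style attribute is a second parsing context nested inside the HTML attribute: escaping quotes and angle brackets keeps the value inside the attribute, but anything the browser's CSS engine is willing to execute still gets through. Validating the substituted value against the tiny grammar the template actually needs is what makes the substitution safe.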

brion added a comment. Jun 4 2005, 11:23 PM

Also broken by this:

I've done some work on this bug but need to check it over a bit to make sure I haven't reintroduced a vulnerability,
particularly on the 1.4 backport (where the HTML attribute validation code is pretty crappy). Will try to finish it up

lowzl wrote:

I recently upgraded my MediaWiki installation to 1.4.5 - we've experienced this
problem on precisely one template at the moment. I suppose it is because no one
has edited the other ones using this technique yet.

Curiously, {{subst:xyz}} works, but {{xyz}} uses the inclusion guard.

brion added a comment. Jun 6 2005, 1:46 AM

Fix applied to CVS HEAD. Still working on REL1_4.

brion added a comment. Jun 6 2005, 4:59 AM

Fix applied to REL1_4 as well (Parser.php).

lowzl wrote:

Is there a specific patch we can apply now, or will there be a new release of
1.4 soon?

brion added a comment. Jun 8 2005, 11:45 PM

I can't release a 1.4.6 just now as there's an issue with upgrades and an unnecessary
but performance-enhancing index.

Here's the change for REL1_4:

zigger wrote:

*** Bug 2743 has been marked as a duplicate of this bug. ***
