VisualEditor: Broken DivX browser plugin causes "myEventWatcherDiv" to be injected into the page
Closed, ResolvedPublic

Description

Seeing this more often now with VE and think it may be a couple different issues (not all on our side) but want to see what we can do to stop it and or lessen impact. This is currently being added to the security queue because I'm a bit concerned about some of the symptoms and worry it could be an injection vulnerability (see below). If we rule out a security concern I'm obviously happy with it being moved.

Editors are making a normal edit and div's are being inserted like

<div id="myEventWatcherDiv" style="display:none;"></div>

often at the start and end of the page.

Googling around it seems they may be inserted by a common 3rd party plugin (divX?) but it is in no way clear. It also seems to be interacting weirdly with VE because it isn't only being inserted it's inserting WITHOUT <nowiki> tags which is what you'd expect if someone put a div in (see https://en.wikipedia.org/w/index.php?title=User:Jalexander/sandbox&diff=564465081&oldid=553572859 ). Could it be being injected somehow around VE and/or parser?

Examples:
https://en.wikipedia.org/w/index.php?title=Spank!_The_Fifty_Shades_Parody&diff=prev&oldid=564448990
http://en.wikipedia.org/w/index.php?title=Kendra_Morris&diff=prev&oldid=564426900


Version: unspecified
Severity: minor
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=51521

bzimport set Reference to bz51423.
Jalexander created this task.Via LegacyJul 16 2013, 5:55 AM
csteipp added a comment.Via ConduitJul 16 2013, 10:22 PM

Hi James, the google consensus seems to be that a DivX plugin is inserting that.

http://padawan.info/en/2011/03/wtf-is-this-myeventwatcherdiv-doing-in-my-web.html

I'm guessing that VE's interface suddenly looks like something the plugin was expecting to use in the browser, and so it silently adds the div.

We could add an abusefilter rule to block those edits, but that seems a little drastic.

Jalexander added a comment.Via ConduitJul 16 2013, 10:27 PM

yeah, that seems to be the consensus I could find too (which is very very weird... because I can't for the life of me find a 'legitimate' reason it should insert that into any page it can edit.. oh well certainly not the weirdest plugin BS I've seen).

Actually I don't think that's very drastic to do, the community almost certainly would agree and I'd pass it off to them (though they'll likely blame us for it which is never fun). It's certainly a type of edit we really don't want but more importantly I'm confused about how it's getting inserted and avoiding the normal VE/parser work flow which should <nowiki> it (instead of actually inserting it in as a div like it is now).

Jdforrester-WMF added a comment.Via ConduitJul 16 2013, 10:30 PM

(In reply to comment #1)

Hi James, the google consensus seems to be that a DivX plugin is inserting
that.

http://padawan.info/en/2011/03/wtf-is-this-myeventwatcherdiv-doing-in-my-web.
html

I'm guessing that VE's interface suddenly looks like something the plugin was
expecting to use in the browser, and so it silently adds the div.

We could add an abusefilter rule to block those edits, but that seems a
little drastic.

Ideally we'd want a global AbuseFilter rule that just silently dropped the content from the edit, but that's not a feature AF currently does. :-)

Blocking is a bit strong, though possibly likely to happen from the community if we just warn users and they ignore. The only fix (other than getting the upstream plugin crap fixed, which seems unlikely) is to do the auto-drop in VE, which is icky too.

Jdforrester-WMF added a comment.Via ConduitJul 16 2013, 10:31 PM

(In reply to comment #2)

I'm confused about how it's getting inserted and
avoiding the normal VE/parser work flow which should <nowiki> it (instead of
actually inserting it in as a div like it is now).

It looks like it's bypassing the browser's events model and just inserting into the DOM, hence the issue. JS like VE isn't able to notice things outside the JS events model, sadly.

Catrope added a comment.Via ConduitJul 16 2013, 10:33 PM

(In reply to comment #2)

It's certainly a type of edit we really don't
want but more importantly I'm confused about how it's getting inserted and
avoiding the normal VE/parser work flow which should <nowiki> it (instead of
actually inserting it in as a div like it is now).

It's possible that the plugin inserts it in all <iframe>s. We use <iframe>s internally for encapsulating HTML documents.

csteipp added a comment.Via ConduitJul 16 2013, 10:39 PM

Making this public since I don't see this having any security impact. Then the community can also give input into how they want to see it handled.

Jalexander added a comment.Via ConduitJul 16 2013, 10:40 PM

(In reply to comment #6)

Making this public since I don't see this having any security impact. Then
the
community can also give input into how they want to see it handled.

Thanks Chris

Inez added a comment.Via ConduitJul 27 2013, 10:31 PM

As a workaround for now we could make VE remove those divs from the HTMLDOM that it is sending to MW API for serializing. @James: Should we do it?

Jdforrester-WMF added a comment.Via ConduitJul 31 2013, 3:59 PM

(In reply to comment #8)

As a workaround for now we could make VE remove those divs from the HTMLDOM
that it is sending to MW API for serializing. @James: Should we do it?

You mean, have a blacklist of items to just silently remove on save? Could work as a quick hack.

Inez added a comment.Via ConduitJul 31 2013, 4:09 PM

Silently remove on save. Hacking blacklist will prevent people from saving and many of them are not technical enough to understand why - bad bad user experience.

Elitre added a comment.Via ConduitAug 21 2013, 9:13 PM

I am also curious to know why it only happens to anonymous editors - at least, all the occurrences I have seen so far.

Inez added a comment.Via ConduitAug 21 2013, 9:17 PM

@James: Should we go for silent remove on safe? Also we can start tracking it with information about logged in vs. logged out user.

SalixAlba added a comment.Via ConduitSep 26 2013, 8:37 AM

Detected and warning issued by the abuse filter http://en.wikipedia.org/wiki/Special:AbuseFilter/485

Jdforrester-WMF added a comment.Via ConduitSep 26 2013, 4:57 PM

(In reply to comment #16)

Sorry meant http://en.wikipedia.org/wiki/Special:AbuseFilter/345

Thanks - though we should probably silently remove on save inside VisualEditor, like Inez suggests.

Krenair added a comment.Via ConduitAug 7 2014, 9:23 AM

Has anyone here managed to actually get this to happen in their browser yet? James tried the DivX plugin in Safari on his Mac and couldn't get it to insert the bad content.

gerritbot added a comment.Via ConduitSep 30 2014, 9:39 PM

Change 163961 had a related patch set uploaded by Alex Monk:
Remove certain blacklisted elements when getting HTML from document

https://gerrit.wikimedia.org/r/163961

gerritbot added a comment.Via ConduitSep 30 2014, 9:53 PM

Change 163961 merged by jenkins-bot:
Remove certain blacklisted elements when getting HTML from document

https://gerrit.wikimedia.org/r/163961

Krenair added a comment.Via ConduitOct 16 2014, 6:56 PM

Still seems to be happening, e.g. https://fr.wikipedia.org/?diff=108255165

Jdforrester-WMF moved this task to Backlog on the VisualEditor workboard.Via WebNov 24 2014, 4:24 PM
Jdforrester-WMF set Security to None.
Aklapper added a subscriber: Aklapper.Via WebFeb 11 2015, 6:03 PM

This task has VE-deploy-2014-10-02 but is still open. Should this be retargetted?

csteipp added a project: Security.Via WebThu, Mar 26, 8:39 PM
csteipp removed a project: Security.Via WebThu, Mar 26, 8:43 PM
Jdforrester-WMF closed this task as "Resolved".Via WebThu, Mar 26, 8:44 PM
Jdforrester-WMF claimed this task.

This task has VE-deploy-2014-10-02 but is still open. Should this be retargetted?

No.

csteipp reopened this task as "Open".Via WebThu, Mar 26, 8:45 PM
csteipp placed this task up for grabs.
Jdforrester-WMF closed this task as "Resolved".Via WebThu, Mar 26, 8:50 PM
Jdforrester-WMF claimed this task.

Add Comment

Column Prototype
This is a very early prototype of a persistent column. It is not expected to work yet, and leaving it open will activate other new features which will break things. Press "\" (backslash) on your keyboard to close it now.