Page MenuHomePhabricator
Create Task
Maniphest T68199

The output of wfMessage( 'i-dont-exist' )->text() should not have its entities html encoded
Closed, DeclinedPublic
Actions

Description

wfMessage( 'i<dont>exist' ) has a two possible outputs depending on the format utilized to output the content, either:

plain: <i&lt;dont&gt;exist>
text/escaped/parse: &lt;i&lt;dont&gt;exist&gt;

Note that i'm not encouraging special characters in i18n keys, merely showing what the current implementation does.

The method documentation for Message::text() states that it is unescaped message text. Documentation for Message::plain() states that it is unescaped untransformed text. Based on the documentation my inference is that text() and plain() should have the same output, with {{FOO}} messages transformed only in the text method.

One option for escaping is to escape as close to the output as possible. In an API response consumed by client-side javascript the strings within the JSON should be plain text. This plain text is then escaped for output in the templating layer of the client side javascript. Using this setup mistyping an i18n key looks like you have not only bad i18n key but also a double-encoding issue. Upon further investigation the double-encoding only happens with the non-existent key.

I'm proposing the output should be:

plain/text: <i<dont>exist>
escaped/parse: &lt;i&lt;dont&gt;exist&gt;

Version: unspecified
Severity: normal

Details

Reference
bz66199

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 3:17 AM
bzimport added a project: MediaWiki-Internationalization.
bzimport set Reference to bz66199.
bzimport added a subscriber: Unknown Object (MLST).
EBernhardson created this task.Jun 5 2014, 4:20 PM
gerritbot added a comment.Jun 5 2014, 4:22 PM

Change 137458 had a related patch set uploaded by EBernhardson:
Correct output of wfMessage( 'non-existent-msg' )->text()

https://gerrit.wikimedia.org/r/137458

Krinkle added a comment.Jun 7 2014, 8:42 AM
  • Bug 62047 has been marked as a duplicate of this bug. ***
gerritbot added a comment.Sep 23 2014, 9:15 PM

Change 137458 merged by jenkins-bot:
Message: Correct output of wfMessage( 'non-existent-msg' )->text()

https://gerrit.wikimedia.org/r/137458

Bawolff subscribed.Jun 29 2016, 10:18 PM

I'm not really a fan of this. If message is missing, key is probably user controlled. Occasionally people use the wrong escaping type for messages. Being able to get an XSS if you can edit a MediaWiki namespace page is a lot better than just if you can somehow convince the message name to be "script>foo();</script".

I have an alternate proposal at https://gerrit.wikimedia.org/r/#/c/296665/

Nemo_bis changed the task status from Resolved to Declined.Jul 2 2016, 6:07 PM
Nemo_bis assigned this task to Bawolff.
Nemo_bis subscribed.

Patch was merged; properly closing this.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits