thumb.php outputs wikitext message as raw html
Closed, ResolvedPublic

Description

https://en.wikipedia.org/w/thumb.php outputs a fairly long interface message (customised by enwiki admins) that looks like it is intended for Special:BadTitle. It outputs this already confusing message as raw html instead of text or wikitext.

Right now this is causing the browser to parse <code> and <nowiki>. It could trivially include <script> as well.

Krinkle created this task.Dec 4 2014, 3:08 AM
Krinkle added a project: Security.
Krinkle changed the visibility from "Public (No Login Required)" to "Security (Project)".
Krinkle changed the edit policy from "All Users" to "Security (Project)".
Krinkle changed Security from none to Software security bug.
Krinkle added a subscriber: Krinkle.
Restricted Application changed the visibility from "Security (Project)" to "Custom Policy". · View Herald TranscriptDec 4 2014, 3:08 AM
Restricted Application changed the edit policy from "Security (Project)" to "Custom Policy". · View Herald Transcript
Krinkle changed the title from "thumb.php outputs raw wikitext as html" to "thumb.php outputs wikitext message as raw html".Dec 4 2014, 3:11 AM
Krinkle edited subscribers, added: Catrope, csteipp; removed: Aklapper.
Reedy added a subscriber: aaron.Dec 4 2014, 2:40 PM
csteipp triaged this task as "Normal" priority.Dec 4 2014, 9:59 PM

Similar to the general issue of T2212. Since only admins can edit the message, it's not horrible, but something we should fix.

Thanks @Legoktm, looks good to me. I'll get this deployed.

csteipp added a subscriber: Mglaser.Dec 8 2014, 7:22 PM

Deployed to the cluster.

@Mglaser, this should get added to the next release.

Proposed backports. All tested: I added

<script>alert("bad");</script>

to MediaWiki:Badtitletext and called thumb.php without any parameter. Without the patch, the alert showed up. After the patch was applied, the script was rendered as text instead.

The original patch applies nicely to REL1_24.
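
An added regression check for the manual test described above (example code written for this page; it is not part of Legoktm's patch, of thumb.php, or of any MediaWiki release). It puts a renderer that models the pre-patch behaviour (message interpolated into the error page unescaped) beside an escaped one, then runs a small HTML-parser pass over each output to report which <script> elements a browser would actually execute and whether the message survives as plain visible text. The error-page template, the function names and the sample badtitletext wording are assumptions made for illustration; the payload is the one used in the test above.

```python
import html
from html.parser import HTMLParser

# Constructed test input: the payload from the manual backport test on this
# task, appended to a made-up badtitletext message (not enwiki's real text).
PAYLOAD = '<script>alert("bad");</script>'
SAMPLE_MESSAGE = "The requested page title is invalid. " + PAYLOAD

# Hypothetical error-page layout; the real thumb.php output is not reproduced here.
_TEMPLATE = (
    "<html><head><title>Error generating thumbnail</title></head>"
    "<body><h1>Error generating thumbnail</h1><p>{body}</p></body></html>"
)


def render_error_page_raw(msg):
    """Vulnerable pattern (model of the pre-patch behaviour): the message
    text is dropped into the page as-is, so any markup an admin put in the
    message becomes live HTML."""
    return _TEMPLATE.format(body=msg)


def render_error_page_escaped(msg):
    """Hardened pattern: escape the message before interpolation so it can
    only ever render as text, whatever the wiki admins wrote."""
    return _TEMPLATE.format(body=html.escape(msg, quote=True))


class _PageScan(HTMLParser):
    """Separates <script> element bodies from ordinary visible text."""

    def __init__(self):
        super().__init__()
        self.scripts = []   # one entry per <script> element, in document order
        self.text = []      # text nodes outside <script>, entities decoded
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data
        else:
            self.text.append(data)


def _scan(page):
    p = _PageScan()
    p.feed(page)
    p.close()
    return p


def script_bodies(page):
    """Return the source of every <script> element the browser would run."""
    return _scan(page).scripts


def visible_text(page):
    """Return the page's text content outside <script>, entities decoded."""
    return "".join(_scan(page).text)


def message_is_neutralised(render, msg=SAMPLE_MESSAGE):
    """True when `render` shows the message as text only: no script element
    came out of it and the raw markup survives verbatim as visible text."""
    page = render(msg)
    return script_bodies(page) == [] and msg in visible_text(page)


if __name__ == "__main__":
    for name, render in (("raw", render_error_page_raw),
                         ("escaped", render_error_page_escaped)):
        print(f"{name:8s} scripts={script_bodies(render(SAMPLE_MESSAGE))!r} "
              f"neutralised={message_is_neutralised(render)}")
```

The check deliberately asserts both halves of the fix: that no script element is produced, and that the original markup is still readable in the page, since a "fix" that silently stripped the message would pass the first check and hide the second regression. Running the file prints one line per renderer; only the escaped one reports neutralised=True.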

Early access for Wikia and Gamepedia

csteipp closed this task as "Resolved".Jan 23 2015, 6:37 PM
csteipp changed the visibility from "Custom Policy" to "Public (No Login Required)".
csteipp changed the edit policy from "Custom Policy" to "All Users".
csteipp changed Security from Software security bug to None.