Special pages, actions and views whose messages don't escape text
Closed, Invalid · Public

Description

Nikerabbit made a partial list of the (main) places, in core and several extensions, containing messages which don't escape text. Each of those messages is a potential security risk.

== Core ==

=== Edit page/view page/protect page ===

/w/i.php?action=edit&title=Support    word-separator

== WikiEditor ==

wikieditor-toolbar-group-format
wikieditor-toolbar-group-insert
wikieditor-toolbar-help-*

== Semantic MediaWiki ==

2016-11 additions:
* smw_result_noresults
* smw_sbv_docu
* smw-ask-format-selection-help

/wiki/Special:Browse    smw_browse_article
/wiki/Special:Browse    smw_browse_go
/wiki/Special:Browse    categories
/wiki/Special:Browse    smw_isspecprop
/wiki/Special:Browse    isredirect

/wiki/Special:ExportRDF    smw_exportrdf_backlinks
/wiki/Special:ExportRDF    smw_exportrdf_docu
/wiki/Special:ExportRDF    smw_exportrdf_lastdate
/wiki/Special:ExportRDF    smw_exportrdf_recursive
/wiki/Special:ExportRDF    smw_exportrdf_submit

/wiki/Special:Properties    smw_isspecprop
/wiki/Special:Properties    smw_propertyhardlyused
/wiki/Special:Properties    smw_propertylackspage
/wiki/Special:Properties    smw_property_template_notype

/wiki/Special:SearchByProperty    smw_sbv_docu
/wiki/Special:SearchByProperty    smw_sbv_property
/wiki/Special:SearchByProperty    smw_sbv_submit
/wiki/Special:SearchByProperty    smw_sbv_value

/wiki/Special:SMWAdmin    smw_smwadmin_announce
/wiki/Special:SMWAdmin    smw_smwadmin_announcebutton
/wiki/Special:SMWAdmin    smw_smwadmin_announcedocu
/wiki/Special:SMWAdmin    smw_smwadmin_datarefresh
/wiki/Special:SMWAdmin    smw_smwadmin_datarefreshbutton
/wiki/Special:SMWAdmin    smw_smwadmin_datarefreshdocu
/wiki/Special:SMWAdmin    smw_smwadmin_db
/wiki/Special:SMWAdmin    smw_smwadmin_dbbutton
/wiki/Special:SMWAdmin    smw_smwadmin_dbdocu
/wiki/Special:SMWAdmin    smw_smwadmin_docu
/wiki/Special:SMWAdmin    smw_smwadmin_installfile
/wiki/Special:SMWAdmin    smw_smwadmin_mediazilla
/wiki/Special:SMWAdmin    smw_smwadmin_permissionswarn
/wiki/Special:SMWAdmin    smw_smwadmin_questions
/wiki/Special:SMWAdmin    smw_smwadmin_smwhomepage
/wiki/Special:SMWAdmin    smw_smwadmin_support
/wiki/Special:SMWAdmin    smw_smwadmin_supportdocu
/wiki/Special:SMWAdmin    smw-sp-admin-settings-button
/wiki/Special:SMWAdmin    smw-sp-admin-settings-title

/wiki/Special:Types/(Page|Text|Geographic_coordinates|Boolean)    smw_typearticlecount
/wiki/Special:Types/(Page|Text|Geographic_coordinates|Boolean)    smw_type_header

/w/i.php?-20in-20Flagged-20Revisions&printable=yes&title=Special:Browse/Summary:Support-2F-26quot;Deprecated-26quot%26-20in-20Flagged-20Revisions    smw_browse_article
/w/i.php?-20in-20Flagged-20Revisions&printable=yes&title=Special:Browse/Summary:Support-2F-26quot;Deprecated-26quot%26-20in-20Flagged-20Revisions    smw_browse_go
/w/i.php?-20in-20Flagged-20Revisions&printable=yes&title=Special:Browse/Summary:Support-2F-26quot;Deprecated-26quot%26-20in-20Flagged-20Revisions    smw_browse_no_incoming
/w/i.php?-20in-20Flagged-20Revisions&printable=yes&title=Special:Browse/Summary:Support-2F-26quot;Deprecated-26quot%26-20in-20Flagged-20Revisions    smw_browse_no_outgoing

== Lqt ==
/w/i.php?title=Thread:Support/About_MediaWiki:Randomincategory-nopages/ar&lqt_method=thread_history    august
/w/i.php?title=Thread:Support/About_MediaWiki:Randomincategory-nopages/ar&lqt_method=thread_history    december
/w/i.php?title=Thread:Support/About_MediaWiki:Randomincategory-nopages/ar&lqt_method=thread_history    september

== MobileFrontend ==

Unescaped message mobile-frontend-diffview-comma
Unescaped message mobile-frontend-editor-unavailable
Unescaped message mobile-frontend-footer-sitename
Unescaped message mobile-frontend-copyright (might be obsolete?)

== Unsorted ==

Double escaped message scribunto-common-nosuchmodule
Unescaped message ajaxlogin-create
Unescaped message articlefeedbackv5-special-count-total
Unescaped message bibmanagercreate
Unescaped message bibmanagerimport
Unescaped message browsesw
Unescaped message categorytree-empty-bullet
Unescaped message colon-separator
Unescaped message gwtoolset-ensure-well-formed-xml
Unescaped message linkedwiki-specialsparqlquery_endpointsparql
Unescaped message linkedwiki-specialsparqlquery_sendquery
Unescaped message login
Unescaped message massaction-newtask (patch)
Unescaped message massaction-viewtask (patch)
Unescaped message pagedisqus-noscript
Unescaped message pagedisqus-title
Unescaped message pagetriage-welcome
Unescaped message scribunto-limitreport-memusage
Unescaped message scribunto-limitreport-memusage-value
Unescaped message scribunto-limitreport-timeusage
Unescaped message scribunto-limitreport-timeusage-value
Unescaped message size-megabytes
Unescaped message tags-create-explanation
Unescaped message wikibase-limitreport-entities-accessed
Unescaped message wikimedia-copyright
Unescaped message yourname
Unescaped message yourpassword

Details

| Subject | Repo | Branch | Lines +/- |
| | mediawiki/core | master | +1 -1 |
| | mediawiki/extensions/TwnMainPage | master | +1 -1 |
| | mediawiki/extensions/InviteSignup | master | +7 -7 |
| | mediawiki/core | master | +1 -1 |
| | mediawiki/core | master | +4 -0 |
| | mediawiki/core | master | +1 -1 |
| | mediawiki/core | master | +1 -1 |
| | mediawiki/extensions/SemanticMediaWiki | master | +22 -22 |
| | mediawiki/extensions/Nuke | master | +7 -6 |
| | mediawiki/extensions/Gadgets | master | +2 -1 |
| | mediawiki/core | master | +12 -6 |
| | mediawiki/core | master | +3 -3 |
| | mediawiki/core | master | +1 -3 |
| | mediawiki/core | master | +6 -4 |
| | mediawiki/core | master | +5 -4 |
| | mediawiki/core | master | +2 -2 |
| | mediawiki/core | master | +4 -4 |
| | mediawiki/extensions/SemanticForms | master | +16 -12 |
| | mediawiki/core | master | +1 -1 |
| | mediawiki/extensions/SemanticMaps | master | +2 -2 |
| | mediawiki/extensions/AdminLinks | master | +17 -7 |
| | mediawiki/core | master | +16 -18 |
| | mediawiki/core | master | +1 -1 |

Event Timeline

There are a very large number of changes, so older changes are hidden.

Change 193562 merged by jenkins-bot:
Add release-notes for message escaping

https://gerrit.wikimedia.org/r/193562

Change 222252 had a related patch set uploaded (by Nikerabbit):
Escape messages

https://gerrit.wikimedia.org/r/222252

Krinkle renamed this task from Special pages, actions and views whose messages don't escape HTML to Special pages, actions and views whose messages don't escape text. Jul 9 2015, 12:05 PM
Krinkle updated the task description.

@Nikerabbit or @Nemo_bis - thank you for this comprehensive list. I'm confused about one item in the "SMW/SF" section, though - the very first one:

/w/i.php?title=User:Nike&action=formedit summary

The 'summary' message is called in SF's /includes/SF_FormUtils.php, and there the two relevant lines are:

$label = wfMessage( 'summary' )->text();

Html::element( 'label', array( 'for' => 'wpSummary' ), $label ) );

I would think that the element() call does the necessary escaping; is that not true?

Maybe it is already fixed but nobody updated the bug? Currently on that URL I only see this:
Notice: Unescaped message sf-formedit-donotuseform in /www/dev.translatewiki.net/docroot/w/includes/OutputPage.php on line 2332

And
/wiki/Special:FormEdit/Support/User:Nike sf_formedit_formwarning

Change 224053 had a related patch set uploaded (by Nikerabbit):
Escape twnmp-bannerwho

https://gerrit.wikimedia.org/r/224053

Change 224053 merged by jenkins-bot:
Escape twnmp-bannerwho

https://gerrit.wikimedia.org/r/224053

@Nikerabbit - did you forget to remove "/wiki/Special:Forms sf_forms_docu" from the list? It's the last Semantic Forms message in there; and I'm pretty sure it's now escaped.

I renamed the "SMW/SF" section to "Semantic MediaWiki".

So, I:

  • checked out https://gerrit.wikimedia.org/r/#/c/203299/ and set $wgDebugMessageEscaping = true; ;
  • enabled a bunch of extensions (P2014) on a web-inaccessible mediawiki-vagrant;
  • assigned all rights to unregistered users with foreach( User::getAllRights() as $right ) { $wgGroupPermissions['*'][$right] = true; };
  • attempted to open all special pages with curl http://localhost:8080/wiki/Special:SpecialPages > /tmp/SpecialPages.html; wget -O /dev/null -i /tmp/SpecialPages.html --force-html --base=http://localhost:8080/

I'll add the messages I get logged.
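
The notices logged by a crawl like the one above can be folded into the list format used in the task description. The following Python script is an added example, not part of the original comment or of MediaWiki; its regular expression is based on the notice quoted earlier in this thread, and the function names, sample log lines, paths and line numbers are constructed for illustration.

```python
import re
from collections import defaultdict

# Shape taken from the notice quoted in this task:
#   Notice: Unescaped message <key> in <file> on line <n>
# "Double escaped" is the other kind that appears in the task's list.
NOTICE_RE = re.compile(
    r"(?P<kind>Unescaped|Double escaped) message (?P<key>\S+)"
    r"(?: in (?P<file>\S+) on line (?P<line>\d+))?"
)

def collect_notices(log_lines):
    """Return {(kind, key): set of 'file:line' call sites}, deduplicated."""
    found = defaultdict(set)
    for raw in log_lines:
        # PHP can emit notices with HTML markup (html_errors); strip tags first.
        text = re.sub(r"<[^>]+>", "", raw)
        m = NOTICE_RE.search(text)
        if not m:
            continue  # unrelated notice or ordinary log line
        site = f"{m['file']}:{m['line']}" if m["file"] else "unknown"
        found[(m["kind"], m["key"])].add(site)
    return dict(found)

def format_report(found):
    """Render one line per message key, sorted by key, in the task's list style."""
    ordered = sorted(found.items(), key=lambda kv: (kv[0][1], kv[0][0]))
    return [f"{kind} message {key}    {', '.join(sorted(sites))}"
            for (kind, key), sites in ordered]

# Constructed sample log; paths and line numbers are made up for illustration.
SAMPLE_LOG = [
    "Notice: Unescaped message login in /srv/mw/includes/OutputPage.php on line 100",
    "Notice: Unescaped message login in /srv/mw/includes/OutputPage.php on line 100",
    "<b>Notice</b>: Unescaped message yourname in <b>/srv/mw/includes/Html.php</b> on line <b>42</b>",
    "Notice: Double escaped message scribunto-common-nosuchmodule in /srv/mw/x.php on line 7",
    "Notice: Undefined index: foo in /srv/mw/y.php on line 3",
    "Unescaped message pagedisqus-title",
]

if __name__ == "__main__":
    print("\n".join(format_report(collect_notices(SAMPLE_LOG))))
```

Grouping by call site as well as by key shows whether one message is output unescaped from several places, each of which needs its own fix.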

Restricted Application added a subscriber: Steinsplitter.

Can we add this to GCI? This was the description last year:

<p><a href="https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet">Escaping HTML is the first rule</a> for improving security against <a href="https://en.wikipedia.org/wiki/Cross-site_scripting">cross-site scripting</a> attacks, which have been the most common cybersecurity threat for years, causing billions of dollars of damage. In this task, you will improve the security of MediaWiki by reducing its attack surface!</p>
<p>MediaWiki provides the <a href="https://www.mediawiki.org/wiki/Manual:Html.php">Html class</a> and <a href="https://www.mediawiki.org/wiki/Manual:Messages_API#Output_modes_and_escaping">i18n built-in escaping</a>, but some areas of the code don't use them correctly (or at all). You will help fix them.</p>
<p>Pick one special page listed <a href="https://phabricator.wikimedia.org/T85864">in the issue tracker</a>; clone the code and check all the usages of the message keys listed next to its name; fix them and submit your patch in gerrit. The header tells the name of the repository; <a href="https://gerrit.wikimedia.org/r/#/q/topic:esc+owner:Nikerabbit,n,z">examples are available</a> of what your patches should look like.</p>

Can we add this to GCI?

I'd guess so, but it would require mentor(s)...

Until January 18th I cannot guarantee fast responses.

Jdforrester-WMF lowered the priority of this task from Medium to Lowest. Aug 4 2016, 11:33 PM
Jdforrester-WMF subscribed.

LiquidThreads has been replaced by StructuredDiscussions on all Wikimedia production wikis (except one, which will be done soon). It is no longer under active development or maintenance, so I'm re-classifying all open LQT tasks as "Lowest" priority.

Nemo_bis raised the priority of this task from Lowest to Medium. Aug 5 2016, 7:32 AM

Change 343117 had a related patch set (by Matěj Suchánek) published:
Escape text in Linker::specialLink()

https://gerrit.wikimedia.org/r/343117

Change 343117 merged by jenkins-bot:
[mediawiki/core@master] Escape text in Linker::specialLink()

https://gerrit.wikimedia.org/r/343117

Not sure why these tags were added. It does not help me to see this open task on the board if there is nothing actionable.

How about we close this task? The list given is likely outdated already.

Peachey88 subscribed.

Closing per @Nikerabbit

If the list is ever refreshed, individual tasks can be filed for each extension, which will make the task a lot more manageable.

Jdforrester-WMF changed the task status from Resolved to Invalid. Oct 4 2021, 6:15 PM

That would be "Invalid" or "Declined", not "Resolved" then. :-)