
Port wikibase templates to Mustache
Open, Medium, Public

Description

Context

Wikibase currently uses a homegrown templating system to assemble the user interface HTML, both in PHP and in JS. In this templating system (view/src/Template/ + view/resources/wikibase/templates.js), the caller is responsible for escaping every template argument; forgetting to escape a single argument can result in a security vulnerability (e.g. T339111: CVE-2023-37302: Style injection into badges on Wikidata due to unescaped quotes. Escape messages in TermsListView).

MediaWiki core has since gained support for Mustache-based templates, again both in PHP and JS. This system escapes template arguments by default; parameters that should not be escaped are marked in the template itself with triple braces ({{{param}}}) and can easily be searched for and audited (git grep -F '{{{' '*.mustache'). Template arguments are also passed by name in this system ({{title}}) rather than by number as in Wikibase’s system ($2), so a mismatch between template and caller is visible rather than silently shifting arguments.

Main Objectives

The objective of this task is to migrate all uses of the old templating system in Wikibase to the new system, and eventually remove the old system from Wikibase altogether. This will make the code more readable, more similar to other MediaWiki extensions, and help to prevent future security vulnerabilities. It should also reduce the coupling within Wikibase, since the bindings to Wikibase’s template system will be gone.

Considerations

Since the same templates are used in PHP and JS, and the template syntax will change, PHP and JS must be migrated at the same time. That said, the migration can probably be split by template (i.e., do the PHP+JS migration of wikibase-statementgrouplistview first, then the PHP+JS migration of wikibase-entitytermsview, etc.), as long as each template is switched on both sides in one step.
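The difference between the two escaping models described above, as an added example that is not Wikibase code and not MediaWiki core's Mustache implementation. It contrasts a positional, caller-escapes renderer (`renderLegacy`, with `$1`/`$2` placeholders) against a minimal Mustache-style renderer (`renderMustache`) that only implements the two variable tags relevant here: `{{name}}` escaped by default and `{{{name}}}` raw. The badge templates and the hostile title value are constructed for illustration; they are not the actual Wikibase badge markup or the T339111 payload. `findRawTags` is the in-code equivalent of the `git grep -F '{{{'` audit.

```javascript
// Added example (not Wikibase or MediaWiki core code): a caller-escapes,
// positional template system next to a Mustache-style one that escapes by
// default. Templates and sample data below are constructed for illustration.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Legacy-style renderer: numbered placeholders ($1, $2, ...), no escaping.
// Whoever calls it must escape each argument beforehand; nothing enforces it.
function renderLegacy(template, args) {
  return template.replace(/\$(\d+)/g, (m, n) => {
    const idx = Number(n) - 1;
    return idx < args.length ? String(args[idx]) : m;
  });
}

// Minimal Mustache-style renderer covering only variable tags:
//   {{name}}   -> HTML-escaped (the default)
//   {{{name}}} -> inserted raw (must be justified and audited)
// Sections, partials and other Mustache features are deliberately omitted.
function renderMustache(template, view) {
  return template.replace(/\{\{\{\s*(\w+)\s*\}\}\}|\{\{\s*(\w+)\s*\}\}/g, (m, rawName, escName) => {
    if (rawName !== undefined) {
      return rawName in view ? String(view[rawName]) : '';
    }
    return escName in view ? escapeHtml(view[escName]) : '';
  });
}

// Audit helper mirroring `git grep -F '{{{' '*.mustache'`: lists every raw tag
// in a template so a reviewer can justify each one.
function findRawTags(template) {
  const names = [];
  const re = /\{\{\{\s*(\w+)\s*\}\}\}/g;
  let m;
  while ((m = re.exec(template)) !== null) names.push(m[1]);
  return names;
}

// Constructed badge markup; the attacker-influenced value is the badge title.
const LEGACY_BADGE = '<span class="wb-badge" title="$1">$2</span>';
const MUSTACHE_BADGE = '<span class="wb-badge" title="{{title}}">{{label}}</span>';
const MUSTACHE_BADGE_RAW = '<span class="wb-badge" title="{{title}}">{{{labelHtml}}}</span>';

// A title containing an unescaped double quote closes the title attribute
// and lets the rest of the value become a new attribute.
const hostileTitle = 'x" style="color:red';

function legacyUnescapedOutput() {
  // Caller forgot to escape: the quote ends title="" and a style="" attribute appears.
  return renderLegacy(LEGACY_BADGE, [hostileTitle, 'featured']);
}

function legacyEscapedOutput() {
  // Correct use of the legacy system: every argument escaped by the caller.
  return renderLegacy(LEGACY_BADGE, [escapeHtml(hostileTitle), escapeHtml('featured')]);
}

function mustacheOutput() {
  // Nothing to forget: {{title}} is escaped without any action by the caller.
  return renderMustache(MUSTACHE_BADGE, { title: hostileTitle, label: 'featured' });
}

// Crude detector for the injected attribute: the rendered markup should never
// contain a literal style=" unless the template itself had one.
function hasInjectedStyleAttribute(html) {
  return /\sstyle="/.test(html);
}
```

Running `legacyUnescapedOutput()` yields `<span class="wb-badge" title="x" style="color:red">featured</span>`, while `mustacheOutput()` yields `title="x&quot; style=&quot;color:red"` with no new attribute. `findRawTags(MUSTACHE_BADGE_RAW)` returns `['labelHtml']`, which is exactly the kind of spot a reviewer would check during the migration.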


Event Timeline

daniel raised the priority of this task from to Needs Triage.
daniel updated the task description. (Show Details)
daniel added a project: Wikidata.
daniel subscribed.
Lydia_Pintscher set Security to None.

Wikibase’s homegrown template system has recently caused several security vulnerabilities (primarily T339111: CVE-2023-37302: Style injection into badges on Wikidata due to unescaped quotes; Escape messages in TermsListView was just merged on master since it was found before the vulnerable code was deployed anywhere). I suggest we prioritize this migration.

Change 935001 had a related patch set uploaded (by Lucas Werkmeister (WMDE); author: Lucas Werkmeister (WMDE)):

[mediawiki/extensions/Wikibase@master] Decouple Template from Message

https://gerrit.wikimedia.org/r/935001

(The above change doesn’t implement this task yet, it just simplifies the existing code in preparation.)

The current Wikibase code also has a regex in JS which eslint now detects as being unsafe (see discussion). We’re not 100% sure if it’s actually exploitable in practice or not, but migrating to mustache would also resolve that issue.

Change 935001 merged by jenkins-bot:

[mediawiki/extensions/Wikibase@master] Decouple Template from Message

https://gerrit.wikimedia.org/r/935001