In T212071#8274383, @Legoktm wrote:
Sep 27 2023
MSGJ awarded T71441: Feature request: add detection for disambiguation pages to Scribunto an Evil Spooky Haunted Tree token.
Oct 30 2022
Feb 11 2022
MrStradivarius closed T301564: DisamAssist user script: lack of escaping in page title link as Resolved.
MrStradivarius added a comment to T301564: DisamAssist user script: lack of escaping in page title link.
I have now applied the fix to all of the above pages, so I am closing this issue.
MrStradivarius added a comment to T301564: DisamAssist user script: lack of escaping in page title link.
I found the following affected pages from global search:
Feb 7 2022
MrStradivarius added a comment to T300743: XSS vulnerability in the script-installer gadget: improper escaping of page names results in users installing untrusted code into their common.js page.
Ok, I have now patched all affected scripts, so I'm closing this task. Thanks everyone for your help.
Feb 6 2022
MrStradivarius added a comment to T300743: XSS vulnerability in the script-installer gadget: improper escaping of page names results in users installing untrusted code into their common.js page.
I found a problem with T300743-enwiki2.patch - disabling and uninstallation was broken for imports containing escaped characters, as they were searching for the unescaped script name instead of the escaped script name. I've fixed this in T300743-enwiki3.patch below. I'm confident that the patch is working properly now, so if everything looks good I will go ahead and roll it out. @Enterprisey, does this look OK to you?
MrStradivarius added a comment to T300743: XSS vulnerability in the script-installer gadget: improper escaping of page names results in users installing untrusted code into their common.js page.
Here's the new patch:
MrStradivarius added a comment to T300743: XSS vulnerability in the script-installer gadget: improper escaping of page names results in users installing untrusted code into their common.js page.
In T300743#7686298, @MrStradivarius wrote:However, if you then normalise the import for that script, the gadget will then parse it from common.js without decoding it, and then double encode it when it saves the page, so you will get foo\\\'bar.js.
MrStradivarius added a comment to T300743: XSS vulnerability in the script-installer gadget: improper escaping of page names results in users installing untrusted code into their common.js page.
In T300743#7677493, @Enterprisey wrote:I believe the line terminator characters are not allowed to be in MediaWiki page titles, so if it's not too much extra effort I'd suggest rejecting them outright (crashing or alert()'ing would be fine, the installation links would have to be severely broken anyway).
MrStradivarius added a comment to T300743: XSS vulnerability in the script-installer gadget: improper escaping of page names results in users installing untrusted code into their common.js page.
I've tested the patch, and there is a problem with it - it breaks round tripping between the common.js and the gadget. If a script name contains a single quote like foo'bar.js, when saving it to common.js it will be escaped as foo\'bar.js, which is correct. However, if you then normalise the import for that script, the gadget will then parse it from common.js without decoding it, and then double encode it when it saves the page, so you will get foo\\\'bar.js. This will break the import, as that is a different MediaWiki page title than the original script name.
Feb 4 2022
MrStradivarius added a comment to T300743: XSS vulnerability in the script-installer gadget: improper escaping of page names results in users installing untrusted code into their common.js page.
I've created a patch for the enwiki gadget. @Enterprisey: how does this look to you?
I haven't tested the patch locally yet - I'll do that after work.
Feb 3 2022
MrStradivarius added a comment to T300743: XSS vulnerability in the script-installer gadget: improper escaping of page names results in users installing untrusted code into their common.js page.
Thanks for making the patch. I had a look at it, and I think that the URL needs to be escaped differently, with URL encoding instead of JS string escaping. In fact, there are four different contexts here, that each require different escaping:
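As an added illustration of the escaping problems discussed in this task (this is example code, not the script-installer gadget or any of the patches attached to T300743): the JS string-literal escaper below has an exact inverse, so a title such as foo'bar.js round-trips through an importScript line without turning into foo\\\'bar.js; the lookup used for disable/uninstall matches by decoded title rather than by raw text; titles containing line terminators are rejected outright; and the URL and HTML contexts get their own encoders instead of JS string escaping. The importScript('...') line format, the action=raw URL and the choice of contexts shown are assumptions made for the example, since the comment's own list of four contexts did not survive on this page.

```javascript
'use strict';

// Added example, not the script-installer gadget's code. The importScript line
// format and the action=raw URL are assumed for illustration.

// --- JS string-literal context -------------------------------------------
// Inside '...' only backslash and single quote need escaping. Line terminators
// are refused: a MediaWiki title cannot contain them, so their presence means
// the input is not a title at all.
function escapeForJsString(title) {
  if (/[\r\n\u2028\u2029]/.test(title)) {
    throw new Error('line terminator in page title: ' + JSON.stringify(title));
  }
  return title.replace(/\\/g, '\\\\').replace(/'/g, "\\'");
}

// Exact inverse of escapeForJsString. Any other escape is refused rather than
// silently mangled (a raw \n would otherwise decode to the letter n).
function unescapeFromJsString(escaped) {
  return escaped.replace(/\\(.)/g, (seq, ch) => {
    if (ch === '\\' || ch === "'") return ch;
    throw new Error('unsupported escape in import line: ' + seq);
  });
}

// --- URL and HTML contexts -----------------------------------------------
// Query-parameter context: percent-encode, never JS-escape.
function rawScriptUrl(title) {
  return '/w/index.php?title=' + encodeURIComponent(title) +
    '&action=raw&ctype=text/javascript';
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Markup context layered on the URL context: the href is URL-encoded first and
// then HTML-escaped; the visible title is HTML-escaped on its own.
function installLinkHtml(title) {
  return '<a href="' + escapeHtml(rawScriptUrl(title)) + '">' +
    escapeHtml(title) + '</a>';
}

// --- common.js line handling ---------------------------------------------
// importScript('...') whose literal body is any run of non-quote, non-backslash
// characters or backslash escapes; trailing comments after the call are allowed.
const IMPORT_RE = /^\s*importScript\(\s*'((?:[^'\\]|\\.)*)'\s*\)\s*;?/;

function buildImportLine(title) {
  return "importScript('" + escapeForJsString(title) + "');";
}

// Correct reader: returns the decoded title, so re-saving it is idempotent.
function parseImportLine(line) {
  const m = IMPORT_RE.exec(line);
  return m ? unescapeFromJsString(m[1]) : null;
}

// The bug described in this task: reading the literal body back without
// decoding it. Feeding the result to buildImportLine escapes it a second time.
function naiveParseImportLine(line) {
  const m = IMPORT_RE.exec(line);
  return m ? m[1] : null;
}

// Locate the import for `title` by comparing decoded titles, so it is found
// whether or not the stored name contains escapes. Returns a line index or -1.
function findImportLine(commonJs, title) {
  const lines = commonJs.split('\n');
  for (let i = 0; i < lines.length; i++) {
    if (parseImportLine(lines[i]) === title) return i;
  }
  return -1;
}

function uninstall(commonJs, title) {
  const lines = commonJs.split('\n');
  const idx = findImportLine(commonJs, title);
  if (idx >= 0) lines.splice(idx, 1);
  return lines.join('\n');
}

// Constructed sample common.js; one title carries both a quote and a backslash.
const SAMPLE_TITLE = "User:Example/foo'bar\\baz.js";
const SAMPLE_COMMON_JS = [
  '// my scripts',
  buildImportLine('User:Example/plain.js'),
  buildImportLine(SAMPLE_TITLE) + ' // Backlink: [[' + SAMPLE_TITLE + ']]',
].join('\n');
```

Note that parseImportLine throws on an escape it does not recognise, so a hand-edited common.js with, say, a literal \n inside an importScript call surfaces as an error rather than being rewritten into something else on the next save; that is deliberate and matches the "reject outright" approach taken in the discussion.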
Feb 2 2022
MrStradivarius added a comment to T300743: XSS vulnerability in the script-installer gadget: improper escaping of page names results in users installing untrusted code into their common.js page.
I have global interface admin rights now, so I can patch all of the affected wikis. It will take me a little while to get the patches ready, though, and it's too late here for me to do it today.
MrStradivarius added a comment to T300743: XSS vulnerability in the script-installer gadget: improper escaping of page names results in users installing untrusted code into their common.js page.
I'm finding the following instances of the gadget using this global search query:
Jan 12 2022
In T29766#7613238, @SD0001 wrote:By default, I think gadgets should be treated as safe.
Jan 9 2022
MrStradivarius closed T298481: XSS vulnerability in the FormWizard default gadget on enwiki as Resolved.
MrStradivarius added a comment to T298481: XSS vulnerability in the FormWizard default gadget on enwiki.
I had a look with the global search tool and couldn't find any more instances, so I think we're now actually safe to close this issue. Feel free to reopen if you find any others.
MrStradivarius added a comment to T298481: XSS vulnerability in the FormWizard default gadget on enwiki.
@Urbanecm Yes, those all look good to me. Thank you!
Jan 7 2022
MrStradivarius added a comment to T298481: XSS vulnerability in the FormWizard default gadget on enwiki.
Jan 6 2022
MrStradivarius closed T298481: XSS vulnerability in the FormWizard default gadget on enwiki as Resolved.
MrStradivarius added a comment to T298481: XSS vulnerability in the FormWizard default gadget on enwiki.
I think I applied all of them correctly -- can you check that please?
Jan 5 2022
MrStradivarius added a comment to T298481: XSS vulnerability in the FormWizard default gadget on enwiki.
@Urbanecm I made patches for each of the listed wikis. If you could apply them, it would be much appreciated.
Jan 4 2022
MrStradivarius added a comment to T298481: XSS vulnerability in the FormWizard default gadget on enwiki.
Hm, it might be best if I ask for global interface admin permissions - then I can just update them all myself. I had those permissions previously for a multi-wiki maintenance task, so hopefully I will be able to get them again.
Jan 3 2022
Nov 30 2020
• RoundNutz78 awarded T99335: Sandbox link should follow redirects a 100 token.
Mar 10 2018
MrStradivarius added a comment to T32750: [Epic] Ping/notify user when username used in an edit summary.
Will user subpages be included? The first of the acceptance criteria above is not clear on this point.
Feb 14 2018
Liuxinyu970226 awarded T114384: Standardise procedures for deprecating public-facing code a Love token.
Feb 1 2018
Dec 22 2016
MrStradivarius renamed T153933: OOjs-ui TextInputWidget broken if a label is supplied with labelPosition=before from OOjs-ui textInputWidget broken if a label is supplied with labelPosition=before to OOjs-ui TextInputWidget broken if a label is supplied with labelPosition=before.
MrStradivarius updated the task description for T153933: OOjs-ui TextInputWidget broken if a label is supplied with labelPosition=before.
Dec 19 2016
Dec 5 2016
MrStradivarius added a comment to T139873: Can't delete en:File:Testing_protection_level_reset_on_delete_and_restore.png.
I just managed to delete the file using the normal web interface.
Nov 1 2016
Jackmcbarn awarded T71441: Feature request: add detection for disambiguation pages to Scribunto a Dislike token.
Aug 23 2016
Liuxinyu970226 awarded T63993: Babel language codes should be normalised to lower case when used in categories a The World Burns token.
Jul 11 2016
MrStradivarius added a comment to T139873: Can't delete en:File:Testing_protection_level_reset_on_delete_and_restore.png.
I'm reopening this. @Pokefan95: the issue does seem to be the same as at the other bug, but the page still needs to be deleted. That will require help from someone with access to the database, I'm guessing. I just tried to delete it again today, and it failed with the same error, so it doesn't look like waiting will help things.
Jul 10 2016
MrStradivarius updated the task description for T139873: Can't delete en:File:Testing_protection_level_reset_on_delete_and_restore.png.
May 27 2016
MrStradivarius updated the task description for T136375: Rollback T88044 (broke rollback-related utilities).
In T136375#2335622, @MrStradivarius wrote:This was also affecting my ConfirmRollback script.
This was also affecting my ConfirmRollback script. If you have the script installed and click on a rollback link on a page that you have set to "confirm", then the script will pop up a dialog saying "Revert n edits by SomeUser?" After the change, the rollback would occur directly after the initial click on the rollback link, regardless of the dialog.
MrStradivarius updated the task description for T136375: Rollback T88044 (broke rollback-related utilities).
Mar 22 2016
MrStradivarius added a comment to T129764: New Error Message for "Error Access to the remote domain was denied." (echo-api-failure-cross-wiki) message and use errorObj?.
In T129764#2138147, @Catrope wrote:Could not load notifications from xxx.org. This may be caused by an ad blocker or other browser extension blocking the request.
Mar 17 2016
MrStradivarius added a comment to T129764: New Error Message for "Error Access to the remote domain was denied." (echo-api-failure-cross-wiki) message and use errorObj?.
I also agree with @Jay8g that it would be good to do something about the notification being stuck in the menu with no obvious way to dismiss it. If the notification could link to the proper page on the remote domain that would work, if that is possible with the current architecture. Dropping the notification after one view would also work. One of those options plus a descriptive error message would be the sweet spot for this particular issue, I think.
MrStradivarius added a comment to T129764: New Error Message for "Error Access to the remote domain was denied." (echo-api-failure-cross-wiki) message and use errorObj?.
In T129764#2115370, @Quiddity wrote:I believe this is caused by the NoScript browser extension, and you just need to whitelist the domain.
Mar 13 2016
MrStradivarius renamed T129764: New Error Message for "Error Access to the remote domain was denied." (echo-api-failure-cross-wiki) message and use errorObj? from Cross-wiki notifications from itwikisource: "Error Access to the remote domain was denied." to Cross-wiki notifications from Wikisource: "Error Access to the remote domain was denied.".
Feb 14 2016
Jan 12 2016
MrStradivarius added a comment to T114384: Standardise procedures for deprecating public-facing code.
In T114384#1927029, @Qgil wrote:Was this topic discussed at the Summit?
Jan 5 2016
MrStradivarius updated the task description for T89733: Allow ContentHandler to expose structured data to the search engine..
Dec 27 2015
MrStradivarius added a comment to T119735: mw.wikibase.getEntity(nil) returns an entity object on Flow page preview, but nil on page save.
In T119735#1905272, @hoo wrote:I don't think there's anything we can do in Wikibase to "fix" this and I'm not sure Flow should mess with the title used for parsing either. It might be a good idea to also use a random Topic: namespace title during comment previews in flow, but despite of that, I don't think this is actionable. Wontfix?
Dec 20 2015
Dec 10 2015
Nov 27 2015
MrStradivarius renamed T119735: mw.wikibase.getEntity(nil) returns an entity object on Flow page preview, but nil on page save from Flow: A lua error during preview but not after saving to mw.wikibase.getEntity(nil) returns an entity object on Flow page preview, but nil on page save.
MrStradivarius added a comment to T119735: mw.wikibase.getEntity(nil) returns an entity object on Flow page preview, but nil on page save.
The direct cause of this error message is the logic in d:Module:Property documentation. On line 262 it assumes that the global variable id exists if the Wikibase entity returned by mw.wikibase.getEntity also exists on line 257. However, if no id is supplied as an argument to the module, the module is not invoked in the "Property talk" namespace, and mw.wikibase.getEntity(nil) returns the entity for the current page, then the id variable will be nil, and the Wikibase entity will exist. This will result in the error that you saw when the module tries to concatenate id to the URL string in line 262.
Nov 19 2015
MrStradivarius added a comment to T118977: frame:preprocess does not work when module is called with subst:.
You need to put safesubst in the template you are trying to substitute as well. In Vorlage:en, change {{#if:{{{nolink|}}}|Englisch|[[Englisch]]}} to {{<includeonly>safesubst:</includeonly>#if:{{{nolink|}}}|Englisch|[[Englisch]]}}, and it should work.
MrStradivarius added a comment to T118977: frame:preprocess does not work when module is called with subst:.
To add to what Anomie and Jackmcbarn said, if you do need to use frame:preprocess with both substitution and transclusion, you can use safesubst. For example, frame:preprocess( '{{safesubst:Test}}' ) will always get you the expanded {{Test}} template.
Nov 12 2015
MrStradivarius added a comment to T14974: The newline added to a template, magic word, variable, or parser function that returns line-start wikicode formatting (*#:; {|) causes unexpected parsing.
In T14974#1799933, @cscott wrote:I'm just saying that you can't "fix this bug" without fixing the content first.
Nov 5 2015
MrStradivarius added a comment to T114384: Standardise procedures for deprecating public-facing code.
In T114384#1754743, @Qgil wrote:This task is mainly about agreeing on expectations on the developers changing APIs, right?
MrStradivarius updated the task description for T114384: Standardise procedures for deprecating public-facing code.
In T35355#380446, @Krinkle wrote:(In reply to comment #5) Well, if we're talking about a new feature, then I don't think there's a need to support user scripts (if that's possible in a good way at all). If you're referring to /* [[links]] */ and Special:WhatLinksHere.. well, I'd say keep using that until gadgets are the common way for creating scripts.
MrStradivarius updated the task description for T117836: Link and cite explanations overlapped by template selections at the top of articles.
Oct 27 2015
Nnemo awarded T114736: Edit conflict on page move on enwiki results in loss of user input a Pterodactyl token.
Oct 26 2015
Johan awarded T114384: Standardise procedures for deprecating public-facing code a Love token.
Oct 25 2015
MrStradivarius updated the task description for T116532: The key shown in the "Cite error references duplicate key" error message contains underscores instead of spaces.
Oct 14 2015
Ckoerner awarded T114384: Standardise procedures for deprecating public-facing code a Like token.
Oct 13 2015
MrStradivarius updated the task description for T114384: Standardise procedures for deprecating public-facing code.
MrStradivarius updated the task description for T114384: Standardise procedures for deprecating public-facing code.
MrStradivarius added a comment to T114384: Standardise procedures for deprecating public-facing code.
In T114384#1720920, @Legoktm wrote:The procedure for api.php deprecation and updates is documented at https://www.mediawiki.org/wiki/Requests_for_comment/API_roadmap (could be moved to a better page I suppose).
MrStradivarius added a comment to T114384: Standardise procedures for deprecating public-facing code.
In T114384#1720147, @Qgil wrote:At the Developer Summit, we should decide whether...
In order to reach to such decision at the Summit, what would need to start being discussed now?
Oct 8 2015
Aklapper awarded T114384: Standardise procedures for deprecating public-facing code a Love token.
Oct 6 2015
Oct 1 2015
Ricordisamoa awarded T114384: Standardise procedures for deprecating public-facing code a Love token.
Sep 24 2015
MrStradivarius added a comment to T108566: Non-finalised input is added to the document when using the Anthy Japanese IME with VisualEditor.
In T108566#1670886, @Esanders wrote:At the moment our undo grouping is completely time based. Other editors appear to be at least partially based on wordbreaks, e.g. undo deletes words at a time. That could help with 1.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses.