TL;DR: some i18n messages used as HTML; imported nightly from translatewiki, but not automatically deployed to query.wikidata.org
The Wikidata Query Service UI (`wikidata/query/gui` in Gerrit) uses the “//x// results in //y// ms” message directly as HTML:
```lang=js,name=wikibase/queryService/ui/ResultView.js
// The formatted message is inserted with .html(), so any markup contained in
// the (possibly translated) message text becomes live DOM, not visible text.
$( '#response-summary' ).html(
	wikibase.queryService.ui.i18n.getMessage(
		'wdqs-app-resultbrowser-response-summary',
		'$1 results in $2 ms',
		[ api.getResultLength(), api.getExecutionTime() ]
	)
);
```
If the message (either the English source or a translation) is edited to contain a `<script>` tag, its contents are executed as soon as a query result is shown (which, for embed.html, means as soon as the page loads). To reproduce this issue, clone the repository, run `npm install`, apply a patch similar to
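To make the difference between the two renderings concrete, here is an added example that is not code from `wikidata/query/gui`. It stands in for `wikibase.queryService.ui.i18n.getMessage` with a deliberately simplified `formatMessage` (hypothetical: it only expands `{{PLURAL:$n|one|many}}` and `$n` placeholders, which is all the message above needs), then shows the string the page hands to `.html()` next to the text-only rendering, and finishes with a crude detector over the message table in the spirit of the HTML check mentioned below. The message data is constructed inline so the block runs under Node without a DOM or jQuery.

```javascript
// Added example, not part of wikidata/query/gui. Constructed i18n data:
// the shipped English message plus a copy tampered like the proof-of-concept patch.
const MESSAGES = {
  'wdqs-app-resultbrowser-response-summary':
    '$1 {{PLURAL:$1|result|results}} in $2 ms',
  'wdqs-app-resultbrowser-response-summary-tampered':
    "$1 {{PLURAL:$1|result|results}} in $2 ms<script>alert('hi')</script>"
};

const FALLBACK = '$1 results in $2 ms';

// Hypothetical stand-in for getMessage(): expands {{PLURAL:$n|one|many}} using
// the n-th parameter, then substitutes $n. The real parser is not shown on the page.
function formatMessage(key, fallback, params) {
  const template = MESSAGES[key] !== undefined ? MESSAGES[key] : fallback;
  const withPlural = template.replace(
    /\{\{PLURAL:\$(\d+)\|([^|}]*)\|([^}]*)\}\}/g,
    (m, idx, one, many) => (Number(params[idx - 1]) === 1 ? one : many)
  );
  return withPlural.replace(/\$(\d+)/g, (m, idx) => String(params[idx - 1]));
}

// What the vulnerable code passes to .html(): the browser parses this as markup,
// so a <script> (or an element with an event-handler attribute) in the message runs.
function renderAsHtml(key, params) {
  return formatMessage(key, FALLBACK, params);
}

// Hardened form. In the real UI this is what .text() achieves (it sets textContent,
// which is never parsed); escaping here makes the effect visible in a plain string.
// Escape after substitution so that parameters are covered as well as the template.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function renderAsText(key, params) {
  return escapeHtml(formatMessage(key, FALLBACK, params));
}

// Crude detector: message keys whose text contains something that looks like a tag.
// Only a first line of defence; the rendering fix above is what actually closes the hole.
function messagesWithMarkup(messages) {
  return Object.keys(messages).filter((k) => /<\/?[a-z][^>]*>/i.test(messages[k]));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('html:', renderAsHtml('wdqs-app-resultbrowser-response-summary-tampered', [3, 42]));
  console.log('text:', renderAsText('wdqs-app-resultbrowser-response-summary-tampered', [3, 42]));
  console.log('flagged:', messagesWithMarkup(MESSAGES));
}
```

The corresponding one-line change in the UI is to call `$( '#response-summary' ).text( ... )` instead of `.html( ... )`. Note that `<script>` fires in the original only because jQuery's `.html()` evaluates script elements contained in the string it inserts; a plain `innerHTML` assignment would not run it, but an element carrying an event-handler attribute would still execute, which is why stripping `<script>` is not a fix.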
```lang=diff
diff --git a/i18n/en.json b/i18n/en.json
index e588694..f91a1b4 100644
--- a/i18n/en.json
+++ b/i18n/en.json
@@ -67 +67 @@
- "wdqs-app-resultbrowser-response-summary": "$1 {{PLURAL:$1|result|results}} in $2 ms",
+ "wdqs-app-resultbrowser-response-summary": "$1 {{PLURAL:$1|result|results}} in $2 ms<script>alert('hi')</script>",
```
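Review bot: this hunk is the proof of concept rather than a fix, and it is correct for that purpose; the `<script>` appended on the `+` line fires only because the `.html()` call in ResultView.js hands the message to jQuery, which evaluates script elements in inserted markup. The fix therefore belongs in ResultView.js (render the message with `.text()`), not in a filter on en.json, since any message that is treated as markup can also carry an event-handler attribute without a `<script>` tag.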
then run `npm run start` and, in the resulting browser window, enter any query (e.g. `ASK{}`) and run it (e.g. by pressing Ctrl+Enter or clicking the blue “play” button).
Translations are imported from translatewiki.net by l10n-bot every night; however, they are not deployed automatically. (There is also a Jenkins job that rejects l10n-bot changes that appear to add HTML, which should block the automatic import of a translation like this.) First, a corresponding update to the `wikidata/query/gui-deploy` repository needs to be built – this is supposed to happen automatically, but is currently broken due to T235651. Then that update needs to be merged, then the `gui` submodule of the `wikidata/query/deploy` repository needs to be updated to point to the new build (with another Gerrit change), and then this change needs to be deployed (with `scap`). (This process is subject to change in T235639.) In theory, those reviews can detect the malicious message, but in practice I don’t think we expect actual code review to take place in those stages.