Last modified: 2011-05-24 21:11:38 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T31094, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 29094 - 'addurl' does not catch urls entered in "<a href" tags
Status: RESOLVED INVALID
Product: MediaWiki extensions
Classification: Unclassified
Component: ConfirmEdit (CAPTCHA extension)
Version: unspecified
Hardware: All All
Importance: Highest major
Assigned To: Nobody - You can work on this!
Reported: 2011-05-22 18:13 UTC by Brad Will (tmbw.net)
Modified: 2011-05-24 21:11 UTC (History)
Description Brad Will (tmbw.net) 2011-05-22 18:13:23 UTC

    
Comment 1 Brad Will (tmbw.net) 2011-05-22 18:16:50 UTC
The ConfirmEdit extension is not catching URLs that are added to pages within HTML tags. If a user enters a URL within an "<a" tag, for example, the captcha will not trigger.
Comment 2 Mark A. Hershberger 2011-05-24 17:47:40 UTC
Bumping priority since this could invite abuse.
Comment 3 Bawolff (Brian Wolff) 2011-05-24 20:28:26 UTC
I cannot reproduce this (on enwikinews).
Comment 4 Brad Will (tmbw.net) 2011-05-24 20:55:57 UTC
It doesn't look like Wikinews' sanitizer allows "a" tags to be entered. The wiki on which this was found does allow "a" tags. Is there a Wikimedia Foundation installation out there somewhere that would allow them, where we could test?
Comment 5 Bawolff (Brian Wolff) 2011-05-24 21:00:55 UTC
(In reply to comment #4)
> It doesn't look like Wikinews' sanitizer allows "a" tags to be entered. The
> wiki on which this was found does allow "a" tags. Is there a Wikimedia
> Foundation installation out there somewhere that would allow them, where we
> could test?

I thought you meant adding a <a> tag without it being interpreted.

I didn't think it was possible to configure MediaWiki to allow <a> tags (not counting if you enable $wgRawHtml, but if you have that on, and are worried about spam, you have _much_ bigger problems).

Can you describe exactly how the wiki in question is configured to allow <a> tags?
Comment 6 Bawolff (Brian Wolff) 2011-05-24 21:07:29 UTC
Note, guessing that your wiki is http://tmbw.net (based on your name), it looks as if most of the sanitizer code has been disabled, which has significant security implications...


As for the actual bug, since MediaWiki is not designed to allow <a> tags, I'm not sure if it's a bug that the extension doesn't work with <a> tags.
Comment 7 Brion Vibber 2011-05-24 21:11:38 UTC
Resolving INVALID -- the wiki being discussed appears to have disabled all of MediaWiki's security protections and is emitting unsanitized HTML. This allows cross-site scripting attacks of all sorts and is not something that MediaWiki allows, recommends, or supports.
