Last modified: 2012-04-09 08:42:53 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T36714, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 34714 - Templates used in edit summaries are expanded in e-mail notifications
Status: RESOLVED DUPLICATE of bug 35019
Product: MediaWiki
Classification: Unclassified
Component: Email
Version: unspecified
Hardware: All All
Importance: Normal major
Assigned To: Nobody - You can work on this!
Reported: 2012-02-25 20:18 UTC by MZMcBride
Modified: 2012-04-09 08:42 UTC

Description MZMcBride 2012-02-25 20:18:55 UTC
If a user causes an e-mail notification (by editing another user's talk page, for example) and the edit summary used contains a template ("{{foo}}", for example), the template will be expanded in the notification e-mail.

A snippet from a recent e-mail notification from the English Wikipedia where the edit summary originally contained "{{User page}} (get rid of it if you want). Consider it to be a suggestion.":

---
The Wikipedia page "User talk:MZMcBride" has been changed on
25 February 2012 by 7&6=thirteen, with the edit summary: <table
class="plainlinks ombox  
ombox-notice " style="margin-left: 0; margin-right: 0; border:1px solid
#ffc9c9; background-color: #fffff3;">
<tr>
<td class="mbox-empty-cell"></td>
<td class="mbox-text" style="font-size: 85%; text-align: center">
---

I played around with https://test.wikipedia.org/wiki/Template:ENotif_expansion_test to see if you could fool an e-mail client into using the wrong subject line. It seems my e-mail client (Microsoft Entourage) is smart enough to not be fooled, at least.

Between the unsanitized HTML and the ability to insert header lookalikes, this feels very dirty. I haven't yet been able to exploit this template expansion with my e-mail client, but I'm not so sure I trust other e-mail clients (cf. bug 25231) to behave reasonably.

There's no real point in the template expansion of the edit summaries, as far as I can tell. I think it should be removed, though this may upset people if they've been relying on the behavior as a hack of some kind.
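
The difference between mailing an expanded summary and mailing it as literal text, as an added example that is not part of the original report and is not MediaWiki's code. The toy expander, the template contents and every function name below are constructed for illustration.

```python
import re

# Constructed stand-ins for wiki templates (hypothetical content).
TEMPLATES = {
    "User page": '<table class="ombox">\n<tr><td>This is a user page.</td></tr>\n</table>',
    "ENotif test": "\nSubject: constructed lookalike line\n\nText after it",
}

_TEMPLATE_RE = re.compile(r"\{\{([^{}|]+)[^{}]*\}\}")


def expand_templates(text):
    """Toy expander: replace {{Name}} with the stored template body."""
    return _TEMPLATE_RE.sub(
        lambda m: TEMPLATES.get(m.group(1).strip(), m.group(0)), text)


def summary_line_expanded(summary):
    """Behaviour described in the report: the summary is expanded before mailing."""
    return "with the edit summary: " + expand_templates(summary)


def summary_line_literal(summary, max_len=255):
    """Hardened form: the summary is opaque text and is never parsed."""
    # Turn runs of control characters (CR, LF, tab, ...) into one space so the
    # summary cannot begin a new line in the plain-text body.
    flat = re.sub(r"[\x00-\x1f\x7f]+", " ", summary)
    flat = re.sub(r" {2,}", " ", flat).strip()
    return "with the edit summary: " + flat[:max_len]


def header_lookalikes(body):
    """Return body lines shaped like a mail header field ('Name: value')."""
    return [ln for ln in body.splitlines()
            if re.match(r"^[A-Za-z][A-Za-z0-9-]*:\s", ln)]
```

Running `header_lookalikes` over generated notification bodies in a test suite gives a regression check for the header-lookalike concern raised above.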
Comment 1 Nemo 2012-02-28 08:55:18 UTC
This is definitely a bug, which I didn't notice before (?).
Confirmed in 1.19wmf1, as I've just received a notification for https://www.mediawiki.org/w/index.php?title=MediaWiki_1.19%2FRoadmap&diff=504610&oldid=503855 with 

Editor's summary: /* Deployment schedule */ [[File:Yes_check.svg|15px|
]] '''Done'''
Comment 2 Nemo 2012-03-30 11:46:52 UTC
This can get very annoying... http://p.defau.lt/?Ya2vgKhfPdC9ypCLmeb_Vw
Comment 3 Alexandre Emsenhuber [IAlex] 2012-04-09 08:42:53 UTC

*** This bug has been marked as a duplicate of bug 35019 ***
