Last modified: 2013-07-17 14:30:21 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T50567, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 48567 - Templates getting substituted when used in labels, descriptions, and aliases
Status: VERIFIED FIXED
Product: MediaWiki extensions
Classification: Unclassified
Component: WikidataRepo
Version: unspecified
Hardware: All All
Importance: Immediate major
Assigned To: Wikidata bugs
Reported: 2013-05-17 02:15 UTC by T. H. Kelly (Pink&)
Modified: 2013-07-17 14:30 UTC

Description T. H. Kelly (Pink&) 2013-05-17 02:15:41 UTC
If you set an item's label,[1] description,[2] or alias[3] to a valid template call, the software actually renders the relevant field as if you'd input the substituted text of the template. This happens both with direct editing and with SetLabel.

Note also that HTML markup shows up in the page title as rendered by one's browser (MediaWiki:pagetitle, that is), but not in the rendered label.[4] I also can't quite figure out why the "<some item>" shows up in the page title but not in the label - everything else that appears within curly brackets in the template's markup is excluded from both.

Obviously there aren't that many valid reasons to set a label, description, or alias as a valid template call (I discovered this bug when someone tried to request an item's deletion by setting its label to {{Delete}}), but clearly this shouldn't be happening.

1. http://www.wikidata.org/w/index.php?diff=43025948
2. http://www.wikidata.org/w/index.php?diff=43027470
3. http://www.wikidata.org/w/index.php?diff=43027503
4. http://www.wikidata.org/w/index.php?oldid=43025948
Comment 1 pyfisch 2013-06-09 19:30:10 UTC
Also String Properties execute templates. They break the format:
https://www.wikidata.org/w/index.php?title=Q4115189&oldid=50036221
Comment 2 pyfisch 2013-06-09 19:37:51 UTC
Also some tags work: <nowiki> and <code>; others are not checked. Nowiki does not work in the user's language label but in the others which are shown.
Comment 3 Daniel Kinzler 2013-07-01 12:49:01 UTC
The issue seems to be that wfTemplate uses the Template class, which derives from Message, which will expand {{xxx}} in parameters by default. Parameters must either be sanitized/escaped before being passed in, or they need to be passed as raw parameters (in which case we have to be sure they don't contain evil html).
Comment 4 Henning 2013-07-16 15:52:12 UTC
https://gerrit.wikimedia.org/r/#/c/72499/
Comment 5 abraham.taherivand 2013-07-17 14:30:21 UTC
Verified in Wikidata demo time July 27th
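
The mechanism described in Comment 3 and the two remedies it names, as an added example that is not part of the original bug report and is not MediaWiki or Wikibase code. It is a simplified Python model; `TEMPLATES`, `MESSAGE` and every function name are hypothetical stand-ins.

```python
import html
import re

# Constructed stand-ins: a one-entry template store and a message with one slot.
TEMPLATES = {"Delete": "This page is nominated for deletion."}
MESSAGE = "<h1>$1</h1>"
SLOT = "\x00P1\x00"  # placeholder that cannot occur in the message text


def expand_templates(text):
    """Toy wikitext pass: replace {{Name}} with the template body if one exists."""
    return re.sub(
        r"\{\{([^{}|]+)\}\}",
        lambda m: TEMPLATES.get(m.group(1).strip(), m.group(0)),
        text,
    )


def render_vulnerable(label):
    # The parameter is spliced in first and the whole string is parsed afterwards,
    # so user data is indistinguishable from the message's own markup.
    return expand_templates(MESSAGE.replace("$1", label))


def escape_wikitext(text):
    """Turn characters that start wikitext or HTML constructs into entities."""
    return "".join(f"&#{ord(c)};" if c in "{}[]|<>&'\"=" else c for c in text)


def render_escaped(label):
    # Remedy 1: sanitize/escape the parameter before it is passed in.
    return expand_templates(MESSAGE.replace("$1", escape_wikitext(label)))


def render_raw(label):
    # Remedy 2: parse the message alone, then insert the parameter as a raw
    # value, HTML-escaped so it cannot carry markup of its own.
    parsed = expand_templates(MESSAGE.replace("$1", SLOT))
    return parsed.replace(SLOT, html.escape(label))


if __name__ == "__main__":
    for render in (render_vulnerable, render_escaped, render_raw):
        print(f"{render.__name__:18} {render('{{Delete}}')}")
```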
