Last modified: 2014-07-06 22:18:25 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T69547, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 67547 - Missing system messages are doubly escaped at Special:Specialpages
Missing system messages are doubly escaped at Special:Specialpages
Status: PATCH_TO_REVIEW
Product: MediaWiki
Classification: Unclassified
Special pages (Other open bugs)
unspecified
All All
: Normal minor (vote)
: ---
Assigned To: Nobody - You can work on this!
: i18n
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-07-05 02:20 UTC by This, that and the other (TTO)
Modified: 2014-07-06 22:18 UTC (History)
3 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description This, that and the other (TTO) 2014-07-05 02:20:26 UTC 
[[foundation:Special:SpecialPages#mw-specialpagesgroup-other]] has

Other special pages

    <mathshowimage>
    VIPS scaling test page

[[wikitech:Special:SpecialPages#mw-specialpagesgroup-nova]] has

OpenStack Nova

    <novaresources>
    Manage instance proxies
    Manage instances
etc

Obviously humans should never get to see the > < entities without viewing the source.
Comment 1 Bawolff (Brian Wolff) 2014-07-05 06:18:40 UTC 
Humans should also never see a missing system message. (In ideal world)
Comment 2 Bawolff (Brian Wolff) 2014-07-05 06:34:14 UTC 
Hmm possibly we should do something like:

 diff --git a/includes/Message.php b/includes/Message.php
 index 826d55b..e340063 100644
 --- a/includes/Message.php
 +++ b/includes/Message.php
 @@ -638,7 +638,7 @@ class Message {
 
                if ( $string === false ) {
                        $key = htmlspecialchars( is_array( $this->key ) ?  $this->key[0] : $this->key );
 -                       if ( $this->format === 'plain' ) {
 +                       if ( $this->format === 'plain' || $this->format === 'text' ) {
                                 return '<' . $key . '>';
                         }
                         return '&lt;' . $key . '&gt;';


OTOH, what if users incorrectly use ->text() somewhere they shouldn't? Current behaviour would be to output a message from MW namespace unescaped, which is  bad, but not horrible since only admins can edit MW namespace. After this change, if user can control the name of the message, they could possibly have an XSS in that situation. [cc'ing Niklas in case he has any thoughts on that]

----

getDescription() should perhaps also do better when MW message is missing. Incoming patch for that part.
Comment 3 Gerrit Notification Bot 2014-07-05 06:46:41 UTC 
Change 144253 had a related patch set uploaded by Brian Wolff:
Degrade gracefully on missing special page description message.

https://gerrit.wikimedia.org/r/144253
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links