Last modified: 2014-07-06 22:18:25 UTC
[[foundation:Special:SpecialPages#mw-specialpagesgroup-other]] has

Other special pages
<mathshowimage>
VIPS scaling test page

[[wikitech:Special:SpecialPages#mw-specialpagesgroup-nova]] has

OpenStack Nova
<novaresources>
Manage instance proxies
Manage instances
etc

Obviously humans should never get to see the > < entities without viewing the source.
Humans should also never see a missing system message. (In an ideal world)
Hmm possibly we should do something like:

diff --git a/includes/Message.php b/includes/Message.php index 826d55b..e340063 100644 --- a/includes/Message.php +++ b/includes/Message.php @@ -638,7 +638,7 @@ class Message { if ( $string === false ) { $key = htmlspecialchars( is_array( $this->key ) ? $this->key[0] : $this->key ); - if ( $this->format === 'plain' ) { + if ( $this->format === 'plain' || $this->format === 'text' ) { return '<' . $key . '>'; } return '<' . $key . '>';

OTOH, what if users incorrectly use ->text() somewhere they shouldn't? Current behaviour would be to output a message from MW namespace unescaped, which is bad, but not horrible since only admins can edit MW namespace. After this change, if user can control the name of the message, they could possibly have an XSS in that situation. [cc'ing Niklas in case he has any thoughts on that]

----

getDescription() should perhaps also do better when MW message is missing. Incoming patch for that part.
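Review bot: the widened condition `if ( $this->format === 'plain' || $this->format === 'text' ) {` changes what ->text() returns for a missing message, but the branch has no comment saying that its return value carries literal angle brackets and must be escaped by the caller, which is exactly the misuse case raised right after the patch. Add a short comment on that branch stating that plain and text output is not HTML-safe, and a unit test that pins the missing-key return value for each format so the behaviour cannot drift. Separately, `$key` is passed through htmlspecialchars() above the format check, so a caller that correctly escapes ->text() output will escape the key a second time; consider escaping the key only where the result is meant to be emitted as HTML.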
Change 144253 had a related patch set uploaded by Brian Wolff: Degrade gracefully on missing special page description message. https://gerrit.wikimedia.org/r/144253