Svoboda | Graniru | BBC Russia | Golosameriki | Facebook
BBC RussianHomePhabricator
Log In
Create Task
Maniphest T200997

Add raw HTML messages in WMF-deployed extensions to $wgRawHtmlMessages
Open, MediumPublic
Actions

Description

Following up on the work being done for T45646, I've identified the following raw HTML messages in WMF-deployed extensions:

  • WikimediaMessages
    • wikimedia-mobile-license-links
    • wikimedia-copyright
    • wikidata-copyright
    • wikimedia-feedback-termsofuse
    • Others?
  • JsonConfig
    • jsonconfig-license
    • Others?
  • TimedMediaHandler
    • some raw <a> tags can be seen in the i18n file, I haven't gone through to check which other messages are raw HTML
    • Others?
  • WikiEditor
    • all help messages (wikieditor-toolbar-help-*)
    • all titles of jQuery UI dialogs (wikieditor-toolbar-tool-*-title)
    • Others?
  • Gadgets
    • MediaWiki:Gadgets-definition (and possibly others?)
    • Others?

These messages should be added to the raw HTML messages list in extension.json, support for which is being added by @Tgr in his patch.

Needless to say, this list is not exhaustive. There are probably many other raw HTML messages, and a proper audit should be done. Perhaps @Bawolff, who wrote phan-taint-check-plugin, might have thoughts on this?

Details

SubjectRepoBranchLines +/-
Fix escaping of cx-entrypoint-dialog-page-doesnt-exist-yetmediawiki/extensions/ContentTranslationmaster+1 -3
Escape one more messagemediawiki/extensions/TimedMediaHandlermaster+1 -1
Fix message escaping or mark as rawmediawiki/extensions/TimedMediaHandlermaster+19 -8
Mark some messages as raw HTMLmediawiki/extensions/WikiEditormaster+69 -0
Mark MediaWiki:Gadgets-definition as a raw HTML messagemediawiki/extensions/Gadgetsmaster+3 -0
Mark some raw HTML messagesmediawiki/extensions/JsonConfigmaster+3 -0
Mark some raw HTML messagesmediawiki/extensions/WikimediaMessagesmaster+6 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

TTO triaged this task as Medium priority.Aug 2 2018, 10:42 AM
TTO created this task.
Tgr added a comment.Aug 5 2018, 11:10 AM
This comment was removed by Tgr.
gerritbot subscribed.Aug 5 2018, 11:17 AM

Change 450445 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[mediawiki/extensions/WikimediaMessages@master] Mark some raw HTML messages

https://gerrit.wikimedia.org/r/450445

gerritbot added a project: Patch-For-Review.Aug 5 2018, 11:17 AM
gerritbot added a comment.Aug 5 2018, 11:31 AM

Change 450449 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[mediawiki/extensions/JsonConfig@master] Mark some raw HTML messages

https://gerrit.wikimedia.org/r/450449

Tgr mentioned this in T190015: Create separate user group for editing sitewide CSS/JavaScript that does not include administrators by default.Aug 27 2018, 2:50 PM
RP88 subscribed.Aug 27 2018, 3:01 PM
Jdforrester-WMF updated the task description. (Show Details)Aug 27 2018, 4:14 PM
Jdforrester-WMF updated the task description. (Show Details)
gerritbot added a comment.Aug 27 2018, 5:30 PM

Change 455603 had a related patch set uploaded (by Jforrester; owner: Jforrester):
[mediawiki/extensions/Gadgets@master] Mark MediaWiki:Gadgets-definition as a raw HTML message

https://gerrit.wikimedia.org/r/455603

Jdforrester-WMF subscribed.Aug 27 2018, 5:33 PM
gerritbot added a comment.Aug 27 2018, 5:48 PM

Change 450445 merged by jenkins-bot:
[mediawiki/extensions/WikimediaMessages@master] Mark some raw HTML messages

https://gerrit.wikimedia.org/r/450445

Jdforrester-WMF updated the task description. (Show Details)Aug 27 2018, 5:57 PM
ReleaseTaggerBot added a project: MW-1.32-notes (WMF-deploy-2018-08-28 (1.32.0-wmf.19)).Aug 27 2018, 6:00 PM
gerritbot added a comment.Aug 27 2018, 8:32 PM

Change 450449 merged by jenkins-bot:
[mediawiki/extensions/JsonConfig@master] Mark some raw HTML messages

https://gerrit.wikimedia.org/r/450449

Jdforrester-WMF updated the task description. (Show Details)Aug 27 2018, 8:34 PM
gerritbot added a comment.Aug 28 2018, 9:59 PM

Change 456030 had a related patch set uploaded (by Jforrester; owner: Jforrester):
[mediawiki/extensions/WikiEditor@master] Mark some messages as raw HTML

https://gerrit.wikimedia.org/r/456030

gerritbot added a comment.Aug 30 2018, 2:54 AM

Change 455603 merged by jenkins-bot:
[mediawiki/extensions/Gadgets@master] Mark MediaWiki:Gadgets-definition as a raw HTML message

https://gerrit.wikimedia.org/r/455603

ReleaseTaggerBot edited projects, added MW-1.32-notes (WMF-deploy-2018-09-04 (1.32.0-wmf.20)); removed MW-1.32-notes (WMF-deploy-2018-08-28 (1.32.0-wmf.19)).Aug 30 2018, 3:00 AM
Jdforrester-WMF updated the task description. (Show Details)Aug 30 2018, 4:37 PM
PerfektesChaos subscribed.EditedSep 15 2018, 9:13 AM

I am happy with the current task.

However, I would like to see a deprecation process initiated now.

  • WMF projects which make use of unsanitizable raw HTML today shall be informed and asked to convert obeying wikitext limitations.
  • Projects in the outer world shall be informed that raw HTML is deprecated and will fade out within two releases.
  • If not defined yet a $wgHtmlHead feature for <meta> stuff might be introduced for deliberate configuration, available for site sysops only rather than any wiki page.
  • TimedMediaHandler and WikiEditor will fade out in the long run, as far as I know. No need to hurry.

The final target should be to sanitize every system message, but it might take some years to reach that point. However, it is more clear if there are no exceptions and backdoors and hidden sophisticated bypasses.

Agabi10 subscribed.Sep 15 2018, 3:55 PM
Phabricator_maintenance added a project: acl*security.Sep 20 2018, 9:15 AM
gerritbot added a comment.Oct 11 2018, 10:43 PM

Change 456030 merged by jenkins-bot:
[mediawiki/extensions/WikiEditor@master] Mark some messages as raw HTML

https://gerrit.wikimedia.org/r/456030

ReleaseTaggerBot edited projects, added MW-1.32-notes (WMF-deploy-2018-10-16 (1.32.0-wmf.26)); removed MW-1.32-notes (WMF-deploy-2018-09-04 (1.32.0-wmf.20)).Oct 11 2018, 11:00 PM
Tgr updated the task description. (Show Details)Oct 11 2018, 11:22 PM
Bawolff added a comment.Oct 12 2018, 4:12 AM
In T200997#4585562, @PerfektesChaos wrote:

I am happy with the current task.

However, I would like to see a deprecation process initiated now.

  • WMF projects which make use of unsanitizable raw HTML today shall be informed and asked to convert obeying wikitext limitations.
  • Projects in the outer world shall be informed that raw HTML is deprecated and will fade out within two releases.
  • If not defined yet a $wgHtmlHead feature for <meta> stuff might be introduced for deliberate configuration, available for site sysops only rather than any wiki page.
  • TimedMediaHandler and WikiEditor will fade out in the long run, as far as I know. No need to hurry.

The final target should be to sanitize every system message, but it might take some years to reach that point. However, it is more clear if there are no exceptions and backdoors and hidden sophisticated bypasses.

Just stating for the record, that raw html messages is generally considered "deprecated" since eons ago. No new code should introduce new raw html messages, and raw html messages are grounds for an extension to fail the extension security review that new extensions are required to go through.

It may take a while to phase out some legacy stuff (some people apparently rely on the copyright message being raw html), but any messages that just happen to be raw html with nobody depending on it being that way should be phased out aggressively.

Tgr updated the task description. (Show Details)Oct 12 2018, 6:33 PM
Tgr added a comment.Oct 12 2018, 9:11 PM
In T200997#4660578, @Bawolff wrote:

Just stating for the record, that raw html messages is generally considered "deprecated" since eons ago. No new code should introduce new raw html messages, and raw html messages are grounds for an extension to fail the extension security review that new extensions are required to go through.

AFAIK there is no equivalent of rawParam in Javascript, so if your message takes a HTML parameter (which is pretty common), you have to make it a raw HTML message, even if the message itself is not intended to contain any HTML.

gerritbot added a comment.Oct 12 2018, 11:03 PM

Change 467003 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[mediawiki/extensions/TimedMediaHandler@master] Fix message escaping or mark as raw

https://gerrit.wikimedia.org/r/467003

gerritbot added a comment.Oct 13 2018, 12:19 AM

Change 467003 merged by jenkins-bot:
[mediawiki/extensions/TimedMediaHandler@master] Fix message escaping or mark as raw

https://gerrit.wikimedia.org/r/467003

Krinkle subscribed.Oct 13 2018, 12:32 AM
In T200997#4662531, @Tgr wrote:

AFAIK there is no equivalent of rawParam in Javascript, so if your message takes a HTML parameter (which is pretty common), you have to make it a raw HTML message, even if the message itself is not intended to contain any HTML.

I don't see it as common, but it does happen sometimes indeed. However, I've never seen someone turn the message into a raw HTML message for that reason. We have at least two alternative routes that I see commonly used and are safe:

  1. The equivalent of a raw parameter in JS, is to first safely process the message (e.g. parsed or escaped), and then replace() the $-placeholder. This is exactly what the PHP code does, just abstracted behind a method call.
  2. If you have a DOM node (not unparsed raw HTML string), you can also use mediawiki.jqueryMsg which is capable of replacing a $-placeholder within an otherwise safely text-transformed or wikitext-parsed interface message.

Both of these approaches are used in core and various extensions.

Tgr updated the task description. (Show Details)Oct 13 2018, 3:24 AM

Fair enough.

This task should be done unless someone has an idea what to do about all the "Others?" fields.

Bawolff added a comment.Oct 15 2018, 5:09 AM

I tried using some grepping to see if I could find some more. Here's what i got:

for i in `find . -name '*.js' -type f`
	do if tr $'\n'$'\t' ' ' < "$i" | grep -o -e '[^ ]*\.html(\s*\(mw\.msg\s*([^()]*\([^()]*([^()]*)[^()]*\)*)*\|mw\.[mM]essage\s*([^()]*\([^()]*([^()]*)[^()]*\)*)\s*\.\s*\(params(\([^()]*([^()]*)[^()]*\)*)\.\)*\(plain\|text\)\s*(\s*)\)\s*)*'
	then echo $'\t'--^ Raw html message in file "$i";fi;
done
).html(      mw.msg( 'mwe-embedplayer-credit-title',       // get the link       $( '<div>' ).append
	--^ Raw html message in file ./extensions/TimedMediaHandler/resources/mw.MediaWikiPlayerSupport.js
.html( mw.msg( 'cx-entrypoint-dialog-page-doesnt-exist-yet', targetAutonym ) )
	--^ Raw html message in file ./extensions/ContentTranslation/modules/entrypoint/ext.cx.entrypoint.js

[Note i don't have all extensions downloaded]

Bawolff mentioned this in T206970: Investigate using simple grep to check js for raw html messages.Oct 15 2018, 5:12 AM
gerritbot added a comment.Oct 15 2018, 6:30 AM

Change 467255 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[mediawiki/extensions/TimedMediaHandler@master] Escape one more message

https://gerrit.wikimedia.org/r/467255

gerritbot added a comment.Oct 15 2018, 6:33 AM

Change 467256 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[mediawiki/extensions/ContentTranslation@master] Fix escaping of cx-entrypoint-dialog-page-doesnt-exist-yet

https://gerrit.wikimedia.org/r/467256

Jdforrester-WMF added a comment.Oct 15 2018, 5:52 PM
In T200997#4663076, @Tgr wrote:

Fair enough.

This task should be done unless someone has an idea what to do about all the "Others?" fields.

My hope in writing that was that someone would ride to the rescue with phan to give us confidence we've spotted at least most or all of them.

Legoktm subscribed.Oct 15 2018, 6:00 PM
In T200997#4665043, @Bawolff wrote:

[Note i don't have all extensions downloaded]

Your bash magic has some issues with files with spaces in their name, but here's the rest of the output against everything in Gerrit.

).html( mw.message( 'bs-extendedsearch-search-center-result-no-results' ).plain() )
	--^ Raw html message in file ./BlueSpiceExtendedSearch/resources/bs.extendedSearch/panel/Results.js
.html( mw.message( 'bs-extendedsearch-autocomplete-result-primary-no-results-label' ).plain() )
.html( mw.message( 'bs-extendedsearch-autocomplete-result-secondary-results-label' ).plain() )
.html( mw.message( 'bs-extendedsearch-autocomplete-modified-time-label', this.mtime ).plain() )
	--^ Raw html message in file ./BlueSpiceExtendedSearch/resources/bs.extendedSearch/mixin/Autocomplete.js
).html( mw.msg( 'poll-js-action-complete' ) )
).html( mw.msg( 'poll-js-action-complete' ) )
	--^ Raw html message in file ./PollNY/resources/js/Poll.js
).html(      mw.msg( 'mwe-embedplayer-credit-title',       // get the link       $( '<div>' ).append
	--^ Raw html message in file ./TimedMediaHandler/resources/mw.MediaWikiPlayerSupport.js
.html( mw.msg( 'imagerating-category', category ) )
	--^ Raw html message in file ./ImageRating/resources/js/ImageRating.js
.html( mw.msg( 'cx-entrypoint-dialog-page-doesnt-exist-yet', targetAutonym ) )
	--^ Raw html message in file ./ContentTranslation/modules/entrypoint/ext.cx.entrypoint.js
.html( mw.msg(       'smitespam-created-by',       users[groupCreator] ? users[groupCreator].link : groupCreator      )     )
	--^ Raw html message in file ./SmiteSpam/static/js/ext.smitespam.js
gerritbot added a comment.Oct 15 2018, 6:10 PM

Change 467255 merged by jenkins-bot:
[mediawiki/extensions/TimedMediaHandler@master] Escape one more message

https://gerrit.wikimedia.org/r/467255

Nikerabbit subscribed.Oct 16 2018, 6:53 AM
gerritbot added a comment.Oct 16 2018, 7:19 AM

Change 467256 merged by jenkins-bot:
[mediawiki/extensions/ContentTranslation@master] Fix escaping of cx-entrypoint-dialog-page-doesnt-exist-yet

https://gerrit.wikimedia.org/r/467256

Platonides mentioned this in T207522: cx-entrypoint-dialog-page-doesnt-exist-yet showing <br/>.Oct 19 2018, 10:07 PM
Ladsgroup removed a project: Patch-For-Review.May 28 2019, 3:37 PM
Aklapper removed a project: Security-General.Dec 13 2019, 10:46 AM
chasemp added a project: Security.Feb 10 2020, 10:58 PM
Krinkle unsubscribed.Feb 10 2020, 11:41 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:07 PM
DannyS712 subscribed.Sep 21 2020, 11:52 PM
Aklapper added a comment.Jun 6 2021, 9:44 PM

Can this task be closed as the task title talks about "WMF-deployed extensions", and dedicated subtasks of T2212 be created for BlueSpice, ImageRating, MediaWiki-extensions-SmiteSpam, PollNY (which don't have a string RawHtmlMessages in their extension.json files) as per T200997#4667849 ?

Jdforrester-WMF added a comment.Jun 7 2021, 2:41 PM
In T200997#7137150, @Aklapper wrote:

Can this task be closed as the task title talks about "WMF-deployed extensions", and dedicated subtasks of T2212 be created for BlueSpice, ImageRating, MediaWiki-extensions-SmiteSpam, PollNY (which don't have a string RawHtmlMessages in their extension.json files) as per T200997#4667849 ?

It's currently waiting for an expert to audit and confirm that all such messages have been done, so no.

sbassett mentioned this in T340201: Use custom language code to find i18n XSS issues.Jul 10 2023, 4:31 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits