Page MenuHomePhabricator
Create Task
Maniphest T13296

URLs in the help mode double escaped
Closed, ResolvedPublic
Actions

Description

Author: Bryan.TongMinh

Description:
URLs are double escaped in the pretty print xml help mode. (Just the main page, see http://commons.wikimedia.org/w/api.php).

Version: 1.11.x
Severity: enhancement
URL: http://commons.wikimedia.org/w/api.php

Details

Reference
bz11296

Event Timeline

bzimport raised the priority of this task from to Lowest.Nov 21 2014, 9:56 PM
bzimport added a project: MediaWiki-Action-API.
bzimport set Reference to bz11296.
bzimport added a subscriber: Unknown Object (MLST).
bzimport created this task.Sep 11 2007, 8:06 PM
brion added a comment.Sep 11 2007, 8:22 PM

The API help message seems to be abusing the XML pretty-printer, assuming that output will be partially de-escaped. This is fairly rude. :)

Now that the pretty-printer isn't a security hazard, it's formatting output correctly; that is, as given.

In theory we could special-case the pretty-printer, but I suspect it would more sense to just have an HTML interface for this? The URL detection in particular is very fragile as back-interpreting the original code is going to depend on how that particular formatter treats all kinds of characters.

brion added a comment.Sep 13 2007, 3:27 PM
  • Bug 11302 has been marked as a duplicate of this bug. ***
bzimport added a comment.Sep 14 2007, 6:18 PM

cannon.danielc wrote:

Well, the only characters that really seem to be causing problems in the links are ampersands. Could we maybe just special-case these for now?

I really think it would make much more sense just to provide, as you suggested, our own html, not formatted xml, help document at the entry point, but I believe the reason Yuri wanted to do it this way was so that we would be handing back valid xml when an error occurs (the help message is shown on all errors). It would, however, make more sense to me for an error just to return a simple doc indicating the error, and only display the help document when the api is accessed without any parameters.

Catrope added a comment.Sep 15 2007, 3:23 PM

(In reply to comment #3)

It would, however, make more sense to me for an error just to return a
simple doc indicating the error, and only display the help document when the
api is accessed without any parameters.

This has been discussed before. It was agreed (and implemented) that the help document be shown only if the requested format is an FM (fancy markup) format. If not, the help text will not be shown unless the users explicitly requests it with action=help. See also:

http://www.mediawiki.org/w/api.php?action=query&list=dfasdf
http://www.mediawiki.org/w/api.php?action=query&list=dfasdf&format=xml

bzimport added a comment.Sep 18 2007, 10:12 PM

cannon.danielc wrote:

Committed r25922, which is a temporary fix for this. Leaving the bug open until we find a better solution (most likely, a fully html version of the help).

bzimport added a comment.Sep 18 2007, 10:13 PM

cannon.danielc wrote:

(In reply to comment #5)

Committed r25922, which is a temporary fix for this. Leaving the bug open until
we find a better solution (most likely, a fully html version of the help).

Sorry, that was r25923

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL