
MediaWiki:Sidebar can render invalid HTML IDs
Closed, Resolved | Public

Description

Author: mitch.waters.iii

Description:
When changing the Table of Contents by editing the MediaWiki:Sidebar page,
entries with spaces or some special characters cause the rendered HTML ID to be
invalid. The MediaWiki software is great about rendering valid HTML but this
could easily be overlooked as it only is a problem with certain edits to the
Sidebar.

The following example will produce the error:

  * developer tools
  ** Developer's Corner|Developer's Corner

The htmlspecialchars function does nothing about the space or the "'" (single
quote), both of which are invalid.

From w3.org:
ID and NAME tokens must begin with a letter ([A-Za-z]) and may be followed by
any number of letters, digits ([0-9]), hyphens ("-"), underscores ("_"), colons
(":"), and periods (".") (see: http://www.w3.org/TR/html4/types.html#h-6.2).

The following skins have this problem:
Monobook
Chick
MySkin
Simple


Version: 1.8.x
Severity: trivial

Details

Reference
bz7623

Event Timeline

bzimport raised the priority of this task from to Medium. (Nov 21 2014, 9:23 PM)
bzimport added a project: MediaWiki-Parser.
bzimport set Reference to bz7623.
bzimport added a subscriber: Unknown Object (MLST).

dto wrote:

Creating something like MediaWiki:Developerscorner with text "Developer's
Corner" and then saying " developerscorner|Developer's Corner" or "
developerscorner|developerscorner" will do the trick.

But maybe invalid chars should still be stripped anyways?

mitch.waters.iii wrote:

Yeah, I know how to get around it, and it's not breaking any functionality. It's
just annoying. I can post a patch, but I just basically put a
preg_replace("/[^a-z0-9-_:\.]/i", "_", $id) in where it was rendering it in
Monobook.php. This also takes care of it for the other three skins. I didn't
think that this was entirely correct at first, since it could potentially
violate the "must begin with a character" rule, but I then noticed that the skin
was putting a "p-" in the front of the ID anyway, which satisfies this rule.

Also, you mentioned the link (** Developer's Corner|Developer's Corner) being
invalid, but the header line (* developer tools) also creates an invalid link,
since it contains spaces.

I've gone ahead and added a patch... and changed the severity to trivial, since
that's really what this is.

mitch.waters.iii wrote:

Proposed patch using preg_replace to get rid of the offending characters in the ID of elements generated by entries in MediaWiki:Sidebar

Attached:

ayg wrote:

Fixed in r17103, using Sanitizer::escapeId instead of preg_replace.

ayg wrote:

*** Bug 5993 has been marked as a duplicate of this bug. ***
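
The check and the replacement discussed in this thread, as an added example (not the attached patch and not MediaWiki's `Sanitizer::escapeId`). The function names are hypothetical, and it assumes the ID is the skin's "p-" prefix followed by the sidebar entry text. It also shows a side effect of the replace-with-underscore approach: distinct entries can collapse to the same ID, and duplicate IDs are invalid as well.

```php
<?php
// Added example, not MediaWiki code. Function names are hypothetical.

// HTML 4 ID token rule quoted in the report: a letter, then letters,
// digits, "-", "_", ":" or ".".
function isValidHtml4Id(string $id): bool {
    return preg_match('/^[A-Za-z][A-Za-z0-9\-_:.]*$/D', $id) === 1;
}

// The replacement described in the thread: every character outside the
// allowed set becomes "_". The "p-" prefix supplies the leading letter.
function portletId(string $entry): string {
    return 'p-' . preg_replace('/[^a-z0-9\-_:.]/i', '_', $entry);
}

// Group entries by generated ID and keep only the IDs produced by more
// than one entry, since those would be emitted twice on the page.
function findIdCollisions(array $entries): array {
    $byId = [];
    foreach ($entries as $entry) {
        $byId[portletId($entry)][] = $entry;
    }
    return array_filter($byId, fn(array $e): bool => count($e) > 1);
}

// Constructed sample entries; the first two are taken from the report.
$entries = ['developer tools', "Developer's Corner", 'Developer_s Corner', 'navigation'];

foreach ($entries as $entry) {
    // What the report describes: htmlspecialchars() alone, then the prefix.
    $raw = 'p-' . htmlspecialchars($entry, ENT_QUOTES);
    $fixed = portletId($entry);
    printf("%-20s raw valid: %-3s fixed: %-22s valid: %s\n",
        $entry,
        isValidHtml4Id($raw) ? 'yes' : 'no',
        $fixed,
        isValidHtml4Id($fixed) ? 'yes' : 'no');
}

foreach (findIdCollisions($entries) as $id => $sources) {
    echo "duplicate id $id from: " . implode(' | ', $sources) . "\n";
}
```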