Page MenuHomePhabricator
Create Task
Maniphest T2212

Some MediaWiki: messages not safe in HTML (tracking)
Open, MediumPublic
Actions

Description

Many MediaWiki: messages are still used as raw HTML output. Strict XML parsing by user agents would make
it very difficult for a sysop modifying them through the wiki to recover from an error which creates invalid
output -- the entire wiki interface can be broken.

Messages should be converted to either plaintext (via htmlspecialchars()) or wikitext which will go through
normalization. (This is an ongoing effort.)

Details

Reference
bz212

Related Objects
Search...

StatusSubtypeAssignedTask
 OpenNoneT2212 Some MediaWiki: messages not safe in HTML (tracking)
 ResolvedNoneT3989 Some Editpage addhtml to addwikitext conversion
 ResolvedNoneT2210 Google fallback search form not valid XHTML
 DeclinedNoneT4516 Make OutputPage::setSubtitle() use the full wikisyntax
 InvalidNoneT3037 Language files have inconsistent mark-up
 ResolvedNoneT3023 Language files are not XHTML-compliant.
 ResolvedhasharT4369 [[MediaWiki:Missingarticle]] using <p> without closing </p>
 ResolvedAmire80T18026 MediaWiki:Revision-info should accept wikimarkup
 OpenNoneT21291 Mechanism to find usages of raw-html messages
 OpenNoneT45646 "MediaWiki:Copyright" message allows raw HTML
 InvalidNoneT85864 Special pages, actions and views whose messages don't escape text
 Resolved Mattflaschen-WMFT112469 Fix unsanitized message in PageTriage
 ResolvedmatmarexT113669 Unescaped messages on Special:UploadWizard
 DeclinedNoneT120364 Fix unsanitized messages in MassAction
 DuplicateNoneT26309 Some interface messages are broken if filter name contains template syntax
 ResolvedMtDuT152831 SmiteSpam has lots of HTML messages
 DuplicateNoneT85325 MediaWiki pages edited by non-sysop registered users in Commons via TranslatePostInitGroups
 ResolvedDevirkT111754 tags-create-explanation message allows raw HTML
 InvalidNoneT136700 Raw HTML in Special:ProtectedPages
Restricted Task
Restricted Task
 OpenNoneT200997 Add raw HTML messages in WMF-deployed extensions to $wgRawHtmlMessages
 ResolvedSecuritysbassettT255918 Unescaped message used in HTML on Special:Contributions (CVE-2020-25812)
 ResolvedSecurityGrunnyT278014 CVE-2021-30154: Unescaped messages used in HTML on Special:NewFiles
 ResolvedSecurityGrunnyT278058 CVE-2021-30157: Unescaped messages used in HTML on ChangesList pages (e.g. RecentChanges and Watchlist)
 ResolvedSecuritysbassettT297543 CVE-2022-28202: Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete
 ResolvedSecuritysbassettT299289 Unescaped messages in WikibaseMediaInfo
 ResolvedSecuritysbassettT308471 CVE-2022-34911: Username is not escaped in the "welcomeuser" message
 ResolvedSecuritysbassettT308473 CVE-2022-34912: Username not escaped in the contributions-title message
 ResolvedSecuritysbassettT347746 CVE-2024-23179: GlobalBlocking subtitle links have i18n-xss via the parentheses message
 ResolvedSecuritysbassettT347726 CVE-2023-51704: group-.*-member messages are not properly escaped on Special:log/rights
 ResolvedSecurityUmherirrenderT347744 i18n-xss vectors on Special:SecurePoll
 ResolvedjhsobyT353316 Fix security issues in youhavenewmessagesmanyusers and youhavenewmessages and make them translatable by translatewiki volunteers

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
bzimport added a comment.Apr 10 2005, 7:46 PM

avarab wrote:

Nevermind, the rest of those messages didn't need any modification, applied the
patch to HEAD.

AzaToth added a comment.Apr 14 2008, 8:22 PM

WP:BEANS violation:

  1. GOTO http://en.wikipedia.org/wiki/MediaWiki:Copyright
  2. ADD <img src="/w/api.php?action=logout" />
  3. FLEE

i.e. rouge admin can make everyone forced to log out.

demon added a comment.Jun 5 2008, 2:41 PM

(In reply to comment #7)

WP:BEANS violation:

  1. GOTO http://en.wikipedia.org/wiki/MediaWiki:Copyright
  2. ADD <img src="/w/api.php?action=logout" />
  3. FLEE

i.e. rouge admin can make everyone forced to log out.

You sure about this? I could be wrong, but I just tried it on my localhost and it didn't force a logout.

Nikerabbit added a comment.May 22 2009, 11:57 AM

I think I got most of them with my last commits r50881, r50882 and r50883. Keeping this bug open like this seems not quite useful. What I would like to is mechanism to detect this automatically, something that can be enabled during development. PHP's taint module seems a candidate, but as of now it is not easy to install.

Nikerabbit added a comment.Jun 19 2009, 9:09 AM

Created bug 19291 for that. Closing this now as INVALID, because this bug cannot be easily fixed as-is.

brion added a comment.Jun 23 2009, 11:07 PM

Reopening as there seems no reason to close it; bug 19291 looks like a request for a tool to aid in working on bug 212 issues.

bzimport added a comment.Jul 24 2009, 10:07 AM

happy.melon.wiki wrote:

Are there *any* messages that need to allow full (X)HTML?? Pages like the site footer use raw HTMl links, for example: is that still performance-necessary?

AzaToth added a comment.Aug 23 2009, 5:52 PM

(In reply to comment #8)

(In reply to comment #7)

WP:BEANS violation:

  1. GOTO http://en.wikipedia.org/wiki/MediaWiki:Copyright
  2. ADD <img src="/w/api.php?action=logout" />
  3. FLEE

i.e. rouge admin can make everyone forced to log out.

You sure about this? I could be wrong, but I just tried it on my localhost and
it didn't force a logout.

This still apply (just tested) Remember to modify the src="" to match your local install.

DanielFriesen added a comment.Jun 8 2013, 2:03 PM

Changing subject since we don't support XHTML 1.0 anymore ;).

Bawolff added a comment.Jun 8 2013, 3:30 PM

As an aside, people on wikinews use the raw html in [[mediawiki:Copyright]] to add rdf to the footer, to make them be picked up in google's creative commons content search.

DanielFriesen added a comment.Jun 8 2013, 3:35 PM

(In reply to comment #15)

As an aside, people on wikinews use the raw html in [[mediawiki:Copyright]]
to
add rdf to the footer, to make them be picked up in google's creative commons
content search.

Raw RDF comments instead of RDFa!!!

Qgil added a comment.Apr 14 2014, 1:55 AM

Interesting report history. :)

The fact is that nobody seems to be working or planning to work on this. Setting priority to Lowest accordingly.

Edokter added a comment.Apr 29 2014, 3:47 PM
  • Bug 43646 has been marked as a duplicate of this bug. ***
Edokter added a comment.Apr 29 2014, 8:24 PM
  • Bug 43646 has been marked as a duplicate of this bug. ***
Nemo_bis added a comment.May 3 2014, 9:17 AM

Converting to tracking bug per bug 43646 comment 6.

csteipp mentioned this in T76686: thumb.php outputs wikitext message as raw html.Dec 4 2014, 9:59 PM
Nemo_bis raised the priority of this task from Lowest to Medium.Dec 9 2014, 1:29 PM

Nikerabbit committed a number of patches. https://gerrit.wikimedia.org/r/#/q/topic:esc,n,z

demon unsubscribed.Dec 9 2014, 3:34 PM
Deskana set Security to None.Dec 9 2014, 4:15 PM
Deskana unsubscribed.
Anomie mentioned this in T45646: "MediaWiki:Copyright" message allows raw HTML.Dec 18 2014, 4:34 PM
Nemo_bis added a comment.Jan 2 2015, 7:04 PM

Tracking-Neverending or Epic?

Aklapper added a comment.Jan 5 2015, 12:24 PM

@Nemo_bis: If an end ("task resolved") can ever be clearly defined: epic. If not: tracking. I think the latter.

Nemo_bis added a subtask: T85325: MediaWiki pages edited by non-sysop registered users in Commons via TranslatePostInitGroups.Jan 6 2015, 4:42 PM
Liuxinyu970226 subscribed.Mar 3 2015, 10:26 AM
Glaisher subscribed.Aug 30 2015, 5:33 AM
TTO renamed this task from Many MediaWiki: messages not safe in HTML (tracking) to Some MediaWiki: messages not safe in HTML (tracking).Sep 8 2015, 7:02 AM
TTO updated the task description. (Show Details)
TTO subscribed.

Changed title from "Many" to "Some". A quick unscientific audit (prepending some inline JS to each message string in en.json) hasn't found many raw HTML messages at all. There are probably very few raw HTML messages remaining, I'll file tasks for any I come across and mark them "easy".

TTO added a subtask: T111754: tags-create-explanation message allows raw HTML.Sep 8 2015, 7:26 AM
Nemo_bis added a comment.Sep 10 2015, 7:31 AM

T85864 found hundreds just on the extensions enabled at translatewiki.net. There are probably hundreds more.

Qgil unsubscribed.Sep 10 2015, 7:34 AM
TTO added a comment.Sep 10 2015, 9:34 AM
In T2212#1623720, @Nemo_bis wrote:

T85864 found hundreds just on the extensions enabled at translatewiki.net. There are probably hundreds more.

This is a core task, my comment was referring to core only. My apologies for any confusion.

Ricordisamoa subscribed.Sep 16 2015, 3:10 PM
TTO closed subtask T111754: tags-create-explanation message allows raw HTML as Resolved.Nov 5 2015, 12:20 AM
Bawolff mentioned this in T120886: Make javascript editing permissions more fine grained and separate from normal editinterface right.Dec 8 2015, 11:46 PM
Meno25 unsubscribed.Feb 22 2016, 5:49 PM
TTO added a subtask: T136700: Raw HTML in Special:ProtectedPages.Jun 1 2016, 1:08 PM
TTO closed subtask T136700: Raw HTML in Special:ProtectedPages as Invalid.Jul 1 2016, 2:45 AM
Phabricator_maintenance removed a parent task: T4007: [DO NOT USE] Tracking bug [superseded by #Tracking].Jul 28 2016, 2:33 AM
Nemo_bis mentioned this in T156184: Make rawHTML mode not apply to system messages.Jan 31 2017, 9:53 PM
Tgr added a subtask: Restricted Task.Mar 19 2018, 6:50 AM
Tgr mentioned this in T190015: Create separate user group for editing sitewide CSS/JavaScript that does not include administrators by default.May 15 2018, 9:32 AM
Bawolff added a subtask: Restricted Task.Jul 5 2018, 5:04 PM
Dinoguy1000 mentioned this in T21291: Mechanism to find usages of raw-html messages.Aug 1 2018, 10:15 AM
Izno removed a parent task: T51337: Well formed XML (tracking).Sep 22 2018, 5:54 PM
Liuxinyu970226 removed a parent task: T2209: [DO NOT USE] HTML validity (tracking).Mar 16 2019, 1:44 PM
Liuxinyu970226 added a comment.EditedMar 16 2019, 1:51 PM

Dear author @brion, it's prefer to (request to) create tasks instead of opening tracking tasks which are nowadays nonsense under any circumstances.

Should we convert this old-decaded tracking task to a project? Or just archive this task?

Liuxinyu970226 moved this task from Tag to Transition suggested on the Tracking-Neverending board.Mar 16 2019, 1:54 PM
DannyS712 subscribed.Apr 18 2019, 7:39 AM
Anomie mentioned this in T236509: XSS on Special:UserRights.Oct 28 2019, 7:30 PM
sbassett mentioned this in T135591: Linker::specialLink() does not escape the link text.May 7 2020, 3:14 PM
JohanahoJ subscribed.Jun 6 2020, 5:44 PM

One message containing raw html is "MediaWiki:Mobile-frontend-editor-anonwarning". After a discussion on svwiki, I changed the wording of that message locally, i.e. on svwiki and not as a general change on Translatewiki, and while I was at it, I replaced the html with wikitext. It turns out that message is still not possible to edit for others than interface admins. Is that expected behaviour? If so, what have I missed?

Daimona added a subtask: T255918: Unescaped message used in HTML on Special:Contributions (CVE-2020-25812).Jun 20 2020, 3:29 PM
Ammarpad subscribed.EditedJun 20 2020, 4:13 PM
In T2212#6199332, @JohanahoJ wrote:

One message containing raw html is "MediaWiki:Mobile-frontend-editor-anonwarning". After a discussion on svwiki, I changed the wording of that message locally, i.e. on svwiki and not as a general change on Translatewiki, and while I was at it, I replaced the html with wikitext.

It's not necessary, but not bad either. You were able to edit it because you're interface admin on svwiki, and that's why you couldn't edit it on translatewiki

It turns out that message is still not possible to edit for others than interface admins. Is that expected behaviour? If so, what have I missed?

Yes, and that's why it's not necessary to change them. They are already sort of protected, since very few users can edit them.

JohanahoJ added a comment.Jun 20 2020, 4:51 PM

There are apparently some conflicting info about this, but that could of course be due to not yet updated pages. So it's correct to say that no system message can be edited locally by others than interface admins?

Ammarpad added a comment.EditedJun 20 2020, 4:56 PM
In T2212#6242065, @JohanahoJ wrote:

There are apparently some conflicting info about this, but that could of course be due to not yet updated pages. So it's correct to say that no system message can be edited locally by others than interface admins?

Not all of them. A subset of them. Like the MediaWiki:Mobile-frontend-editor-anonwarning that you mentioned, normal admins cannot edit it, but they can edit MediaWiki:Mobile-frontend-home-button because the former has extra checks that make sure only interface admins can edit it.

JohanahoJ added a comment.Jun 20 2020, 5:38 PM

So, how do I see which system messages can be edited by all admins?

DanielFriesen unsubscribed.Jun 20 2020, 7:20 PM
Ammarpad added a comment.Jun 21 2020, 6:04 AM
In T2212#6242107, @JohanahoJ wrote:

So, how do I see which system messages can be edited by all admins?

The ones not editable by normal admins are the exception rather than the rule. So you should consider all messages as editable by all admins until you encounter the few non-editable ones. There's no way to know this info from the UI, but you may know when you attempt to edit them without the required permissions.

You may however look them up in the source. The affected messages in core are listed here. Extensions append their own to the array.

JohanahoJ added a comment.Jun 21 2020, 7:42 AM

Ok, thanks!

Reedy closed subtask T255918: Unescaped message used in HTML on Special:Contributions (CVE-2020-25812) as Resolved.Sep 21 2020, 11:36 PM
matmarex mentioned this in T267278: XSS vulnerability in CologneBlue (CVE-2020-29002).Nov 5 2020, 6:28 PM
matmarex mentioned this in T274883: Parse warnings shown in plain wikitext with live preview.Feb 16 2021, 9:28 PM
Grunny added a subtask: T278014: CVE-2021-30154: Unescaped messages used in HTML on Special:NewFiles.Mar 20 2021, 4:03 PM
Grunny added a subtask: T278058: CVE-2021-30157: Unescaped messages used in HTML on ChangesList pages (e.g. RecentChanges and Watchlist).Mar 21 2021, 6:01 PM
Reedy closed subtask T278058: CVE-2021-30157: Unescaped messages used in HTML on ChangesList pages (e.g. RecentChanges and Watchlist) as Resolved.Mar 30 2021, 12:45 AM
Reedy closed subtask T278014: CVE-2021-30154: Unescaped messages used in HTML on Special:NewFiles as Resolved.Mar 30 2021, 12:48 AM
Aklapper mentioned this in T200997: Add raw HTML messages in WMF-deployed extensions to $wgRawHtmlMessages.Jun 6 2021, 9:44 PM
sbassett mentioned this in T286385: XSS in GlobalWatchlist (CVE-2021-42046).Jul 12 2021, 2:44 PM
Peachey88 closed subtask T85864: Special pages, actions and views whose messages don't escape text as Resolved.Oct 4 2021, 3:07 AM
Jdforrester-WMF changed the status of subtask T85864: Special pages, actions and views whose messages don't escape text from Resolved to Invalid.Oct 4 2021, 6:15 PM
sbassett mentioned this in T292795: XSS vulnerability in Special:CheckUserLog (CVE-2021-46150).Oct 13 2021, 6:26 PM
sbassett added a subtask: T297543: CVE-2022-28202: Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete.Jan 24 2022, 9:49 PM
sbassett closed subtask T297543: CVE-2022-28202: Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete as Resolved.
sbassett added a subtask: T299289: Unescaped messages in WikibaseMediaInfo.Jan 24 2022, 9:56 PM
sbassett changed the status of subtask T299289: Unescaped messages in WikibaseMediaInfo from Open to In Progress.Jan 24 2022, 9:58 PM
sbassett mentioned this in T299289: Unescaped messages in WikibaseMediaInfo.
sbassett closed subtask T299289: Unescaped messages in WikibaseMediaInfo as Resolved.Mar 16 2022, 8:46 PM
Zabe subscribed.Mar 31 2022, 9:14 PM
Daimona added a subtask: T308471: CVE-2022-34911: Username is not escaped in the "welcomeuser" message.May 16 2022, 5:51 PM
Daimona added a subtask: T308473: CVE-2022-34912: Username not escaped in the contributions-title message.May 16 2022, 5:53 PM
sbassett mentioned this in T308473: CVE-2022-34912: Username not escaped in the contributions-title message.Jun 6 2022, 9:21 PM
sbassett closed subtask T308471: CVE-2022-34911: Username is not escaped in the "welcomeuser" message as Resolved.Jun 21 2022, 3:18 PM
sbassett closed subtask T308473: CVE-2022-34912: Username not escaped in the contributions-title message as Resolved.Jun 22 2022, 2:35 AM
sbassett mentioned this in T206970: Investigate using simple grep to check js for raw html messages.Mar 27 2023, 8:07 PM
Winston_Sung moved this task from Untriaged to Analysis on the I18n board.Aug 9 2023, 1:33 PM
sbassett mentioned this in T340201: Use custom language code to find i18n XSS issues.Oct 2 2023, 9:19 PM
Umherirrender added a subtask: T347746: CVE-2024-23179: GlobalBlocking subtitle links have i18n-xss via the parentheses message.Oct 19 2023, 4:17 PM
Umherirrender added a subtask: T347726: CVE-2023-51704: group-.*-member messages are not properly escaped on Special:log/rights.
Umherirrender added a subtask: T347744: i18n-xss vectors on Special:SecurePoll.Nov 15 2023, 8:45 PM
Pppery added a subtask: T353316: Fix security issues in youhavenewmessagesmanyusers and youhavenewmessages and make them translatable by translatewiki volunteers.Dec 13 2023, 4:07 PM
Pppery closed subtask T353316: Fix security issues in youhavenewmessagesmanyusers and youhavenewmessages and make them translatable by translatewiki volunteers as Resolved.Jan 9 2024, 4:57 AM
sbassett closed subtask T347744: i18n-xss vectors on Special:SecurePoll as Resolved.Tue, Apr 2, 10:14 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL