Page MenuHomePhabricator
Create Task
Maniphest T4309

Template parameters not substituted in HTML attributes [regression]
Closed, ResolvedPublic
Actions

Description

Author: bastique.bz

Description:
http://en.wikipedia.org/wiki/Tralee

Up until yesterday, we were able to position dots on maps using the template
field "pin_coords", which placed a "left: #; top: #" code into the DIV tag
for the tiny town graphic. Suddenly, on 6/3/05, this field no longer works.

We have already positioned quite a few towns using this now-disabled feature.
This feature also reduces the number of graphics; 2 for all towns in a single
county rather than one for each one. This ability should be restored.

Version: 1.4.x
Severity: normal
URL: http://en.wikipedia.org/wiki/Template:Ie_citytown_infobox

Details

Reference
bz2309

Event Timeline

bzimport raised the priority of this task from to Unbreak Now!.Nov 21 2014, 8:35 PM
bzimport added a project: MediaWiki-Templates.
bzimport set Reference to bz2309.
bzimport added a subscriber: Unknown Object (MLST).
bzimport created this task.Jun 3 2005, 3:16 PM
bzimport added a comment.Jun 3 2005, 3:17 PM

bastique.bz wrote:

Example: http://en.wikipedia.org/wiki/Castlebar

brion added a comment.Jun 4 2005, 12:31 AM

This is caused by the fix to bug 2304, which is a major security vulnerability.

Allowing validated plaintext template/parameter substitutions in HTML attribute values with our
current parser architecture is theoretically possible, but will take some work to ensure that it
remains safe.

brion added a comment.Jun 4 2005, 11:23 PM

Also broken by this:
http://en.wikipedia.org/wiki/Template:Ref
http://en.wikipedia.org/wiki/Template:Note

I've done some work on this bug but need to check it over a bit to make sure I haven't reintroduced a vulnerability,
particularly on the 1.4 backport (where the HTML attribute validation code is pretty crappy). Will try to finish it up
tonight.

bzimport added a comment.Jun 6 2005, 1:43 AM

lowzl wrote:

I recently upgraded my MediaWiki installation to 1.4.5 - we've experienced this
problem on precisely one template at the moment. I suppose it is because no one
has edited the other ones using this technique yet.

Curiously, {{subst:xyz}} works, but {{xyz}} uses the inclusion guard.

brion added a comment.Jun 6 2005, 1:46 AM

Fix applied to CVS HEAD. Still working on REL1_4.

brion added a comment.Jun 6 2005, 4:59 AM

Fix applied to REL1_4 as well (Parser.php).

bzimport added a comment.Jun 8 2005, 3:13 PM

lowzl wrote:

Is there a specific patch we can apply now, or will there be a new release of
1.4 soon?

brion added a comment.Jun 8 2005, 11:45 PM

I can't release a 1.4.6 just now as there's an issue with upgrades and an unnecessary
but performance-enhancing index.

Here's the change for REL1_4:
http://cvs.sourceforge.net/viewcvs.py/wikipedia/phase3/includes/Parser.php?
r1=1.357.2.49&r2=1.357.2.50&diff_format=u

bzimport added a comment.Jul 7 2005, 9:21 PM

zigger wrote:

*** Bug 2743 has been marked as a duplicate of this bug. ***

bzimport added a comment.Jul 7 2005, 9:31 PM

zigger wrote:

1.4.6 has been released.
Release notes: https://sourceforge.net/project/shownotes.php?release_id=340290
Downloads: https://sourceforge.net/project/showfiles.php?group_id=34373

Luke081515 removed a subscriber: wikibugs-l-list.Jan 28 2016, 6:05 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL