Page MenuHomePhabricator
Create Task
Maniphest T63268

Abuse of Cite extension allows cross-invoke communication
Closed, ResolvedPublic
Actions

Description

Jackmcbarn discovered that abuse of the Cite extension in combination with mw.text.unstrip can allow for cross-invoke communication. The general idea is that data can be set by processing a <ref> tag with an otherwise-unused group, and then retrieved later by processing <references> for that group and parsing the HTML.

Possible fixes:

  1. Remove mw.text.unstrip. Disadvantage: This is something that was requested relatively frequently by the community to deal with <nowiki> tags, and removing it would likely break various modules and cause many complaints.
  1. Create a blacklist or whitelist of strip tags for mw.text.unstrip, and use it to disallow "references". Disadvantage: It's a blacklist/whitelist, that has to be maintained somehow.
  1. Adjust Cite to not include the HTML in the references strip tag, instead put some token that gets replaced in the ParserAfterParse hook. Disadvantage: Requires Cite to do something unusual because of Scribunto.
  1. Rewrite Cite entirely like Gabriel Wicke wants (see comments on Gerrit change 99792), so it basically reparses the whole page in one of the post-parse hooks to handle <ref> and <references>. Disadvantage: It adds an extra pass to the parser (if not a whole extra parser bolted on), and probably won't interact well with other extensions.

Of these, #3 seems the least bad to me. But maybe someone else has a better idea.

Version: master
Severity: normal

Details

Reference
bz61268

Related Objects
Search...

Event Timeline

bzimport raised the priority of this task from to High.Nov 22 2014, 3:04 AM
bzimport added a project: Cite.
bzimport set Reference to bz61268.
bzimport added a subscriber: Unknown Object (MLST).
Anomie created this task.Feb 12 2014, 3:55 PM
Technical13 added a comment.Feb 12 2014, 4:48 PM

If I had to order your possible fixes from least bad to worst, I would order them as 2 -> 3 -> 4 -> 1. I can't see any (black|white)list from needing a lot of maintaining, so it is likely the best of the options presented. 1 is obviously the worst as it has the potential of breaking lots of modules dependent on it.

Jackmcbarn added a comment.Feb 12 2014, 7:34 PM

Here's my thoughts on the ways to fix it:

  1. I personally am not opposed to this, but I know others are and it would lead to drama. Maybe as a compromise, nowiki could be unstripped while leaving other things alone (we already have code to do this).
  2. Seems like a terrible hack. I'm totally against this.

3, 4. I'm equally okay with either of these, with an exception (see below).

Overall opinion: 4 = 3 > 1 > 2

The other thing to note is that I found this bug while investigating bug #61248, and I think that method 3 or 4 could potentially solve both of these at once (and there's a chance one of them could solve bug #25417, in which case I'd definitely prefer that one, killing 3 birds with one stone).

Jackmcbarn added a comment.Feb 13 2014, 3:16 AM

Note that with Parsoid's implementation of Cite, neither this bug nor either of the others I linked above occur.

gerritbot added a comment.Nov 5 2014, 5:44 PM

Change 171290 had a related patch set uploaded by Anomie:
Add mw.text.unstripNoWiki, mw.text.killMarkers, fix mw.text.unstrip

https://gerrit.wikimedia.org/r/171290

gerritbot added a comment.Dec 1 2014, 9:42 PM

Change 171290 merged by jenkins-bot:
Add mw.text.unstripNoWiki, mw.text.killMarkers, fix mw.text.unstrip

https://gerrit.wikimedia.org/r/171290

Anomie closed this task as Resolved.Dec 1 2014, 10:04 PM
Anomie claimed this task.

This should be deployed to WMF wikis with 1.25wmf11, see https://www.mediawiki.org/wiki/MediaWiki_1.25/Roadmap for the schedule.

mxn mentioned this in T76844: Deploy DynamicPageListEngine extension to Vietnamese Wiktionary.Dec 5 2014, 9:40 AM
Rillke mentioned this in T78171: Make a subset of API query modules available to the Lua scripting environment.Dec 10 2014, 6:06 PM
RandomDSdevel awarded a token.Dec 15 2014, 11:18 PM
Majr mentioned this in T88964: Arbitrary HTML output possible.Feb 9 2015, 9:27 AM
Rical subscribed.Feb 27 2015, 10:25 PM
Anomie mentioned this in T133543: Epic: allow scribunto Lua modules to accept input as parsoid DOM instead of classic parser internal structures.Apr 26 2016, 2:25 PM
Rical unsubscribed.Jul 21 2017, 9:42 AM
Anomie mentioned this in T201171: Create a Scribunto interface for the Variables extension.Aug 15 2018, 6:15 PM
Anomie mentioned this in T138229: math ml rendering changes and scribunto.Dec 7 2018, 3:43 PM
Anomie mentioned this in T238192: add tag parameter(s) to mw.text.unstrip().Nov 13 2019, 5:14 PM
Aklapper removed subscribers: Anomie, wikibugs-l-list.Oct 16 2020, 5:41 PM
Restricted Application added a subscriber: jeblad. · View Herald TranscriptOct 16 2020, 5:41 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL