[go: up one dir, main page]
Page MenuHomePhabricator
Create Task
Maniphest T181562

ArticlePlaceholder page for Wikidata item with HTML tags in label results in MalformedTitleException
Closed, ResolvedPublic
Actions

Description

The art group “!Mediengruppe Bitnik” published a book with the lovely title “<script>!Mediengruppe Bitnik</script>”, which hilariously demonstrates an XSS vulnerability in a whole slew of book shop homepages and related websites (see their Twitter feed for some examples) – including, as the book has a Wikidata item (Q43981055), several Wikidata-related tools, e. g. on tools.wmflabs.org (some of them fixed already, some not yet as of this writing).

ArticlePlaceholder is, thankfully, not directly susceptible to XSS, but it does result in a MalformedTitleException (example). It probably shouldn’t – either it should display the actual title, or, if that’s too difficult due to MediaWiki limitations (Wikibase manages it, but afaik it does this by completely overriding the MediaWiki-provided title element, so that it can insert the entity ID), use some replacement for the forbidden characters.

This was discovered by @Sjoerddebruin.

Details

SubjectRepoBranchLines +/-
Properly catch MalformedTitleException in AboutTopicRenderermediawiki/extensions/ArticlePlaceholdermaster+21 -6
Customize query in gerrit

Related Objects

Event Timeline

Lucas_Werkmeister_WMDE created this task.Nov 28 2017, 8:29 PM
Restricted Application added a project: Wikidata. · View Herald TranscriptNov 28 2017, 8:29 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Lucas_Werkmeister_WMDE renamed this task from ArticlePlaceholder page for Wikidata item with HTML tags in title results in MalformedTitleException to ArticlePlaceholder page for Wikidata item with HTML tags in label results in MalformedTitleException.Nov 28 2017, 8:29 PM
Sjoerddebruin merged a task: T187000: Special:AboutTopic fails with MalformedTitleException on Wikidata labels with "<".Feb 12 2018, 10:31 AM
Sjoerddebruin added a subscriber: Fomafix.
gerritbot subscribed.Feb 12 2018, 2:36 PM

Change 409898 had a related patch set uploaded (by Thiemo Kreuz (WMDE); owner: Thiemo Kreuz (WMDE)):
[mediawiki/extensions/ArticlePlaceholder@master] Properly catch MalformedTitleException in AboutTopicRenderer

https://gerrit.wikimedia.org/r/409898

gerritbot added a project: Patch-For-Review.Feb 12 2018, 2:36 PM
thiemowmde claimed this task.Feb 12 2018, 2:38 PM
thiemowmde triaged this task as Medium priority.
thiemowmde moved this task from Incoming to Review on the ArticlePlaceholder board.
thiemowmde added projects: patch-welcome, good first task.
thiemowmde added subscribers: thiemowmde, Lucie, Lydia_Pintscher.

I was able to reproduce this locally quite easily. It's an actual bug in the code. The code assumed all Wikibase entity labels are valid MediaWiki page names, but that was not always the case. I uploaded a quick fix.

Kizule moved this task from Backlog to Doing on the good first task board.May 17 2018, 4:36 PM
gerritbot added a comment.Jun 5 2018, 5:18 PM

Change 409898 merged by jenkins-bot:
[mediawiki/extensions/ArticlePlaceholder@master] Properly catch MalformedTitleException in AboutTopicRenderer

https://gerrit.wikimedia.org/r/409898

ReleaseTaggerBot added a project: MW-1.32-notes (WMF-deploy-2018-06-12 (1.32.0-wmf.8)).Jun 5 2018, 6:00 PM
Addshore closed this task as Resolved.Sep 18 2018, 12:32 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits