[go: up one dir, main page]
Page MenuHomePhabricator
Create Task
Maniphest T303735

SecurePoll improperly lists users with usernames starting with an asterix
Closed, ResolvedPublicBUG REPORT
Actions

Description

List of steps to reproduce (step by step, including full links if applicable):

  • Vote in a securepoll while having a username that starts with *

What happens?:

  • The * is interpreted as a formatting character when listing voters (See screen shot below)

What should have happened instead?:

  • The username should be presented literally

Software version (if not a Wikimedia wiki), browser information, screenshots, other information, etc.:
Example user: https://meta.wikimedia.org/wiki/User:*Youngjin

Live "list voters" https://vote.wikimedia.org/wiki/Special:SecurePoll/list/1341

image.png (100×919 px, 2 KB)

Details

SubjectRepoBranchLines +/-
ListPager: Introduce an escaped param for voter name messagemediawiki/extensions/SecurePollmaster+2 -2
Customize query in gerrit

Event Timeline

Xaosflux created this task.Mar 14 2022, 3:05 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 14 2022, 3:05 PM
Reedy renamed this task from Securepoll improperly lists users with usernames starting with an asterix to SecurePoll improperly lists users with usernames starting with an asterix .Mar 14 2022, 3:48 PM
Reedy updated the task description. (Show Details)
Reedy subscribed.Mar 14 2022, 3:54 PM

The whole row is (with a hidden ::marker)

<tr>
<td class="TablePager_col_vote_id">7 March 2022</td>
<td class="TablePager_col_vote_voter_name"><ul><li>Youngjin</li></ul></td>
<td class="TablePager_col_vote_voter_domain">ko.wikipedia.org</td>
</tr>

And I'm guessing it's due to the parse() in ListPager.php

			case 'vote_voter_name':
				$msg = $voter->isRemote(
				) ? 'securepoll-voter-name-remote' : 'securepoll-voter-name-local';

				return $this->msg(
					$msg,
					[ $value ]
				)->parse();

Messages being used

	"securepoll-voter-name-local": "[[User:$1|$1]]",
	"securepoll-voter-name-remote": "$1",
Reedy added a comment.EditedMar 14 2022, 3:57 PM
> var_dump( wfMessage( 'securepoll-voter-name-local', [ '*Youngjin' ] )->parse() );
string(144) "<a href="/w/index.php?title=User:*Youngjin&amp;action=edit&amp;redlink=1" class="new" title="User:*Youngjin (page does not exist)">*Youngjin</a>"
> var_dump( wfMessage( 'securepoll-voter-name-remote', [ '*Youngjin' ] )->parse() );
string(26) "<ul><li>Youngjin</li></ul>"
Base subscribed.Mar 14 2022, 5:11 PM
MZMcBride subscribed.Mar 14 2022, 9:19 PM
AntiCompositeNumber subscribed.Mar 18 2022, 2:31 AM

The simple solution would be to change securepoll-voter-name-remote from $1 to <nowiki>$1</nowiki>. Or we could change it to a CentralAuth link (unless we run elections from private/fishbowl wikis?). securepoll-voter-name-local should be fine because the username's in a link already.

gerritbot added a comment.Mar 27 2022, 6:24 AM

Change 773989 had a related patch set uploaded (by Func; author: Func):

[mediawiki/extensions/SecurePoll@master] ListPager: Use plaintextParams() for user name

https://gerrit.wikimedia.org/r/773989

gerritbot added a project: Patch-For-Review.Mar 27 2022, 6:24 AM
gerritbot added a comment.Mar 31 2022, 11:31 AM

Change 773989 merged by jenkins-bot:

[mediawiki/extensions/SecurePoll@master] ListPager: Introduce an escaped param for voter name message

https://gerrit.wikimedia.org/r/773989

ReleaseTaggerBot added a project: MW-1.39-notes (1.39.0-wmf.6; 2022-04-04).Mar 31 2022, 12:00 PM
matmarex closed this task as Resolved.Mar 31 2022, 12:02 PM
matmarex assigned this task to Func.
Maintenance_bot removed a project: Patch-For-Review.Mar 31 2022, 12:10 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits