Fork me on GitHub

Wikimedia IRC logs browser - #mediawiki-core

Filter:
Start date
End date

Displaying 28 items:

2024-10-15 02:22:34 <Krinkle> Reedy: nice idea, I'll add a structure test for content hash to discourage future changes.
2024-10-15 12:48:12 <MatmaRex> i've been reviewing copyright messages for https://phabricator.wikimedia.org/T375789, and here's my favorite find so far: https://de.wiktionary.org/w/index.php?title=MediaWiki:Wikimedia-copyright&action=edit
2024-10-15 13:29:36 <Krinkle> "/wiki/{{UCFIRST:{{PAGENAME}}}}" is frightening
2024-10-15 13:29:41 <Krinkle> given raw HTML
2024-10-15 13:30:33 <Krinkle> It helps that < is invalid in page titles, and the #if condtion asserts existence
2024-10-15 13:37:09 <tgr|away> It's still just one unnoticed page creation away from a hover XSS
2024-10-15 13:38:04 <tgr|away> though I guess it would only work on that weirdly named page so not very serious
2024-10-15 13:40:34 <tgr|away> not sure if there is any technique these days to have JS executed on load from an injected attribute, that would have some real-world abuse potential
2024-10-15 13:42:54 <MatmaRex> ugh, you're right, i didn't even think of that
2024-10-15 13:43:23 <MatmaRex> i'll do something about this
2024-10-15 13:44:55 <tgr|away> wow that's horrible, they use it to generate a top-of-the-page notice (moved by JS I guess?)
2024-10-15 13:45:37 <tgr|away> nvm, I got confused
2024-10-15 13:45:47 <tgr|away> not sure where it shows up then, though
2024-10-15 13:46:03 <tgr|away> something like https://de.wiktionary.org/wiki/Gut should show a link in theory?
2024-10-15 13:46:39 <Lucas_WMDE> tgr|away: yes, „Abrufstatistik“ at the very bottom
2024-10-15 13:46:45 <Lucas_WMDE> between „Letzte Änderung“ and „Der Text ist unter…“
2024-10-15 13:47:55 <MatmaRex> yes, the "Siehe auch" at the top comes from that message
2024-10-15 13:48:22 <MatmaRex> but it's reformatted by JS, the absolute positioning styles look like they may have worked on MonoBook
2024-10-15 13:50:51 <Lucas_WMDE> it looks alright to me in (non-2022) vector too
2024-10-15 13:50:59 <Lucas_WMDE> but yeah in vector-2022 it’s terrible
2024-10-15 13:51:04 <MatmaRex> hmm, it looks like {{PAGENAME}} actually escapes " as HTML entity, so there's probably no XSS in that code
2024-10-15 14:06:58 <tgr|away> good to know, thanks for checking
2024-10-15 14:08:24 <MatmaRex> (my test case was a page titled `Test" onmouseover="alert(); //`)
2024-10-15 14:21:29 <Krinkle> (from tech discussion meeting) Examples of `yield` in our code bases: https://codesearch.wmcloud.org/deployed/?q=yield.*%3D%3E&files=phpunit&excludeFiles=&repos=
2024-10-15 14:21:36 <Krinkle> in phpunit context, that is.
2024-10-15 14:22:58 <Lucas_WMDE> `yield` is awesome for data providers 👍
2024-10-15 14:54:12 <Krinkle> MatmaRex: yep, just noticed the same. The quote ends up html escaped in the attribute value. And, this doesn't break #ifeq because ParserFunctions calls decodeTrimExpand / Sanitizer::decodeCharReferences.
2024-10-15 14:55:04 <Krinkle> i.e. opposite of wfEscapeWikiText

This page is generated from SQL logs, you can also download static txt files from here