2024-10-15 02:22:34
|
<Krinkle>
|
Reedy: nice idea, I'll add a structure test for content hash to discourage future changes.
|
2024-10-15 12:48:12
|
<MatmaRex>
|
i've been reviewing copyright messages for https://phabricator.wikimedia.org/T375789, and here's my favorite find so far: https://de.wiktionary.org/w/index.php?title=MediaWiki:Wikimedia-copyright&action=edit
|
2024-10-15 13:29:36
|
<Krinkle>
|
"/wiki/{{UCFIRST:{{PAGENAME}}}}" is frightening
|
2024-10-15 13:29:41
|
<Krinkle>
|
given raw HTML
|
2024-10-15 13:30:33
|
<Krinkle>
|
It helps that < is invalid in page titles, and the #if condition asserts existence
|
2024-10-15 13:37:09
|
<tgr|away>
|
It's still just one unnoticed page creation away from a hover XSS
|
2024-10-15 13:38:04
|
<tgr|away>
|
though I guess it would only work on that weirdly named page so not very serious
|
2024-10-15 13:40:34
|
<tgr|away>
|
not sure if there is any technique these days to have JS executed on load from an injected attribute, that would have some real-world abuse potential
|
2024-10-15 13:42:54
|
<MatmaRex>
|
ugh, you're right, i didn't even think of that
|
2024-10-15 13:43:23
|
<MatmaRex>
|
i'll do something about this
|
2024-10-15 13:44:55
|
<tgr|away>
|
wow that's horrible, they use it to generate a top-of-the-page notice (moved by JS I guess?)
|
2024-10-15 13:45:37
|
<tgr|away>
|
nvm, I got confused
|
2024-10-15 13:45:47
|
<tgr|away>
|
not sure where it shows up then, though
|
2024-10-15 13:46:03
|
<tgr|away>
|
something like https://de.wiktionary.org/wiki/Gut should show a link in theory?
|
2024-10-15 13:46:39
|
<Lucas_WMDE>
|
tgr|away: yes, „Abrufstatistik“ at the very bottom
|
2024-10-15 13:46:45
|
<Lucas_WMDE>
|
between „Letzte Änderung“ and „Der Text ist unter…“
|
2024-10-15 13:47:55
|
<MatmaRex>
|
yes, the "Siehe auch" at the top comes from that message
|
2024-10-15 13:48:22
|
<MatmaRex>
|
but it's reformatted by JS, the absolute positioning styles look like they may have worked on MonoBook
|
2024-10-15 13:50:51
|
<Lucas_WMDE>
|
it looks alright to me in (non-2022) vector too
|
2024-10-15 13:50:59
|
<Lucas_WMDE>
|
but yeah in vector-2022 it’s terrible
|
2024-10-15 13:51:04
|
<MatmaRex>
|
hmm, it looks like {{PAGENAME}} actually escapes " as HTML entity, so there's probably no XSS in that code
|
2024-10-15 14:06:58
|
<tgr|away>
|
good to know, thanks for checking
|
2024-10-15 14:08:24
|
<MatmaRex>
|
(my test case was a page titled `Test" onmouseover="alert(); //`)
|
2024-10-15 14:21:29
|
<Krinkle>
|
(from tech discussion meeting) Examples of `yield` in our code bases: https://codesearch.wmcloud.org/deployed/?q=yield.*%3D%3E&files=phpunit&excludeFiles=&repos=
|
2024-10-15 14:21:36
|
<Krinkle>
|
in phpunit context, that is.
|
2024-10-15 14:22:58
|
<Lucas_WMDE>
|
`yield` is awesome for data providers 👍
|
2024-10-15 14:54:12
|
<Krinkle>
|
MatmaRex: yep, just noticed the same. The quote ends up html escaped in the attribute value. And, this doesn't break #ifeq because ParserFunctions calls decodeTrimExpand / Sanitizer::decodeCharReferences.
|
2024-10-15 14:55:04
|
<Krinkle>
|
i.e. opposite of wfEscapeWikiText
|