[22:53:53] wtf https://phabricator.wikimedia.org/T269130 how did we close as invalid and make public a security vulnerability for 10 months before being fixed
[22:54:07] in https://phabricator.wikimedia.org/T293556
[22:54:37] that is a massive failure IMHO
[23:31:35] I might be missing something, but I'm not seeing the connection between the two tickets besides the former using the same prefix as the latter (the ">)
[23:32:28] Reedy's last comment on the former ticket sums it up nicely
[23:32:41] The captions are plaintext, they aren't parsed as wikitext. So clearly there was HTML injection.
[23:33:47] "Digging a bit more, it looks like this has been around for 3 years or so with Ibf6053abb."
[23:33:55] yup, same component, same exploit
[23:34:05] ^^
[23:34:22] oop yeah you're right, I was looking at the file description bit
[23:34:34] which would allow wikitext
[23:38:27] I'm wondering if it was something silly like Reedy not clicking the "more languages" button on the page
[23:38:54] * merryprog clicks "less languages"
[23:42:58] because the one that the reporter said worked was in the ang-language caption
[23:44:19] and User:Reedy_(WMF) has a babel box, so it would only show en by default
[23:49:01] unfortunately time-travelling mind-reading abilities aren't in the Commons admin toolset
[23:51:02] ... yet (T297071)