[Bug 19291] Mechanism to find usages of raw-html messages
https://bugzilla.wikimedia.org/show_bug.cgi?id=19291

Quim Gil changed:

What     | Removed | Added
Priority | Low     | Lowest
CC       |         | dga...@wikimedia.org, q...@wikimedia.org

--- Comment #6 from Quim Gil ---
(In reply to Niklas Laxström from comment #5)
> I just don't believe anyone will have time to work on this.

This seems to be the case still. Setting priority to Lowest to reflect this fact.

--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
___
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l

[Bug 19291] Mechanism to find usages of raw-html messages
https://bugzilla.wikimedia.org/show_bug.cgi?id=19291

--- Comment #5 from Niklas Laxström 2012-10-24 19:01:06 UTC ---
Siebrand: there are ways as mentioned above. I just don't believe anyone will have time to work on this. I hope this won't come to bite us later.

[Bug 19291] Mechanism to find usages of raw-html messages
https://bugzilla.wikimedia.org/show_bug.cgi?id=19291

Siebrand changed:

What | Removed | Added
CC   |         | s.mazel...@xs4all.nl

--- Comment #4 from Siebrand 2012-10-24 17:31:22 UTC ---
Suggesting WONTFIX here, Niklas. There isn't really a way to find this out. As long as $context->msg() or wfMessage() is used, even Message::text() and Message::plain() can be escaped or parsed later on, so there's not really an indicator.

During the recent updates from wfMsg* to wfMessage, many problems have been resolved (and some new ones have been introduced, overescaping accidentally), so the issue of outputting raw HTML should be smaller now, albeit not gone.

From what I can see, proper auditing on review is the only option for now (and being warned by users).

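An added example, not part of the original thread or of MediaWiki's code: a line-based review aid that flags `->text()` / `->plain()` results reaching `addHTML()` without an escaping call. The PHP sample and the list of escaping calls are constructed assumptions, and the last sample line shows the blind spot comment #4 describes, where the escaping decision happens somewhere the scanner cannot see.

```python
import re

# Constructed PHP fragments for illustration; not taken from MediaWiki.
SAMPLE_PHP = '''
$out->addHTML( wfMessage( 'foo-intro' )->text() );
$out->addHTML( htmlspecialchars( wfMessage( 'foo-intro' )->text() ) );
$out->addHTML( wfMessage( 'foo-intro' )->escaped() );
$label = $this->msg( 'foo-label' )->plain();
$out->addHTML( Html::element( 'b', [], $label ) );
$out->addHTML( "<b>$label</b>" );
return wfMessage( 'foo-title' )->text();
'''.strip()

# A message fetched in a form that is not HTML-escaped.
MSG_CALL = re.compile(r"(?:wfMessage|->msg)\s*\(.*?\)\s*->(?:text|plain)\s*\(\s*\)")
ASSIGN = re.compile(r"^\s*(\$\w+)\s*=")
# Calls assumed to escape their argument (deliberately short list).
ESCAPERS = ("htmlspecialchars(", "Html::element(")


def audit(php_source):
    """Return (line_no, line) pairs where an unescaped message reaches addHTML()."""
    findings = []
    unescaped_vars = set()
    for line_no, line in enumerate(php_source.splitlines(), 1):
        has_msg = MSG_CALL.search(line) is not None
        assigned = ASSIGN.match(line)
        if has_msg and assigned:
            # Remember the variable; whether it is a problem depends on later use.
            unescaped_vars.add(assigned.group(1))
            continue
        if "addHTML(" not in line:
            # e.g. the `return` on line 7: what the caller does is out of view.
            continue
        uses_var = any(re.search(re.escape(v) + r"\b", line) for v in unescaped_vars)
        escaped = any(e in line for e in ESCAPERS)
        if (has_msg or uses_var) and not escaped:
            findings.append((line_no, line.strip()))
    return findings


if __name__ == "__main__":
    for line_no, line in audit(SAMPLE_PHP):
        print(f"line {line_no}: {line}")
```

Findings from a scan like this are candidates for manual review, not a verdict: it only follows straight-line flows inside one file.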
[Bug 19291] Mechanism to find usages of raw-html messages
https://bugzilla.wikimedia.org/show_bug.cgi?id=19291

--- Comment #3 from Antoine "hashar" Musso 2012-10-06 06:12:46 UTC ---
Not really. That is more a general MediaWiki issue and how we do not detect user input being passed directly to output without proper escaping.

The PHP taint extension is exactly what we could use though it is very unlikely we will ever require such an extension as a dependency.

I know of facebook/p which is an Objective Caml analyzer for PHP which *might* be able to detect such issues. Anyway not an easy task with the PHP language.

[Bug 19291] Mechanism to find usages of raw-html messages
https://bugzilla.wikimedia.org/show_bug.cgi?id=19291

Nemo_bis changed:

What | Removed | Added
CC   |         | federicol...@tiscali.it, has...@free.fr

--- Comment #2 from Nemo_bis 2012-10-03 07:05:24 UTC ---
Should this be part of the testing infrastructure?

[Bug 19291] Mechanism to find usages of raw-html messages
https://bugzilla.wikimedia.org/show_bug.cgi?id=19291

Brion Vibber changed:

What   | Removed | Added
CC     |         | br...@wikimedia.org
Blocks | 209     | 212

--- Comment #1 from Brion Vibber 2009-06-23 23:08:12 UTC ---
Switching blocker from bug 209 to bug 212, which is more directly relevant.