[Wikidata-bugs] [Maniphest] [Commented On] T186726: Security review WikibaseLexeme extension

2018-03-19 Thread WMDE-leszek
WMDE-leszek added a comment.
Hi @Bawolff, it's me again. With https://gerrit.wikimedia.org/r/418715 would you be able to claim the security review was done?

TASK DETAIL
https://phabricator.wikimedia.org/T186726

EMAIL PREFERENCES
https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: Bawolff, WMDE-leszek
Cc: Jakob_WMDE, Jonas, gerritbot, Aklapper, Lucas_Werkmeister_WMDE, Ladsgroup, thiemowmde, Lydia_Pintscher, WMDE-leszek, Versusxo, Majesticalreaper22, Ahmed123, Tamgue, Giuliamocci, Adrian1985, Cpaulf30, Lahi, Gq86, Baloch007, Darkminds3113, Lordiis, Cinemantique, GoranSMilovanovic, Adik2382, Th3d3v1ls, Ramalepe, Liugev6, QZanden, EBjune, LawExplorer, Lewizho99, Maathavan, dpatrick, Luke081515, Wikidata-bugs, aude, JanZerebecki, Darkdadaah, csteipp, Mbch331, Jay8g, Legoktm
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs


[Wikidata-bugs] [Maniphest] [Commented On] T186726: Security review WikibaseLexeme extension

2018-03-12 Thread gerritbot
gerritbot added a comment.
Change 418715 merged by jenkins-bot:
[mediawiki/extensions/WikibaseLexeme@master] Escape HTML in comma-separator message in FormsView

https://gerrit.wikimedia.org/r/418715


[Wikidata-bugs] [Maniphest] [Commented On] T186726: Security review WikibaseLexeme extension

2018-03-11 Thread gerritbot
gerritbot added a comment.
Change 418715 had a related patch set uploaded (by Thiemo Kreuz (WMDE); owner: Thiemo Kreuz (WMDE)):
[mediawiki/extensions/WikibaseLexeme@master] Escape HTML in comma-separator message in FormsView

https://gerrit.wikimedia.org/r/418715


[Wikidata-bugs] [Maniphest] [Commented On] T186726: Security review WikibaseLexeme extension

2018-03-10 Thread Bawolff
Bawolff added a comment.
re: FormIdFormatter and SenseIdFormatter - I thought they might later be extended to a real implementation, which is why I was concerned, but as long as it's just a dummy implementation that's eventually going away, that's all cool.

re: click-jacking: Yeah, it really is a wikidata issue. It does not block deployment of wikibaselexeme. As long as someone intends to look into the issue, I'm happy.

comma-separator is a message from core, and intentionally contains HTML (but no wiki syntax). As far as I can see we are using it correctly. Yes, we are aware messages with HTML are problematic, and we avoid it whenever possible.

In MediaWiki core, that message is always used as wfMessage( 'comma-separator' )->escaped(); WikibaseLexeme should similarly escape it. (In mediawiki core, the wfMessage()->escaped() format does not double encode entities, so  stays as  after escaping).



So I'd still like to see the comma-separator thing changed (which is a very minor issue), but otherwise this looks good and is good to go.
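As an added illustration of the escaping point in the comment above (not code from WikibaseLexeme or MediaWiki core), the PHP below mirrors the htmlspecialchars( ..., ENT_QUOTES, 'UTF-8', false ) call that core's Message::escaped() relies on, and compares embedding a separator message unescaped versus escaped. The view functions, the sample items and the "locally overridden" separator value are constructed for this example.

```php
<?php
// Added illustration, not the extension's or MediaWiki core's code.

// Stand-in for Message::escaped(): core escapes with double_encode = false,
// so a character reference already present in the message is left alone.
function escapedMessage( string $rawMessage ): string {
    return htmlspecialchars( $rawMessage, ENT_QUOTES, 'UTF-8', false );
}

// Constructed view code: join already-escaped item representations into one
// HTML fragment. The separator comes from a message that may contain HTML.
function renderUnsafe( array $items, string $separatorMessage ): string {
    // Defect pattern the review asked to change: the items are escaped,
    // but the message text is concatenated into the HTML as-is.
    return implode( $separatorMessage, array_map( 'htmlspecialchars', $items ) );
}

function renderSafe( array $items, string $separatorMessage ): string {
    // Escape the message too; entities it intentionally carries survive.
    return implode( escapedMessage( $separatorMessage ), array_map( 'htmlspecialchars', $items ) );
}

$items = [ 'colour', 'color' ];

// The separator message is comma plus a numeric character reference for the
// space (written as an entity so the trailing space is not trimmed away).
$default = ',&#32;';
echo renderSafe( $items, $default ), "\n";
// -> colour,&#32;color   (no double encoding: &#32; is kept, not &amp;#32;)

// Constructed value standing in for a wiki where MediaWiki:Comma-separator
// was overridden with markup. Unescaped, the markup reaches the page.
$overridden = ', <b>!</b>';
echo renderUnsafe( $items, $overridden ), "\n";
// -> colour, <b>!</b>color          (markup is live HTML)
echo renderSafe( $items, $overridden ), "\n";
// -> colour, &lt;b&gt;!&lt;/b&gt;color   (markup is inert text)

// For contrast: escaping with double_encode = true would turn the default
// separator into "colour,&amp;#32;color", rendering a literal "&#32;".
echo htmlspecialchars( $default, ENT_QUOTES, 'UTF-8', true ), "\n";
// -> ,&amp;#32;
```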


[Wikidata-bugs] [Maniphest] [Commented On] T186726: Security review WikibaseLexeme extension

2018-03-08 Thread WMDE-leszek
WMDE-leszek added a comment.
Thanks a lot @Bawolff for the review. We believe we've addressed all the issues pointed out, as elaborated above by @thiemowmde. Could you please have another look whether we're good now?
As mentioned above, some of the issues were not "fixed". If you think those still need to be addressed, please say so (e.g. if you are convinced this is the time Wikibase in general should solve the click-jacking issue). We would appreciate any other remedy suggestion wherever you have one!


[Wikidata-bugs] [Maniphest] [Commented On] T186726: Security review WikibaseLexeme extension

2018-03-05 Thread gerritbot
gerritbot added a comment.
Change 416406 merged by jenkins-bot:
[mediawiki/extensions/WikibaseLexeme@master] Add missing htmlspecialchars() to SensesView

https://gerrit.wikimedia.org/r/416406


[Wikidata-bugs] [Maniphest] [Commented On] T186726: Security review WikibaseLexeme extension

2018-03-05 Thread gerritbot
gerritbot added a comment.
Change 416406 had a related patch set uploaded (by Thiemo Kreuz (WMDE); owner: Thiemo Kreuz (WMDE)):
[mediawiki/extensions/WikibaseLexeme@master] Add missing htmlspecialchars() to SensesView

https://gerrit.wikimedia.org/r/416406


[Wikidata-bugs] [Maniphest] [Commented On] T186726: Security review WikibaseLexeme extension

2018-03-02 Thread thiemowmde
thiemowmde added a comment.
I added the WIP originally. The only open dependency is a separate security review of https://github.com/wmde/php-vuejs-templating, which needs a separate #security-reviews ticket. Everything else is resolved, so this is ready to go from my point of view. :-)