Tgr created this task.
Tgr added projects: Reading-Infrastructure-Team-Backlog, Security-Extensions, MediaWiki-extensions-WikibaseClient, Security.
Herald added a subscriber: Aklapper.
Herald added a project: Wikidata.

TASK DESCRIPTION

Page descriptions coming from Wikidata (whether via the "description" property of the linked Wikibase repo item or a {{SHORTDESC:}} magic word in the local page) can contain raw HTML such as script tags. This is not a bug - the description is plain text, and plain text can happen to be <script> or such. But it's probably easy for clients to miss, and might lead to vulnerabilities if they display the description without encoding in an HTML context. (Of course, if you insert unencoded strings into HTML carelessly, that generally leads to vulnerabilities, but MediaWiki mostly protects clients from that - e.g. page titles or usernames can't have dangerous content, and content HTML itself is of course sanitized.)

I would appreciate some guidance from the Security team on how to handle data like that. Is this fine and the responsibility is all on the client's side to handle it safely? Should we encode it and inconvenience non-HTML clients? Should we do some kind of sanitization? Should we keep track of such fields somewhere / warn about them in some specific way?
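The client-side point above, as an added example that is not part of the task or of MediaWiki's own code: the API response is constructed (modelled on a `description` field per page, not a captured response), and the helper names `escapeHtml`, `renderUnsafe`, `renderSafe` and `looksLikeMarkup` are hypothetical. It shows the mistake a client can make by treating the description as markup, the encoding that fixes it, and a cheap check a client could use to log descriptions that contain HTML-significant characters.

```javascript
// Added example (not from the task or MediaWiki): handling a plain-text page
// description safely when a client inserts it into an HTML context.

// Constructed sample response; the second description deliberately contains
// HTML-significant characters, which the text above says is legal plain text.
const sampleApiResponse = {
  query: {
    pages: [
      { pageid: 1, title: "Example", description: "A test page" },
      { pageid: 2, title: "Trap", description: '<script>x</script> & "quoted" <b>bold</b>' },
    ],
  },
};

// Encode the five HTML-significant characters so the string is shown literally.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Unsafe pattern: the description is concatenated into markup unchanged, so
// any tags it happens to contain become live HTML in the client's page.
function renderUnsafe(page) {
  return `<p class="description">${page.description}</p>`;
}

// Safe pattern: the description stays plain text; encoding happens at the
// point where the text crosses into an HTML context, not in the API.
function renderSafe(page) {
  return `<p class="description">${escapeHtml(page.description)}</p>`;
}

// Hypothetical check a client could use to log or audit descriptions that
// would be dangerous if mishandled; it is not a sanitizer.
function looksLikeMarkup(description) {
  return /[<>&"']/.test(String(description));
}

// Render every page in a response with the safe pattern.
function renderAll(response) {
  return response.query.pages.map(renderSafe).join("\n");
}

module.exports = { sampleApiResponse, escapeHtml, renderUnsafe, renderSafe, looksLikeMarkup, renderAll };
```

In a browser the same distinction is `element.textContent = page.description` (safe, text) versus `element.innerHTML = ...` (markup); the encoding helper above is only needed when the client builds an HTML string itself.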


TASK DETAIL
https://phabricator.wikimedia.org/T196892


To: Tgr
Cc: Aklapper, Tgr, Lahi, Gq86, GoranSMilovanovic, QZanden, HJiang-WMF, LawExplorer, dpatrick, Luke081515, Wikidata-bugs, aude, GWicke, Bawolff, Stype_and_Co.-WMF, Jalexander, Parent5446, Anomie, Grunny, Jdforrester-WMF, MaxSem, csteipp, Mbch331, Jay8g, Legoktm
_______________________________________________
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs