https://bugzilla.wikimedia.org/show_bug.cgi?id=68932
Matthew Flaschen <mflasc...@wikimedia.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mflasc...@wikimedia.org

--- Comment #9 from Matthew Flaschen <mflasc...@wikimedia.org> ---
(In reply to Erik Bernhardson from comment #7)
> I can confirm that just defining the categoryTreeLoadChildren allows
> everything to succeed, it seems we need to catch and ignore any errors
> caused by inserting user content. I took a look over the related code, but
> not sure how to accomplish this.

We shouldn't be running this JS at all. User wikitext content should obviously not have JavaScript (and does not, unless we have a critical XSS), and neither should well-written extensions (they have JS, but not inline JS in rendered user content).

If we're not running the JavaScript, we thus don't need to catch exceptions.

For CategoryTree itself, it should not be an issue going forward. The call to categoryTreeLoadChildren was removed in daf3e2d9f1ae0fe0a085079d56ab535edcf27fae (Brian Wolff removed wgCategoryTreeDynamicTag, since it was broken).

I am also removing a little unreachable code that (if reachable) would have called another function (categoryTreeExpandNode):

https://gerrit.wikimedia.org/r/#/c/170288/ (pending review)

categoryTreeLoadChildren now appears nowhere in the extension.

However, existing posts would need to be re-converted from wikitext (however Parsoid normally does this, purging?) if they still have the old call in their rendering.

But since we may or may not want to do that purge (and it wouldn't fix future extensions that tried the same thing), I suggest we strip JavaScript as a general rule. This can be done in our Parsoid/Fixer stage.
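
The general rule suggested in the comment above (strip JavaScript from rendered content), as an added example; it is not Flow's Parsoid/Fixer code or anything taken from the bug. The function name, the set of URL attributes checked and the sample markup are assumptions constructed for illustration.

```php
<?php
// Added example: a hypothetical stand-alone pass, not Flow's own Fixer code.

/**
 * Remove executable JavaScript from a rendered HTML fragment:
 * <script> elements, on* event-handler attributes and javascript: URLs.
 */
function stripInlineJavaScript(string $html): string {
    $dom = new DOMDocument();
    libxml_use_internal_errors(true); // tolerate tags libxml does not know
    $dom->loadHTML(
        '<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
        . '</head><body>' . $html . '</body></html>'
    );
    libxml_clear_errors();
    $xpath = new DOMXPath($dom);

    // 1. <script> elements never belong in rendered user content.
    foreach (iterator_to_array($xpath->query('//script')) as $script) {
        $script->parentNode->removeChild($script);
    }
    // 2. Inline event handlers (onclick, onload, ...); the HTML parser
    //    lowercases attribute names, so a plain prefix match is enough.
    foreach (iterator_to_array($xpath->query('//@*[starts-with(name(), "on")]')) as $attr) {
        $attr->ownerElement->removeAttributeNode($attr);
    }
    // 3. javascript: URLs. Whitespace and control characters are dropped
    //    before comparing, since browsers ignore them inside the scheme.
    $urlAttrs = '//@href | //@src | //@action | //@formaction';
    foreach (iterator_to_array($xpath->query($urlAttrs)) as $attr) {
        $value = strtolower(preg_replace('/[\x00-\x20]+/', '', $attr->value));
        if (strpos($value, 'javascript:') === 0) {
            $attr->ownerElement->removeAttributeNode($attr);
        }
    }
    // Serialize only the fragment, not the wrapper document.
    $out = '';
    foreach ($dom->getElementsByTagName('body')->item(0)->childNodes as $child) {
        $out .= $dom->saveHTML($child);
    }
    return $out;
}

// Constructed sample: a stored rendering that still carries the old inline calls.
$rendered = '<p>Topic text</p>'
    . '<a href="#" onclick="categoryTreeLoadChildren(\'Foo\', 0, this)">expand</a>'
    . '<a href="JavaScript:categoryTreeExpandNode()">more</a>'
    . '<script>alert(1)</script>';
echo stripInlineJavaScript($rendered), "\n";
```

Because the pass removes the handlers rather than wrapping them in try/catch, a stale rendering that still references a function such as categoryTreeLoadChildren has nothing left to execute.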