On 05/19/2014 09:52 AM, Daniel Kinzler wrote:
> Am 18.05.2014 16:29, schrieb Gabriel Wicke:
>> The difference between wrapper and property is actually that using inline
>> wrappers in the returned wikitext would force us to escape similar wrappers
>> from normal template content to avoid opening a gaping XSS hole.
> 
> Please explain, I do not see the hole you mention.
> 
> If the input contained <html>evil stuff</html>, it would just get escaped by the
> preprocessor (unless $wgRawHtml is enabled), as it is now:
> https://de.wikipedia.org/w/api.php?action=expandtemplates&text=%3Chtml%3E%3Cscript%3Ealert%28%27evil%27%29%3C/script%3E%3C/html%3E

What you see there is just unescaped HTML embedded in the XML result format.
It's clearer that there's in fact no escaping on the HTML when looking at
the JSON:

https://de.wikipedia.org/w/api.php?action=expandtemplates&text=%3Chtml%3E%3Cscript%3Ealert%28%27evil%27%29%3C/script%3E%3C/html%3E&format=json

Parsoid depends on there being no escaping for unknown tags (and known
extension tags) in the preprocessor.

So if you use tags, you'll have to add escaping for those.

The move to HTML-based (self-contained) transclusion expansions will avoid
this issue completely. That's a few months out though. Maybe we can find a
stop-gap solution that moves in that direction, without introducing special
tags in expandtemplates that we'll have to support for a long time.

Gabriel

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
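As an added illustration of the wrapper-versus-property distinction discussed in the message above (this is not code from the thread, from MediaWiki or from Parsoid): the snippet below models a hypothetical in-band wrapper tag <tpl-expansion> around each expansion in the expandtemplates result, with and without escaping of look-alike tags in the template content, next to an out-of-band JSON property. The wrapper tag name, the stand-in preprocessor (which, as the mail states, passes unknown tags through unescaped) and the hostile template content are all constructed assumptions.

```javascript
// Added example, not MediaWiki or Parsoid code. Models two ways of marking
// transclusion expansions in an expandtemplates-style result:
//   1. an in-band wrapper tag (naive, then with escaping), and
//   2. an out-of-band JSON property.
// Everything below (tag name, preprocessor stand-in, sample content) is an
// assumption made for the demonstration.

const WRAPPER = 'tpl-expansion'; // hypothetical wrapper tag name

// Stand-in for the preprocessor as the mail describes it: unknown tags in
// template content are not escaped and pass through unchanged.
function expandTemplate(templateBody) {
  return templateBody;
}

// Design 1a: in-band wrapper, no escaping of look-alike tags in the content.
function wrapNaive(name, body) {
  return `<${WRAPPER} name="${name}">${expandTemplate(body)}</${WRAPPER}>`;
}

// Design 1b: in-band wrapper with escaping. Every '<' that starts a wrapper
// open or close tag inside the content is replaced by '&lt;' so the content
// cannot forge a boundary; the consumer reverses this after extraction.
function escapeWrapperTags(s) {
  return s.replace(new RegExp(`<(?=/?${WRAPPER}\\b)`, 'g'), '&lt;');
}
function unescapeWrapperTags(s) {
  return s.replace(new RegExp(`&lt;(?=/?${WRAPPER}\\b)`, 'g'), '<');
}
function wrapEscaped(name, body) {
  const escaped = escapeWrapperTags(expandTemplate(body));
  return `<${WRAPPER} name="${name}">${escaped}</${WRAPPER}>`;
}

// Consumer of the wrapper format: collects every wrapper span plus whatever
// text falls outside the wrappers (text a consumer would not attribute to
// any transclusion).
function parseWrapped(text) {
  const re = new RegExp(`<${WRAPPER} name="([^"]*)">([\\s\\S]*?)</${WRAPPER}>`, 'g');
  const spans = [];
  let outside = '';
  let last = 0;
  let m;
  while ((m = re.exec(text)) !== null) {
    outside += text.slice(last, m.index);
    spans.push({ name: m[1], body: unescapeWrapperTags(m[2]) });
    last = re.lastIndex;
  }
  outside += text.slice(last);
  return { spans, outside };
}

// Design 2: out-of-band property. The expansion is a JSON string value, so no
// byte sequence inside it can be mistaken for a delimiter.
function expandAsProperty(name, body) {
  return JSON.stringify({ name, expansion: expandTemplate(body) });
}
function parseProperty(json) {
  const o = JSON.parse(json);
  return { name: o.name, body: o.expansion };
}

// Constructed template content: closes the wrapper early, drops a script
// outside it and reopens a wrapper so the result still parses.
const HOSTILE =
  `harmless</${WRAPPER}><html><script>alert('evil')</script></html>` +
  `<${WRAPPER} name="Forged">`;

function demo() {
  return {
    naive: parseWrapped(wrapNaive('Infobox', HOSTILE)),
    escaped: parseWrapped(wrapEscaped('Infobox', HOSTILE)),
    prop: parseProperty(expandAsProperty('Infobox', HOSTILE)),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

In the naive case the script block ends up outside every wrapper and a second, forged wrapper appears; with escaping the whole content stays inside the one wrapper and round-trips unchanged; with the property there is nothing to escape at all. The escaping variant also shows the maintenance cost the mail alludes to: as written it would mangle content that legitimately contained the literal text `&lt;tpl-expansion`, so a real scheme needs a fully reversible encoding (escaping `&` as well), which is exactly the kind of special handling a self-contained HTML expansion avoids.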
