[Bug 19528] XSLT parameter to API queries

2010-01-23 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=19528

Bryan Tong Minh  changed:

   What|Removed |Added

 Status|REOPENED|RESOLVED
 Resolution||FIXED

--- Comment #19 from Bryan Tong Minh  2010-01-23 
15:28:42 UTC ---
r61419

-- 
Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are watching all bug changes.

___
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l


[Bug 19528] XSLT parameter to API queries

2010-01-16 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=19528





--- Comment #18 from Tim Starling   2010-01-17 
04:53:55 UTC ---
It's fine, you can revert me.




[Bug 19528] XSLT parameter to API queries

2010-01-16 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=19528


Bryan Tong Minh  changed:

   What|Removed |Added

 CC||tstarl...@wikimedia.org




--- Comment #17 from Bryan Tong Minh   2010-01-16 
21:49:32 UTC ---
I'm passing this through Tim before I apply it, as he changed the mimetype in
r55749.




[Bug 19528] XSLT parameter to API queries

2010-01-16 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=19528


Reedy  changed:

   What|Removed |Added

   Keywords||need-review, patch






[Bug 19528] XSLT parameter to API queries

2009-11-23 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=19528





--- Comment #16 from Bawolff   2009-11-24 03:30:21 UTC ---
Created an attachment (id=6820)
 --> (https://bugzilla.wikimedia.org/attachment.cgi?id=6820)
make it send a mime type that more browsers recognize

This makes the type attribute on  processing
instruction, so that part is not really needed, as old mozilla will not work
regardless.)




[Bug 19528] XSLT parameter to API queries

2009-11-23 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=19528





--- Comment #15 from Bawolff   2009-11-23 23:12:21 UTC ---
Note, in addition, some browsers (older Gecko-based browsers) are strict about
the mime type that the xslt is sent with.

Pretty please (With a cherry on top) make the xslt file be sent with a mime
type of application/xml and change the 

This would actually make this work on a wide variety of browsers.




[Bug 19528] XSLT parameter to API queries

2009-10-02 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=19528





--- Comment #14 from Alexandre Emsenhuber [IAlex]   
2009-10-02 08:41:39 UTC ---
*** Bug 20939 has been marked as a duplicate of this bug. ***




[Bug 19528] XSLT parameter to API queries

2009-09-28 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=19528


Bawolff  changed:

   What|Removed |Added

 CC||bawolff...@gmail.com




--- Comment #13 from Bawolff   2009-09-29 01:36:31 UTC ---
Note, the parameter should add the header:


not


As text/xml is not recognized by all browsers (see [[w:XSLT]]). Internet
Explorer in particular seems to need text/xsl.




[Bug 19528] XSLT parameter to API queries

2009-08-22 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=19528





--- Comment #12 from Tisza Gergő   2009-08-22 18:03:16 UTC ---
You could add a site-wide javascript which checks if the user is on a certain
page, gets the XML file via an AJAX query and adds the XSLT file, but having a
query parameter for it is much more straightforward, and does not require JS
code that will be downloaded by all users but never used by most.




[Bug 19528] XSLT parameter to API queries

2009-08-22 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=19528


Brion Vibber  changed:

   What|Removed |Added

 CC||br...@wikimedia.org
 Status|RESOLVED|REOPENED
 Resolution|FIXED   |




--- Comment #11 from Brion Vibber   2009-08-22 17:20:16 
UTC ---
Can't the client-side processing add in the XSLT reference itself from the
consumed XML? This seems unnecessary.




[Bug 19528] XSLT parameter to API queries

2009-07-14 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=19528


Roan Kattouw  changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution||FIXED






[Bug 19528] XSLT parameter to API queries

2009-07-13 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=19528





--- Comment #10 from Bryan Tong Minh   2009-07-13 
21:38:30 UTC ---
Done in r53194.




[Bug 19528] XSLT parameter to API queries

2009-07-11 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=19528


Platonides  changed:

   What|Removed |Added

 CC||platoni...@gmail.com




--- Comment #9 from Platonides   2009-07-11 20:20:54 UTC 
---
There should also be an option for using its own stylesheets (eg. user Foo can
use User:Foo/skin.xls).
That would need to add that extension as user-page protected. 
At least, the parameter should contain the namespace for future compatibility
of the above use case.




[Bug 19528] XSLT parameter to API queries

2009-07-11 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=19528


Bryan Tong Minh  changed:

   What|Removed |Added

 AssignedTo|roan.katt...@gmail.com  |bryan.tongm...@gmail.com
 Status|REOPENED|NEW




--- Comment #8 from Bryan Tong Minh   2009-07-11 
19:54:50 UTC ---
Should the parameter be xslt= or xsl= ? Furthermore I believe that the
extension should be .xsl, right?




[Bug 19528] XSLT parameter to API queries

2009-07-11 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=19528





--- Comment #7 from Roan Kattouw   2009-07-11 18:28:07 
UTC ---
(In reply to comment #6)
> Created an attachment (id=6322)
>  --> (https://bugzilla.wikimedia.org/attachment.cgi?id=6322) [details]
> Adds xslt parameter to format=xml
> 
> Untested patch that adds a stylesheet declaration in the form
> MediaWiki:.xslt.
> 
Patch reviewed, feel free to commit after testing.

> Possible problems:
> * Content-type: Does it matter for browsers which content type the stylesheet
> is served with?
> * Can the URL be local or is it required to be full?
> * If non-existent title or invalid title is given, fails silently. It could
> throw an error, but maybe it is better if simply the raw XML is given. (Perhaps
> indicate the error in a comment?)
> 
Throwing a warning is probably best.




[Bug 19528] XSLT parameter to API queries

2009-07-11 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=19528





--- Comment #6 from Bryan Tong Minh   2009-07-11 
11:28:09 UTC ---
Created an attachment (id=6322)
 --> (https://bugzilla.wikimedia.org/attachment.cgi?id=6322)
Adds xslt parameter to format=xml

Untested patch that adds a stylesheet declaration in the form
MediaWiki:.xslt.

Possible problems:
* Content-type: Does it matter for browsers which content type the stylesheet
is served with?
* Can the URL be local or is it required to be full?
* If non-existent title or invalid title is given, fails silently. It could
throw an error, but maybe it is better if simply the raw XML is given. (Perhaps
indicate the error in a comment?)




[Bug 19528] XSLT parameter to API queries

2009-07-11 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=19528





--- Comment #5 from Tisza Gergő   2009-07-11 09:13:40 UTC ---
(In reply to comment #4)
> And what if someone points to a malicious XSLT? E.g.
> api.php?action=query&xslt=http://malicious.site/steal-cookies.xslt

As I said in the summary, XSLT files should be restricted to the MediaWiki
namespace: for example, api.php?action=query&xslt=foo could be translated to
<?xml-stylesheet href="http://wiki.domain/wiki/MediaWiki:XSLT-foo.xsl"
type="text/xsl" ?>. Anyone with malicious intent and write access to the MW
namespace can already pull far worse tricks.

> Also, this is an API. *Application* programming interface. It's not intended to
> format a user-readable output. I suggest WONTFIX.

And it would not format a user-readable output; it would format the exact same
output with an XSLT header added. One could argue that the application is the
browser in this case, were not arguments about the semantics of the A in API
utterly pointless. Are there any actual drawbacks in allowing administrators to
create user-readable formats of queries (with links to the relevant tools etc.)
in a template-like format instead of a procedural language (JavaScript) which
is much less convenient for this task?



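The restriction argued for in comments #3 and #5, with the warning suggested in comment #7, as an added example that is not part of the thread and not MediaWiki's code. It is a stand-alone PHP sketch: the function name, the `$pageExists` callback, the conservative title pattern and the `http://wiki.domain` base are assumptions, and the parameter carries its namespace as comment #9 asks.

```php
<?php
declare(strict_types=1);

// Added example: a stand-alone sketch, not MediaWiki's code.
// $wikiBase, $pageExists and the title pattern are assumptions.

/**
 * Turn the value of xslt= into an xml-stylesheet processing
 * instruction, or into a warning when the value is not acceptable.
 *
 * @return array{pi: ?string, warning: ?string}
 */
function stylesheetPi(string $param, string $wikiBase, callable $pageExists): array
{
    // Allowlist: namespace prefix, a conservative title, .xsl suffix.
    // URLs, other namespaces and path segments never match.
    if (!preg_match('/\AMediaWiki:[A-Za-z0-9][A-Za-z0-9_.-]*\.xsl\z/', $param)) {
        return ['pi' => null,
                'warning' => 'Stylesheet must be a MediaWiki:*.xsl page'];
    }
    // Unknown page: warn and let the caller send the raw XML unchanged.
    if (!$pageExists($param)) {
        return ['pi' => null, 'warning' => 'Stylesheet page does not exist'];
    }
    // The href is built from the fixed site base, never from the request.
    $href = rtrim($wikiBase, '/') . '/wiki/' . $param;
    $pi = '<?xml-stylesheet href="' . htmlspecialchars($href, ENT_QUOTES)
        . '" type="text/xsl" ?>';
    return ['pi' => $pi, 'warning' => null];
}

// Constructed inputs: one accepted title, then values that must be refused.
$known = ['MediaWiki:XSLT-foo.xsl' => true];
$exists = fn(string $t): bool => isset($known[$t]);
$samples = [
    'MediaWiki:XSLT-foo.xsl',
    'http://malicious.site/steal-cookies.xslt',
    'User:Foo/skin.xsl',
    'MediaWiki:missing.xsl',
];
foreach ($samples as $s) {
    $r = stylesheetPi($s, 'http://wiki.domain', $exists);
    echo str_pad($s, 45), ' => ', $r['pi'] ?? ('warning: ' . $r['warning']), "\n";
}
```

Only the first sample yields a processing instruction; the other three return a warning and no stylesheet reference, so the response stays plain XML.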

[Bug 19528] XSLT parameter to API queries

2009-07-10 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=19528





--- Comment #4 from Victor Vasiliev   2009-07-11 06:18:18 
UTC ---
(In reply to comment #2)
> The processing will still be done client-side: The bug opener refers to the
>  which could
> optionally be added to the top of the XML document in order to have a direct
> transformation when viewed in the web browser.
> 

And what if someone points to a malicious XSLT? E.g.
api.php?action=query&xslt=http://malicious.site/steal-cookies.xslt

Also, this is an API. *Application* programming interface. It's not intended to
format a user-readable output. I suggest WONTFIX.




[Bug 19528] XSLT parameter to API queries

2009-07-10 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=19528





--- Comment #3 from Tisza Gergő   2009-07-10 23:57:17 UTC ---
And it does not introduce any new XSS vulnerabilities if the XSLT file must
come from the MediaWiki namespace; those who can write it can make XSS attacks
much easier through the site-wide JS files.




[Bug 19528] XSLT parameter to API queries

2009-07-10 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=19528


Bryan Tong Minh  changed:

   What|Removed |Added

 Status|RESOLVED|REOPENED
 Resolution|WONTFIX |




--- Comment #2 from Bryan Tong Minh   2009-07-10 
14:34:10 UTC ---
(In reply to comment #1)
> Processing of the XML output should be done client-side, not server-side, and
> certainly not in a way that introduces XSS vulnerabilities. Closing as WONTFIX.
> 
The processing will still be done client-side: The bug opener refers to the
 which could
optionally be added to the top of the XML document in order to have a direct
transformation when viewed in the web browser.




[Bug 19528] XSLT parameter to API queries

2009-07-06 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=19528


Roan Kattouw  changed:

   What|Removed |Added

 CC||roan.katt...@gmail.com
 Status|NEW |RESOLVED
 Resolution||WONTFIX




--- Comment #1 from Roan Kattouw   2009-07-06 21:51:34 
UTC ---
Processing of the XML output should be done client-side, not server-side, and
certainly not in a way that introduces XSS vulnerabilities. Closing as WONTFIX.

