Lucas_Werkmeister_WMDE created this task.
Lucas_Werkmeister_WMDE added a project: ArticlePlaceholder.
Herald added a subscriber: Aklapper.
Herald added a project: Wikidata.

TASK DESCRIPTION

The art group “!Mediengruppe Bitnik” published a book with the lovely title “<script>!Mediengruppe Bitnik</script>”, which hilariously demonstrates an XSS vulnerability in a whole slew of book shop homepages and related websites (see their Twitter feed for some examples) – including, as the book has a Wikidata item (Q43981055), several Wikidata-related tools, e. g. on tools.wmflabs.org (some of them fixed already, some not yet as of this writing).

ArticlePlaceholder is, thankfully, not directly susceptible to XSS, but it does result in a MalformedTitleException (example). It probably shouldn’t – either it should display the actual title, or, if that’s too difficult due to MediaWiki limitations (Wikibase manages it, but afaik it does this by completely overriding the MediaWiki-provided title element, so that it can insert the entity ID), use some replacement for the forbidden characters.

This was discovered by @Sjoerddebruin.


TASK DETAIL
https://phabricator.wikimedia.org/T181562

To: Lucas_Werkmeister_WMDE
Cc: Lucas_Werkmeister_WMDE, Sjoerddebruin, Aklapper, Lahi, Gq86, GoranSMilovanovic, QZanden, cmadeo, Wikidata-bugs, aude, jayvdb, Ricordisamoa, Mbch331