https://bugzilla.wikimedia.org/show_bug.cgi?id=34714

       Web browser: ---
             Bug #: 34714
           Summary: Templates used in edit summaries are expanded in
                    e-mail notifications
           Product: MediaWiki
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: Unprioritized
         Component: Email
        AssignedTo: wikibugs-l@lists.wikimedia.org
        ReportedBy: b...@mzmcbride.com
    Classification: Unclassified
   Mobile Platform: ---


If a user causes an e-mail notification (by editing another user's talk page,
for example) and the edit summary used contains a template ("{{foo}}", for
example), the template will be expanded in the notification e-mail.

A snippet from a recent e-mail notification from the English Wikipedia where
the edit summary originally contained "{{User page}} (get rid of it if you
want). Consider it to be a suggestion.":

---
The Wikipedia page "User talk:MZMcBride" has been changed on
25 February 2012 by 7&6=thirteen, with the edit summary: <table
class="plainlinks ombox  
ombox-notice " style="margin-left: 0; margin-right: 0; border:1px solid
#ffc9c9; background-color: #fffff3;">
<tr>
<td class="mbox-empty-cell"></td>
<td class="mbox-text" style="font-size: 85%; text-align: center">
---

I played around with
https://test.wikipedia.org/wiki/Template:ENotif_expansion_test to see if you
could fool an e-mail client into using the wrong subject line. It seems my
e-mail client (Microsoft Entourage) is smart enough to not be fooled, at least.

Between the unsanitized HTML and the ability to insert header lookalikes, this
feels very dirty. I haven't yet been able to exploit this template expansion
with my e-mail client, but I'm not so sure I trust other e-mail clients (cf.
bug 25231) to behave reasonably.

There's no real point in the template expansion of the edit summaries, as far
as I can tell. I think it should be removed, though this may upset people if
they've been relying on the behavior as a hack of some kind.

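The behaviour the report asks for, sketched as an added example (not MediaWiki code and not part of the original report): the summary goes into a text/plain notification as typed, on one line, and a small audit shows what an expanded summary would carry into the body. The function names, the header-name list and all sample strings are assumptions constructed for illustration.

```python
import re

# Control characters, including CR and LF, which let a summary start new lines.
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]+")
TAG_RE = re.compile(r"</?[A-Za-z][^>]*>")
# Header names checked here are an illustrative choice, not a complete list.
HEADER_RE = re.compile(r"^(subject|from|to|cc|bcc|reply-to|content-type):", re.I)


def summary_for_mail(raw_summary, max_len=255):
    """Return the summary as typed, on one line, for a text/plain body.

    Templates are not expanded: "{{foo}}" stays the literal text "{{foo}}".
    """
    one_line = CONTROL_RE.sub(" ", raw_summary)  # no line can start inside it
    one_line = TAG_RE.sub("", one_line)          # no markup reaches the client
    return re.sub(r" {2,}", " ", one_line).strip()[:max_len]


def audit_summary(rendered):
    """List the problems a rendered summary would carry into a mail body."""
    findings = []
    if TAG_RE.search(rendered):
        findings.append("html-markup")
    lines = rendered.splitlines()
    if len(lines) > 1:
        findings.append("multi-line")
    # Only later lines can begin at column 0 of the body and mimic a header.
    if any(HEADER_RE.match(line.strip()) for line in lines[1:]):
        findings.append("header-lookalike")
    return findings


# Constructed samples: the raw summary quoted in the report, a shortened
# version of the expanded markup, and a made-up header-lookalike expansion.
RAW = "{{User page}} (get rid of it if you want). Consider it to be a suggestion."
EXPANDED_HTML = '<table class="plainlinks ombox">\n<tr>\n<td class="mbox-text">'
EXPANDED_HEADER = "x\nSubject: something else"

if __name__ == "__main__":
    for sample in (RAW, EXPANDED_HTML, EXPANDED_HEADER):
        print(audit_summary(sample), repr(summary_for_mail(sample)))
```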