https://bugzilla.wikimedia.org/show_bug.cgi?id=40124
--- Comment #7 from Bartosz Dziewoński <[email protected]> 2012-12-01 18:13:13 UTC ---

I talked to Chris Steipp on IRC. Summary of our discussion (posted with permission):

Bartosz Dziewoński: Your action=options API security/validation patch, I98df55f2, also removed the ability to set arbitrary options - is this just collateral damage from fixing the security bug, or should this be considered binding?

Chris Steipp: I think that's something that needs to be determined by the dev community. We needed to fix setting arbitrary content, but if arbitrary options that don't cause an XSS are wanted, then we can allow those.

Bartosz Dziewoński: I already managed to write a gadget on pl.wikipedia that used this to manage settings of other gadgets, as a fallback to cookies - https://pl.wikipedia.org/wiki/MediaWiki:Gadget-gConfig.js (it also has a .css file).

Chris Steipp: Cool. So if your option names and values are alphanumeric, then it shouldn't be a problem to support them. If they're failing, then that should be a bug we fix. The issue comes in if you want users to set HTML into the values, which it looks like might be the case? The string values look like they would accept HTML in your gadget (from my quick readthrough).

Bartosz Dziewoński: Yes, they accept anything, but, well, to me it's obvious that you should escape any values before using them. Currently only two gadgets use this manager: one doesn't use the string options at all, only boolean ones; the other uses a string option, but places the value into document.title, so, in this case, HTML-escaping the value could actually break the display, unless the gadget unescapes it again.

The gadgets are:
* gadget A, used to fix disambiguation links, uses boolean options only: https://pl.wikipedia.org/wiki/MediaWiki:Gadget-disFixer.js
* gadget B, hides the orange new message bar and turns it into a small icon used instead of the "My talk" link, has an option to add a user-defined string to the beginning of document.title: https://pl.wikipedia.org/wiki/MediaWiki:Gadget-GolabPocztowy.js

(The code for those two gadgets is not pretty, but the first one I wrote back in 2009 when I was young and stupid, and it has received little cleanup since then ("if it ain't broke, don't fix it"), and the other was written primarily by a non-coder. They both work perfectly well, though, and are used by many wikipedians.)

Chris Steipp: Unfortunately, not everyone thought it was obvious :) Basically, if everyone in the community agrees these strings can contain HTML, and everyone needs to escape them before using, then everyone can work under that assumption. If not, then we'll probably need to work out how to escape them when they're stored, and then when you want to store HTML, we'll have to escape / unescape it.

Bartosz Dziewoński: We don't know in what format they are going to be output, so how can we escape them? With URL-encoding, SQL-escaping, HTML-escaping? Or, well, CSS-escaping, in this case? You might be right, though, that it might make sense.
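The two approaches the discussion above weighs (escape when the option is stored vs. store the raw string and escape at each output sink) side by side, as an added example that is not code from the bug report or from the pl.wikipedia gadgets. It assumes an option value is a plain string and models document.title as a plain-text string so it runs outside a browser.

```javascript
// Added example: store-time escaping vs. output-time escaping of a free-form
// gadget option value. The sink names ('title', 'textContent', 'html') are
// this example's own labels, not MediaWiki API terms.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

function unescapeHtml(s) {
  const reverse = Object.fromEntries(Object.entries(HTML_ESCAPES).map(([k, v]) => [v, k]));
  return String(s).replace(/&(amp|lt|gt|quot|#39);/g, (entity) => reverse[entity]);
}

// Option names: the discussion notes alphanumeric names are unproblematic, so
// a gadget can reject anything else before calling the API (assumed charset).
const OPTION_NAME_RE = /^[A-Za-z0-9_-]+$/;
function isSafeOptionName(name) {
  return OPTION_NAME_RE.test(name);
}

// Approach 1: HTML-escape at store time. Every consumer writing to a non-HTML
// sink (document.title, a text node) must unescape, or entities show literally.
function storeEscaped(raw) {
  return escapeHtml(raw);
}
function titleFromStoreEscaped(stored, consumerUnescapes) {
  return consumerUnescapes ? unescapeHtml(stored) : stored;
}

// Approach 2 (Bartosz's position): store the raw string and let each consumer
// escape for the context it actually outputs into.
function storeRaw(raw) {
  return raw;
}
function renderForSink(stored, sink) {
  switch (sink) {
    case 'title': return stored;             // document.title takes plain text
    case 'textContent': return stored;       // a DOM text node is never parsed as markup
    case 'html': return escapeHtml(stored);  // only when concatenated into markup
    default: throw new Error('unknown sink: ' + sink);
  }
}
```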
