Web browser: ---
            Bug ID: 61268
           Summary: Abuse of Cite extension allows cross-invoke
           Product: MediaWiki extensions
           Version: master
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: Unprioritized
         Component: Scribunto
    Classification: Unclassified
   Mobile Platform: ---

Jackmcbarn discovered that abuse of the Cite extension in combination with
mw.text.unstrip can allow for cross-invoke communication. The general idea is
that data can be set by processing a <ref> tag with an otherwise-unused group,
and then retrieved later by processing <references> for that group and parsing
the HTML.

Possible fixes:

1. Remove mw.text.unstrip. Disadvantage: This is something that was requested
relatively frequently by the community to deal with <nowiki> tags, and removing
it would likely break various modules and cause many complaints.

2. Create a blacklist or whitelist of strip tags for mw.text.unstrip, and use
it to disallow "references". Disadvantage: It's a blacklist/whitelist, that has
to be maintained somehow.

3. Adjust Cite to not include the HTML in the references strip tag, instead put
some token that gets replaced in the ParserAfterParse hook. Disadvantage:
Requires Cite to do something unusual because of Scribunto.

4. Rewrite Cite entirely like Gabriel Wicke wants (see comments on Gerrit
change 99792), so it basically reparses the whole page in one of the post-parse
hooks to handle <ref> and <references>. Disadvantage: It adds an extra pass to
the parser (if not a whole extra parser bolted on), and probably won't interact
well with other extensions.

Of these, #3 seems the least bad to me. But maybe someone else has a better

You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
Wikibugs-l mailing list

Reply via email to