[Bug 69893] New: MMV: Page is completely blacked out when accessing an invalid file name

[bugzilla-daemon]

https://bugzilla.wikimedia.org/show_bug.cgi?id=69893

            Bug ID: 69893
           Summary: MMV: Page is completely blacked out when accessing an
                    invalid file name
           Product: MediaWiki extensions
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: major
          Priority: Unprioritized
         Component: MultimediaViewer
          Assignee: wikibugs-l@lists.wikimedia.org
          Reporter: krinklem...@gmail.com
                CC: aarcos.w...@gmail.com, fflo...@wikimedia.org,
                    gti...@wikimedia.org, mtrac...@member.fsf.org
       Web browser: ---
   Mobile Platform: ---

Urls like,

 https://en.wikipedia.org/wiki/Mike_Godwin#mediaviewer/File:T<ess.pdf

Result in a completely black page with discoverable way to get out and no
commmunication as to what happened.

The console shows:

Uncaught Error: Unable to parse title VM299:35
 Title VM299:35
 RP.parseHash
 RP.parseLocation VM320:90
 MMVP.hash VM320:103
 deferred
 MMVB.isCSSReady

Presumably there is an instance of `new mw.Title` where it should use
mw.Title.newFromText with a condition check to verify the title was not
invalid. It is user input after all, and even if it would try to match the DOM
element first, the DOM can also contain arbitrary elements that are made to
look like mediawiki image frames, and in addition, title validation rules can
change over time, and in addition, the js class is only an approximation to the
sever-side variant. There's always a risk of it being looser or stricter, so
always validate titles (unless maybe they come from the API or an mw.config
value directly).

The page being completely black is more common actually, since it's the
standard thing that happens if there's an uncaught exception anywhere. Looks
like maybe the UI and logic aren't separated properly that it causes the UI to
get stuck half-way when it's doing what looks like simple logic. It should
probably set up more of the UI at once (e.g. don't put up a black dimmer
without also, in the same atomic dom change, provide a way to get out of it).

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
_______________________________________________
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l