Difference between revisions of "MediaWiki"

From Nick Jenkins
m (last two not currently available.)
m (Reverted edits by SaraLee (talk) to last revision by Nickj)
 
(118 intermediate revisions by 54 users not shown)
Line 1: Line 1:
Various MediaWiki 1.6.1 parser tests, that fail HTML validation. These were all found by [http://www.cs.wisc.edu/~bart/fuzz/fuzz.html fuzz testing] of MediaWiki, using a modified PHP port of [http://www.securiteam.com/tools/6Z00N1PBFK.html the Python port] of [http://www.securityfocus.com/archive/1/378632/2004-10-15/2004-10-21/0 mangleme]. The [http://files.nickj.org/MediaWiki/wiki-mangleme.phps source code is available], although the [http://svn.wikimedia.org/viewvc/mediawiki/trunk/phase3/maintenance/wiki-mangleme.php version now in the MediaWiki trunk] is probably more current.
+
Hello visitor! If you found this page, then you probably wanted something else. Here are links to what you're probably looking for:
 +
* Do you want information about a specific MediaWiki extension? Try [http://www.mediawiki.org/wiki/Extension_Matrix the table here] or [http://www.mediawiki.org/w/index.php?title=Category:All_extensions the multi-page list here], to help find the homepage for that extension.
 +
* Do you want information about MediaWiki itself? Try [http://www.mediawiki.org/ the website] for documentation, the [http://www.mediawiki.org/wiki/MediaWiki_on_IRC IRC channel] for quick questions, [http://www.mediawiki.org/wiki/Mailing_lists a mailing list] for more detailed questions, or the [http://en.wikipedia.org/wiki/MediaWiki MediaWiki Wikipedia article] for a timeline of past releases.
 +
* Do you want to hire MediaWiki developers or consultants? See [http://wikihr.net/MediaWiki the WikiHR site].
  
* [[:MediaZilla:5066|MediaWiki bug report]].
+
Now back to your regularly scheduled programming....
 +
------
  
 +
Various MediaWiki 1.7.1 and extension parser tests, that fail HTML validation <s>and/or have potential security issues</s>. There is a [[:MediaZilla:5066|MediaWiki bug report]] covering this. Some were found by hand, but most of these were found by [http://www.cs.wisc.edu/~bart/fuzz/fuzz.html fuzz testing] of MediaWiki, using a modified PHP port of [http://www.securiteam.com/tools/6Z00N1PBFK.html the Python port] of [http://www.securityfocus.com/archive/1/378632/2004-10-15/2004-10-21/0 mangleme]. The [http://files.nickj.org/MediaWiki/wiki-mangleme.phps original source code is available], although the [http://svn.wikimedia.org/viewvc/mediawiki/trunk/phase3/maintenance/fuzz-tester.php version now in the MediaWiki trunk] is much more current. Lastly, all the MediaWiki tests listed below are released into the public domain, and as such you're welcome to incorporate them into any software you like, under any license you like.
  
 +
== Security items ==
  
 +
<b>None that I am currently aware of.</b>
 +
<!--
 
{| border="1"
 
{| border="1"
 
! Test
 
! Test
Line 11: Line 19:
 
! Tidy HTML
 
! Tidy HTML
 
! [[#Definition of Security Aspects|Security<br>aspects?]]
 
! [[#Definition of Security Aspects|Security<br>aspects?]]
 +
! Fixed in
 +
! Visible<br>Artefacts?
 +
! Notes and any extra info.
 +
|}
 +
-->
 +
 +
== HTML Validation or PHP errors or SQL errors ==
 +
 +
Things that cause one or more of the following:
 +
* Visual artefacts
 +
* PHP errors
 +
* SQL errors
 +
* Tidy errors (not just warnings)
 +
... have been marked with grey to indicate that they may be of higher impact than the other items:
 +
 +
{| border="1"
 +
! Test
 +
! Wiki Source
 +
! Validate HTML
 +
! Tidy HTML
 +
! [[#Definition of Security Aspects|Security<br>aspects?]]
 +
! Fixed in
 
! Visible<br>Artefacts?
 
! Visible<br>Artefacts?
 
! Notes and any extra info.
 
! Notes and any extra info.
Line 19: Line 49:
 
| {{tidy-html|page=MediaWiki/Parser1}}
 
| {{tidy-html|page=MediaWiki/Parser1}}
 
| No
 
| No
| Yes
+
|
 +
| bgcolor=grey | Yes
 
| Stikes out almost all text. [http://mail.wikipedia.org/pipermail/wikitech-l/2006-February/034012.html Explanation for this + Parser1-hidden + Parser2 + Parser3 + Parser4 + Parser5].
 
| Stikes out almost all text. [http://mail.wikipedia.org/pipermail/wikitech-l/2006-February/034012.html Explanation for this + Parser1-hidden + Parser2 + Parser3 + Parser4 + Parser5].
 
|-
 
|-
Line 27: Line 58:
 
| {{tidy-html|page=MediaWiki/Parser1-hidden}}
 
| {{tidy-html|page=MediaWiki/Parser1-hidden}}
 
| No
 
| No
| Yes
+
|
 +
| bgcolor=grey | Yes
 
| Hides almost all text, which also makes all page links unavailable.
 
| Hides almost all text, which also makes all page links unavailable.
|-
 
| [[MediaWiki/Parser2]]
 
| [[Special:Export/MediaWiki/Parser2|Export Wiki Source]]
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser2 W3C Validator]
 
| {{tidy-html|page=MediaWiki/Parser2}}
 
| No
 
| No
 
 
|-
 
|-
 
| [[MediaWiki/Parser3]]
 
| [[MediaWiki/Parser3]]
Line 42: Line 67:
 
| {{tidy-html|page=MediaWiki/Parser3}}
 
| {{tidy-html|page=MediaWiki/Parser3}}
 
| No
 
| No
 +
|
 
| No
 
| No
 
|-
 
|-
Line 49: Line 75:
 
| {{tidy-html|page=MediaWiki/Parser4}}
 
| {{tidy-html|page=MediaWiki/Parser4}}
 
| No
 
| No
 +
|
 
| No
 
| No
 
|-
 
|-
Line 56: Line 83:
 
| {{tidy-html|page=MediaWiki/Parser5}}
 
| {{tidy-html|page=MediaWiki/Parser5}}
 
| No
 
| No
| Yes
+
|
 +
| bgcolor=grey | Yes
 
| Shrinks font, moves the top page action links up about 5 pixels and left about 10 pixels.
 
| Shrinks font, moves the top page action links up about 5 pixels and left about 10 pixels.
 
|-
 
|-
Line 64: Line 92:
 
| {{tidy-html|page=MediaWiki/Parser6}}
 
| {{tidy-html|page=MediaWiki/Parser6}}
 
| No
 
| No
| Yes
+
|
 +
| bgcolor=grey | Yes
 
| Shrinks font, moves the left navigation bar down about 160 pixels, strikes out almost all text.
 
| Shrinks font, moves the left navigation bar down about 160 pixels, strikes out almost all text.
|-
 
| <s>[[MediaWiki/Parser7]]</s>
 
| <s>[[Special:Export/MediaWiki/Parser7|Export Wiki Source]]</s>
 
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser7 W3C Validator]</s>
 
| <s>{{tidy-html|page=MediaWiki/Parser7}}</s>
 
| No
 
| No.
 
| Completely fixed in 1.6.1 - valid HTML, no artefacts, no tidy errors.
 
 
|-
 
|-
 
| [[MediaWiki/Parser8]]
 
| [[MediaWiki/Parser8]]
Line 80: Line 101:
 
| {{tidy-html|page=MediaWiki/Parser8}}
 
| {{tidy-html|page=MediaWiki/Parser8}}
 
| No
 
| No
 +
|
 
| No
 
| No
 
|-
 
|-
Line 87: Line 109:
 
| {{tidy-html|page=MediaWiki/Parser9}}
 
| {{tidy-html|page=MediaWiki/Parser9}}
 
| No
 
| No
 +
|
 
| No
 
| No
 
|-
 
|-
Line 94: Line 117:
 
| {{tidy-html|page=MediaWiki/Parser10}}
 
| {{tidy-html|page=MediaWiki/Parser10}}
 
| No
 
| No
 +
|
 
| No
 
| No
 
|-
 
|-
Line 101: Line 125:
 
| {{tidy-html|page=MediaWiki/Parser11}}
 
| {{tidy-html|page=MediaWiki/Parser11}}
 
| <s>Yes</s> No.
 
| <s>Yes</s> No.
 +
|
 
| No.
 
| No.
| [http://mail.wikipedia.org/pipermail/wikitech-l/2006-March/034614.html Explanation]. Security aspects [http://svn.wikimedia.org/viewvc/mediawiki?view=rev&sortby=date&revision=13424 now fixed in 1.6], although still fails W3C Validation.
+
| [http://mail.wikipedia.org/pipermail/wikitech-l/2006-March/034614.html Explanation]. Security aspects [http://svn.wikimedia.org/viewvc/mediawiki?view=rev&sortby=date&revision=13424 fixed in 1.6.1], although still fails W3C Validation.
 
|-
 
|-
 
| [[MediaWiki/Parser12]]
 
| [[MediaWiki/Parser12]]
Line 109: Line 134:
 
| {{tidy-html|page=MediaWiki/Parser12}}
 
| {{tidy-html|page=MediaWiki/Parser12}}
 
| <s>Yes</s> No.
 
| <s>Yes</s> No.
 +
|
 
| No.
 
| No.
| [http://mail.wikipedia.org/pipermail/wikitech-l/2006-April/034637.html Explanation]. Security aspects [http://svn.wikimedia.org/viewvc/mediawiki?view=rev&sortby=date&revision=13441 now fixed in 1.6], although still fails W3C Validation.
+
| [http://mail.wikipedia.org/pipermail/wikitech-l/2006-April/034637.html Explanation]. Security aspects [http://svn.wikimedia.org/viewvc/mediawiki?view=rev&sortby=date&revision=13441 fixed in 1.6.1], although still fails W3C Validation.
|-
+
| [[MediaWiki/Parser13]]
+
| [[Special:Export/MediaWiki/Parser13|Export Wiki Source]]
+
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser13 W3C Validator]
+
| {{tidy-html|page=MediaWiki/Parser13}}
+
| bgcolor=yellow | Yes.
+
| No.
+
| Drops the '<a href="xxx' string. [http://mail.wikipedia.org/pipermail/wikitech-l/2006-April/034659.html Explanation for this + Parser14 + Parser14-table].
+
|-
+
| [[MediaWiki/Parser14]]
+
| [[Special:Export/MediaWiki/Parser14|Export Wiki Source]]
+
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser14 W3C Validator]
+
| {{tidy-html|page=MediaWiki/Parser14}}
+
| bgcolor=yellow | Yes.
+
| Yes.
+
| TOC insertion
+
|-
+
| [[MediaWiki/Parser14-table]]
+
| [[Special:Export/MediaWiki/Parser14-table|Export Wiki Source]]
+
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser14-table W3C Validator]
+
| {{tidy-html|page=MediaWiki/Parser14-table}}
+
| bgcolor=yellow | Yes.
+
| Yes.
+
| TOC insertion
+
 
|-
 
|-
 
| [[MediaWiki/Parser15]]
 
| [[MediaWiki/Parser15]]
Line 141: Line 143:
 
| {{tidy-html|page=MediaWiki/Parser15}}
 
| {{tidy-html|page=MediaWiki/Parser15}}
 
| No
 
| No
 +
|
 
| No.
 
| No.
 
| <s>Generates Tidy error due to &lt;caption&gt; tags out of order.</s> As of 1.6.1 just fails validation.
 
| <s>Generates Tidy error due to &lt;caption&gt; tags out of order.</s> As of 1.6.1 just fails validation.
Line 148: Line 151:
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser16 W3C Validator]
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser16 W3C Validator]
 
| {{tidy-html|page=MediaWiki/Parser16}}
 
| {{tidy-html|page=MediaWiki/Parser16}}
| bgcolor=yellow | Yes.
+
| <s>Yes</s> No.
 +
|
 
| No.
 
| No.
| <s>Generates Tidy error due to &lt;th&gt; tags out of order.</s> [http://mail.wikipedia.org/pipermail/wikitech-l/2006-April/034770.html As of 1.6.1, now drops the '<a href="xxx' string].
+
| <s>Generates Tidy error due to &lt;th&gt; tags out of order.</s> <s>[http://mail.wikipedia.org/pipermail/wikitech-l/2006-April/034770.html As of 1.6.1, dropped the '<a href="xxx' string.</s>]<br> Security aspects fixed in 1.6.6, although still fails W3C Validation.
 +
|-
 +
| [[MediaWiki/Parser24]]
 +
| [[Special:Export/MediaWiki/Parser24|Export Wiki Source]]
 +
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser24 W3C Validator]
 +
| {{tidy-html|page=MediaWiki/Parser24}}
 +
| <s>Yes</s> No.
 +
|
 +
| No.
 +
| <s>[http://mail.wikipedia.org/pipermail/wikitech-l/2006-May/035811.html Allows User-specified JavaScript Execution].</s> Security aspects fixed in 1.6.6, although still fails W3C Validation.
 +
|-
 +
| [[MediaWiki/Parser25]]
 +
| [[Special:Export/MediaWiki/Parser25|Export Wiki Source]]
 +
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser25 W3C Validator]
 +
| {{tidy-html|page=MediaWiki/Parser25}}
 +
| <s>Yes</s> No.
 +
|
 +
| No.
 +
| <s>[http://mail.wikipedia.org/pipermail/wikitech-l/2006-May/035812.html Allows User-specified JavaScript Execution].</s> [http://mail.wikipedia.org/pipermail/wikitech-l/2006-May/035814.html Security aspects fixed in 1.6.6], although still fails W3C Validation.
 +
|-
 +
| [[MediaWiki/Parser25-variant1]]
 +
| [[Special:Export/MediaWiki/Parser25-variant1|Export Wiki Source]]
 +
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser25-variant1 W3C Validator]
 +
| {{tidy-html|page=MediaWiki/Parser25-variant1}}
 +
| <s>Yes</s> No.
 +
|
 +
| No.
 +
| <s>Allows User-specified JavaScript Execution.</s> Security aspects fixed in 1.6.6, although still fails W3C Validation.
 +
|-
 +
| [[MediaWiki/Parser25-variant2]]
 +
| [[Special:Export/MediaWiki/Parser25-variant2|Export Wiki Source]]
 +
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser25-variant2 W3C Validator]
 +
| {{tidy-html|page=MediaWiki/Parser25-variant2}}
 +
| <s>Yes</s> No.
 +
|
 +
| No.
 +
| <s>Allows User-specified JavaScript Execution.</s> Security aspects fixed in 1.6.6, although still fails W3C Validation.
 +
|-
 +
| [[MediaWiki/Parser26]]
 +
| [[Special:Export/MediaWiki/Parser26|Export Wiki Source]]
 +
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser26 W3C Validator]
 +
| {{tidy-html|page=MediaWiki/Parser26}}
 +
| <s>Yes</s> No.
 +
|
 +
| <s>Yes</s> No.
 +
| Attribute injection in Cite extension fixed in [http://mail.wikipedia.org/pipermail/mediawiki-cvs/2006-May/015380.html r14400],<br />and visual aspects fixed in [http://mail.wikipedia.org/pipermail/mediawiki-cvs/2006-May/015379.html r14399], although still fails W3C Validation.
 +
|-
 +
| [[MediaWiki/Parser33]]
 +
| [[Special:Export/MediaWiki/Parser33|Export Wiki Source]]
 +
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser33 W3C Validator]
 +
| {{tidy-html|page=MediaWiki/Parser33}}
 +
| No.
 +
|
 +
| bgcolor=grey | Yes.
 +
| Numerous Tidy errors (using both the command-line version, and the Firefox plugin, but not with the web version)
 +
|-
 +
| [[MediaWiki/Parser34]]
 +
| [[Special:Export/MediaWiki/Parser34|Export Wiki Source]]
 +
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser34 W3C Validator]
 +
| {{tidy-html|page=MediaWiki/Parser34}}
 +
| No.
 +
|
 +
| bgcolor=grey | Yes.
 +
| Whacky page rendering, indents the nav bar from the left margin and into body text.
 +
|-
 +
| <s>[[MediaWiki/Parser28]]</s>
 +
| <s>[[Special:Export/MediaWiki/Parser28|Export Wiki Source]]</s>
 +
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser28 W3C Validator]</s>
 +
| <s>{{tidy-html|page=MediaWiki/Parser28}}</s>
 +
| <s>Yes</s> No.
 +
| 1.6.7
 +
| No.
 +
| Limited attribute injection using Sort extension + another extension (References in this example).<br />Can no longer reproduce, is certainly fixed in 1.6.7. Still fails W3C validation.
 +
|-
 +
| <s>[[MediaWiki/Parser28-variant1]]</s>
 +
| <s>[[Special:Export/MediaWiki/Parser28-variant1|Export Wiki Source]]</s>
 +
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser28-variant1 W3C Validator]</s>
 +
| <s>{{tidy-html|page=MediaWiki/Parser28-variant1}}</s>
 +
| <s>Yes</s> No.
 +
| 1.6.7
 +
| No.
 +
| <s>Limited attribute injection using Sort extension + another extension (Math in this example).</s> Still fails W3C validation.
 +
|-
 +
| <s>[[MediaWiki/Parser29]]</s>
 +
| <s>[[Special:Export/MediaWiki/Parser29|Export Wiki Source]]</s>
 +
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser29 W3C Validator]</s>
 +
| <s>{{tidy-html|page=MediaWiki/Parser29}}</s>
 +
| No.
 +
| r14475
 +
| No.
 +
| <s>Invalid <left> tag on bad timeline extension input. Fixed in [http://mail.wikipedia.org/pipermail/mediawiki-cvs/2006-May/015455.html r14475].</s> Still fails W3C validation.
 +
|-
 +
| <s>[[MediaWiki/Parser30]]</s>
 +
| <s>[[Special:Export/MediaWiki/Parser30|Export Wiki Source]]</s>
 +
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser30 W3C Validator]</s>
 +
| <s>{{tidy-html|page=MediaWiki/Parser30}}</s>
 +
| No.
 +
| N/A.
 +
| No.
 +
| <s>Bogus - unable to reproduce problem.</s> Still fails W3C validation.
 +
|-
 +
| <s>[[MediaWiki/Parser31]]</s>
 +
| <s>[[Special:Export/MediaWiki/Parser31|Export Wiki Source]]</s>
 +
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser31 W3C Validator]</s>
 +
| <s>{{tidy-html|page=MediaWiki/Parser31}}</s>
 +
| <s>Yes</s> No.
 +
| 1.6.7
 +
| No.
 +
| <s>Limited attribute injection using inputbox extension + another extension.</s> Still fails W3C validation.
 +
|-
 +
| <s>[[MediaWiki/Parser32-variant1]]</s>
 +
| <s>[[Special:Export/MediaWiki/Parser32-variant1|Export Wiki Source]]</s>
 +
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser32-variant1 W3C Validator]</s>
 +
| <s>{{tidy-html|page=MediaWiki/Parser32-variant1}}</s>
 +
| <s>Yes</s> No.
 +
| 1.6.7
 +
| No.
 +
| <s>JavaScript execution using CharInsert + Sort extension.</s> Still fails W3C validation.
 +
|-
 +
| <s>[[MediaWiki/Parser36]]</s>
 +
| <s>[[Special:Export/MediaWiki/Parser36|Export Wiki Source]]</s>
 +
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser36 W3C Validator]</s>
 +
| <s>{{tidy-html|page=MediaWiki/Parser36}}</s>
 +
| <s>Yes</s> No.
 +
| 1.6.7
 +
| No.
 +
| <s>Limited attribute injection using CharInsert extension + InputBox extension.</s> Still fails W3C validation.
 +
|-
 +
| <s>[[MediaWiki/Parser37]]</s>
 +
| <s>[[Special:Export/MediaWiki/Parser37|Export Wiki Source]]</s>
 +
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser37 W3C Validator]</s>
 +
| <s>{{tidy-html|page=MediaWiki/Parser37}}</s>
 +
| <s>Yes</s> No.
 +
| 1.6.7
 +
| No.
 +
| <s>Limited attribute injection using CharInsert extension + InputBox extension + Math extension.</s> Still fails W3C validation.
 +
|-
 +
| <s>[[MediaWiki/Parser39]]</s>
 +
| <s>[[Special:Export/MediaWiki/Parser39|Export Wiki Source]]</s>
 +
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser39 W3C Validator]</s>
 +
| <s>{{tidy-html|page=MediaWiki/Parser39}}</s>
 +
| <s>Yes</s> No.
 +
| 1.6.7
 +
| No.
 +
| <s>Limited attribute injection using CharInsert extension + Cite extension.</s> Still fails validation.
 +
|-
 +
| [[MediaWiki/Parser49]]
 +
| [[Special:Export/MediaWiki/Parser49|Export Wiki Source]]
 +
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser49 W3C Validator]
 +
| {{tidy-html|page=MediaWiki/Parser49}}
 +
| No
 +
|
 +
| bgcolor=grey | Yes
 +
| Shifts content off of the left margin.<br />Causes Tidy errors (in command-line Tidy + the firefox plugin, but not in web version).
 +
|-
 +
| [[MediaWiki/Parser52]]
 +
| [[Special:Export/MediaWiki/Parser52|Export Wiki Source]]
 +
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser52 W3C Validator]
 +
| {{tidy-html|page=MediaWiki/Parser52}}
 +
| No
 +
|
 +
| No.
 +
| HTML validation failing due to '''id''' attribute or '''name''' attribute duplication.
 +
|-
 +
| <s>[[MediaWiki/Parser40]]</s>
 +
| <s>[[Special:Export/MediaWiki/Parser40|Export Wiki Source]]</s>
 +
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser40 W3C Validator]</s>
 +
| <s>{{tidy-html|page=MediaWiki/Parser40}}</s>
 +
| <s>Yes</s> No.
 +
|
 +
| No.
 +
| <s>Limited dl/dd/dt attribute injection.[http://mail.wikipedia.org/pipermail/mediawiki-cvs/2006-June/015521.html Fixed in trunk in r14541] + a later speed-up patch</s>. Still fails HTML validation.
 +
|}
 +
 
 +
== Completely fixed ==
 +
 
 +
Things belong here if they now give valid HTML, don't cause PHP errors/warnings or SQL errors/warnings, and don't cause Tidy warnings.
 +
 
 +
{| border="1"
 +
! Test
 +
! Wiki Source
 +
! Validate HTML
 +
! Tidy HTML
 +
! [[#Definition of Security Aspects|Security<br>aspects?]]
 +
! Fixed in
 +
! Visible<br>Artefacts?
 +
! Notes and any extra info.
 +
|-
 +
| <s>[[MediaWiki/Parser7]]</s>
 +
| <s>[[Special:Export/MediaWiki/Parser7|Export Wiki Source]]</s>
 +
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser7 W3C Validator]</s>
 +
| <s>{{tidy-html|page=MediaWiki/Parser7}}</s>
 +
| No
 +
| 1.6.1
 +
| No.
 +
| Completely fixed in 1.6.1 - valid HTML, no artefacts, no tidy errors.
 +
|-
 +
| <s>[[MediaWiki/Parser13]]</s>
 +
| <s>[[Special:Export/MediaWiki/Parser13|Export Wiki Source]]</s>
 +
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser13 W3C Validator]</s>
 +
| <s>{{tidy-html|page=MediaWiki/Parser13}}</s>
 +
| <s>Yes</s> No.
 +
| 1.6.6
 +
| No.
 +
| <s>sDrops the '<a href="xxx' string. [http://mail.wikipedia.org/pipermail/wikitech-l/2006-April/034659.html Explanation for this + Parser14 + Parser14-table].</s> Completely fixed in 1.6.6.
 +
|-
 +
| <s>[[MediaWiki/Parser14]]</s>
 +
| <s>[[Special:Export/MediaWiki/Parser14|Export Wiki Source]]</s>
 +
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser14 W3C Validator]</s>
 +
| <s>{{tidy-html|page=MediaWiki/Parser14}}</s>
 +
| <s>Yes</s> No.
 +
| 1.6.6
 +
| <s>Yes</s> No.
 +
| <s>TOC insertion</s> Completely fixed in 1.6.6.
 +
|-
 +
| <s>[[MediaWiki/Parser14-table]]</s>
 +
| <s>[[Special:Export/MediaWiki/Parser14-table|Export Wiki Source]]</s>
 +
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser14-table W3C Validator]</s>
 +
| <s>{{tidy-html|page=MediaWiki/Parser14-table}}</s>
 +
| <s>Yes</s> No.
 +
| 1.6.6
 +
| <s>Yes</s> No.
 +
| <s>TOC insertion</s> Completely fixed in 1.6.6.
 
|-
 
|-
 
| <s>[[MediaWiki/Parser17]]</s>
 
| <s>[[MediaWiki/Parser17]]</s>
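Review bot: In the new Parser16 notes cell the closing `</s>` comes before the `]` that ends the external link (`... dropped the '<a href="xxx' string.</s>]`), so the strike-through and the link are mis-nested; move `</s>` to after the `]`. In the Parser13 row added to "Completely fixed", the notes cell begins `<s>sDrops the`, where the extra "s" after the tag looks like a typo. Both cells also carry a raw `<a href="xxx` while the same table escapes `&lt;caption&gt;` and `&lt;th&gt;`; escaping it the same way would be consistent.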
Line 156: Line 382:
 
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser17 W3C Validator]</s>
 
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser17 W3C Validator]</s>
 
| <s>{{tidy-html|page=MediaWiki/Parser17}}</s>
 
| <s>{{tidy-html|page=MediaWiki/Parser17}}</s>
| <s>Yes.</s> No.
+
| <s>Yes</s> No.
 +
| 1.6.1
 
| No.
 
| No.
 
| Completely fixed in 1.6.1 - valid HTML, no artefacts, no tidy errors.
 
| Completely fixed in 1.6.1 - valid HTML, no artefacts, no tidy errors.
Line 164: Line 391:
 
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser18 W3C Validator]</s>
 
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser18 W3C Validator]</s>
 
| <s>{{tidy-html|page=MediaWiki/Parser18}}</s>
 
| <s>{{tidy-html|page=MediaWiki/Parser18}}</s>
| <s>Yes.</s> No.
+
| <s>Yes</s> No.
 +
| 1.6.1
 
| No.
 
| No.
 
| Completely fixed in 1.6.1 - valid HTML, no artefacts, no tidy errors.
 
| Completely fixed in 1.6.1 - valid HTML, no artefacts, no tidy errors.
Line 172: Line 400:
 
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser19 W3C Validator]</s>
 
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser19 W3C Validator]</s>
 
| <s>{{tidy-html|page=MediaWiki/Parser19}}</s>
 
| <s>{{tidy-html|page=MediaWiki/Parser19}}</s>
| <s>Yes.</s> No.
+
| <s>Yes</s> No.
 +
| 1.6.1
 
| No.
 
| No.
 
| Completely fixed in 1.6.1 - valid HTML, no artefacts, no tidy errors.
 
| Completely fixed in 1.6.1 - valid HTML, no artefacts, no tidy errors.
 
|-
 
|-
| [[MediaWiki/Parser20]]
+
| <s>[[MediaWiki/Parser21]]</s>
| [[Special:Export/MediaWiki/Parser20|Export Wiki Source]]
+
| <s>[[Special:Export/MediaWiki/Parser21|Export Wiki Source]]</s>
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser20 W3C Validator]
+
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser21 W3C Validator]</s>
| {{tidy-html|page=MediaWiki/Parser20}}
+
| <s>{{tidy-html|page=MediaWiki/Parser21}}</s>
| No
+
| <s>Yes</s> No.
 +
| 1.6.6
 
| No.
 
| No.
| Nowiki allows malformed URI (e.g. generates multi-line hrefs). Passes W3C validation, but tidy gives warnings, and the<br>links don't act like normal links (in Firefox, at least) - clicking on them does nothing.
+
| Completely fixed in 1.6.6 - valid HTML, no artefacts, no tidy errors.
 
|-
 
|-
| [[MediaWiki/Parser21]]
+
| <s>[[MediaWiki/Parser22]]</s>
| [[Special:Export/MediaWiki/Parser21|Export Wiki Source]]
+
| <s>[[Special:Export/MediaWiki/Parser22|Export Wiki Source]]</s>
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser21 W3C Validator]
+
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser22 W3C Validator]</s>
| {{tidy-html|page=MediaWiki/Parser21}}
+
| <s>{{tidy-html|page=MediaWiki/Parser22}}</s>
| bgcolor=yellow | Yes.
+
| <s>Yes</s> No.
 +
| 1.6.6
 
| No.
 
| No.
|  
+
| <s>Double links injection.</s> Completely fixed in 1.6.6 - valid HTML, no artefacts, no tidy errors.
 
|-
 
|-
| [[MediaWiki/Parser22]]
+
| <s>[[MediaWiki/Parser27]]</s>
| [[Special:Export/MediaWiki/Parser22|Export Wiki Source]]
+
| <s>[[Special:Export/MediaWiki/Parser27|Export Wiki Source]]</s>
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser22 W3C Validator]
+
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser27 W3C Validator]</s>
| {{tidy-html|page=MediaWiki/Parser22}}
+
| <s>{{tidy-html|page=MediaWiki/Parser27}}</s>
| bgcolor=yellow |Yes.
+
 
| No.
 
| No.
| Double links injection.
+
| r14480
 +
| No.
 +
| PHP warning in Sort extension, fixed in [http://mail.wikipedia.org/pipermail/mediawiki-cvs/2006-May/015460.html r14480].
 
|-
 
|-
| [[MediaWiki/Parser23]]
+
| <s>[[MediaWiki/Parser32]]</s>
| [[Special:Export/MediaWiki/Parser23|Export Wiki Source]]
+
| <s>[[Special:Export/MediaWiki/Parser31|Export Wiki Source]]</s>
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser23 W3C Validator]
+
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser31 W3C Validator]</s>
| {{tidy-html|page=MediaWiki/Parser23}}
+
| <s>{{tidy-html|page=MediaWiki/Parser31}}</s>
 +
| <s>Yes</s> No.
 +
| 1.6.7
 
| No.
 
| No.
 +
| [http://mail.wikipedia.org/pipermail/wikitech-l/2006-June/035974.html User-specified JavaScript execution]. Must be running an experimental extension, so most installations are<br />NOT affected. Wiki text not released yet. [http://mail.wikipedia.org/pipermail/mediawiki-cvs/2006-June/015491.html Fixed in trunk by r14511], and fixed in 1.6.7.
 +
|-
 +
| <s>[[MediaWiki/Parser35]]</s>
 +
| <s>[[Special:Export/MediaWiki/Parser35|Export Wiki Source]]</s>
 +
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser35 W3C Validator]</s>
 +
| <s>{{tidy-html|page=MediaWiki/Parser35}}</s>
 +
| <s>Yes</s> No.
 +
| 1.6.7
 +
| No.
 +
| Limited attribute injection using CharInsert extension + Math extension.
 +
|-
 +
| <s>[[MediaWiki/Parser38]]</s>
 +
| <s>[[Special:Export/MediaWiki/Parser38|Export Wiki Source]]</s>
 +
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser38 W3C Validator]</s>
 +
| <s>{{tidy-html|page=MediaWiki/Parser38}}</s>
 +
| <s>Yes</s> No.
 +
| 1.6.7
 +
| No.
 +
| Limited attribute injection using CharInsert extension + Cite extension.
 +
|-
 +
| <s>[[MediaWiki/Parser42]]</s>
 +
| <s>[[Special:Export/MediaWiki/Parser42|Export Wiki Source]]</s>
 +
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser42 W3C Validator]</s>
 +
| <s>{{tidy-html|page=MediaWiki/Parser42}}</s>
 +
| <s>Yes</s> No.
 +
| 1.6.7
 +
| No.
 +
| Section heading abuse for gave Tidy error, strange page rendering, and a limited attribute injection.
 +
|-
 +
| <s>[[MediaWiki/Parser43]]</s>
 +
| <s>[[Special:Export/MediaWiki/Parser43|Export Wiki Source]]</s>
 +
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser43 W3C Validator]</s>
 +
| <s>{{tidy-html|page=MediaWiki/Parser43}}</s>
 +
| <s>Yes</s> No.
 +
| 1.6.7
 +
| No.
 +
| [http://mail.wikipedia.org/pipermail/wikitech-l/2006-June/036085.html XSS Arbitrary JavaScript execution and HTML insertion]. Fixed in 1.6.7 and fixed in [http://mail.wikipedia.org/pipermail/mediawiki-cvs/2006-June/015565.html r14585] for trunk.
 +
|-
 +
| <s>[[MediaWiki/Parser44]]</s>
 +
| <s>[[Special:Export/MediaWiki/Parser44|Export Wiki Source]]</s>
 +
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser44 W3C Validator]</s>
 +
| <s>{{tidy-html|page=MediaWiki/Parser44}}</s>
 +
| No.
 +
| r14733
 +
| No.
 +
| PHP warning in InputBox extension in E_ALL with bad input. [http://mail.wikipedia.org/pipermail/mediawiki-cvs/2006-June/015713.html Fixed in r14733].
 +
|-
 +
| <s>[[MediaWiki/Parser41]]</s>
 +
| <s>[[Special:Export/MediaWiki/Parser41|Export Wiki Source]]</s>
 +
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser41 W3C Validator]</s>
 +
| <s>{{tidy-html|page=MediaWiki/Parser41}}</s>
 +
| <s>Yes</s> No.
 +
| [http://mail.wikipedia.org/pipermail/mediawiki-cvs/2006-June/015524.html r14544]
 +
| No.
 +
| Wikitext of death (causes internal Parser error). Fixed in 1.7, but not in 1.6.
 +
|-
 +
| <s>[[MediaWiki/Parser48]]</s>
 +
| <s>[[Special:Export/MediaWiki/Parser48|Export Wiki Source]]</s>
 +
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser48 W3C Validator]</s>
 +
| <s>{{tidy-html|page=MediaWiki/Parser48}}</s>
 +
| <s>Yes</s> No.
 +
|
 +
| No.
 +
| $wgAllowExternalImages is enabled by default in 1.6 stable, but it is turned off in 1.7 and Trunk by default.<br />This can be abused on a 1.6 wiki to create a page which when viewed will log the user off.
 +
|-
 +
| <s>[[MediaWiki/Parser2]]</s>
 +
| <s>[[Special:Export/MediaWiki/Parser2|Export Wiki Source]]</s>
 +
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser2 W3C Validator]</s>
 +
| <s>{{tidy-html|page=MediaWiki/Parser2}}</s>
 +
| No
 +
|
 +
| No
 +
|-
 +
| <s>[[MediaWiki/Parser20]]</s>
 +
| <s>[[Special:Export/MediaWiki/Parser20|Export Wiki Source]]</s>
 +
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser20 W3C Validator]</s>
 +
| <s>{{tidy-html|page=MediaWiki/Parser20}}</s>
 +
| No
 +
|
 +
| No.
 +
| Nowiki allows malformed URI (e.g. generates multi-line hrefs). Passes W3C validation, but tidy gives warnings, and the<br>links don't act like normal links (in Firefox, at least) - clicking on them does nothing.
 +
|-
 +
| <s>[[MediaWiki/Parser23]]</s>
 +
| <s>[[Special:Export/MediaWiki/Parser23|Export Wiki Source]]</s>
 +
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser23 W3C Validator]</s>
 +
| <s>{{tidy-html|page=MediaWiki/Parser23}}</s>
 +
| No.
 +
|
 
| No.
 
| No.
 
| Pre allows malformed URI. Fails validation (unlike nowiki).
 
| Pre allows malformed URI. Fails validation (unlike nowiki).
 
|-
 
|-
| [[MediaWiki/Parser24]]
+
| <s>[[MediaWiki/Parser45]]</s>
| [[Special:Export/MediaWiki/Parser24|Export Wiki Source]]
+
| <s>[[Special:Export/MediaWiki/Parser45|Export Wiki Source]]</s>
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser24 W3C Validator]
+
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser45 W3C Validator]</s>
| {{tidy-html|page=MediaWiki/Parser24}}
+
| <s>{{tidy-html|page=MediaWiki/Parser45}}</s>
| bgcolor=red | Yes.
+
 
| No.
 
| No.
| [http://mail.wikipedia.org/pipermail/wikitech-l/2006-May/035811.html Allows User-specified JavaScript Execution]. Currently unavailable, will be restored in a few days.
+
| [http://mail.wikipedia.org/pipermail/mediawiki-cvs/2006-June/015710.html r14730]
 +
| <s>Yes</s> No.
 +
| PHP notices on the page history with bad input + E_ALL.
 
|-
 
|-
| [[MediaWiki/Parser25]]
+
| <s>[[MediaWiki/Parser46]]</s>
| [[Special:Export/MediaWiki/Parser25|Export Wiki Source]]
+
| <s>[[Special:Export/MediaWiki/Parser46|Export Wiki Source]]</s>
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser25 W3C Validator]
+
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser46 W3C Validator]</s>
| {{tidy-html|page=MediaWiki/Parser25}}
+
| <s>{{tidy-html|page=MediaWiki/Parser46}}</s>
| bgcolor=red | Yes.
+
 
| No.
 
| No.
| [http://mail.wikipedia.org/pipermail/wikitech-l/2006-May/035812.html Allows User-specified JavaScript Execution]. [http://mail.wikipedia.org/pipermail/wikitech-l/2006-May/035814.html Now fixed in trunk]. Currently unavailable, will be restored in a few days.
+
|
 +
| <s>Yes</s> No.
 +
| Bad input on Page History that causes SQL error.
 +
|-
 +
| <s>[[MediaWiki/Parser50]]</s>
 +
| <s>[[Special:Export/MediaWiki/Parser50|Export Wiki Source]]</s>
 +
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser50 W3C Validator]</s>
 +
| <s>{{tidy-html|page=MediaWiki/Parser50}}</s>
 +
| No
 +
|
 +
| <s>Yes</s> No.
 +
| Gives PHP fatal error on bad input on Special:Userlogin
 +
|-
 +
| <s>[[MediaWiki/Parser47]]</s>
 +
| <s>[[Special:Export/MediaWiki/Parser47|Export Wiki Source]]</s>
 +
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser47 W3C Validator]</s>
 +
| <s>{{tidy-html|page=MediaWiki/Parser47}}</s>
 +
| No.
 +
|
 +
| <s>Yes</s> No.
 +
| Two PHP notices on Special:Contributions with bad input + E_ALL.
 +
|}
 +
 
 +
==Logged in bugzilla==
 +
 
 +
Lately most new things have [http://bugzilla.wikimedia.org/buglist.cgi?query_format=advanced&emailreporter1=1&emailtype1=substring&email1=nickj%40neverbox.com been logged in bugzilla], which makes them easier to track.
 +
 
 +
There is a small amount of overlap between this page and bugzilla, namely for the following bugs:
 +
 
 +
{| border="1"
 +
! Test
 +
! Wiki Source
 +
! Validate HTML
 +
! Tidy HTML
 +
! [[#Definition of Security Aspects|Security<br>aspects?]]
 +
! Fixed in
 +
! Visible<br>Artefacts?
 +
! Notes and any extra info.
 +
|-
 +
| [[MediaWiki/Parser51]]
 +
| [[Special:Export/MediaWiki/Parser51|Export Wiki Source]]
 +
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser51 W3C Validator]
 +
| {{tidy-html|page=MediaWiki/Parser51}}
 +
| No
 +
|
 +
| bgcolor=grey | Yes
 +
| PHP warnings on malformed cookie session_id on Special:Userlogin. Also logged as [[:MediaZilla:6538]]
 
|}
 
|}
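Review bot: the added rows for Parser46, Parser50 and Parser47 leave the "Fixed in" cell as a bare `|`, while the Parser45 row cites r14730. Since these rows are struck through, record the revision or release that fixed each one, or mark the cell N/A as the Parser30 row does. The "Security aspects?" cells also mix "No" (Parser50) with "No." (Parser47); pick one form.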
  

Latest revision as of 10:56, 25 August 2010

Hello visitor! If you found this page, then you probably wanted something else. Here are links to what you're probably looking for:

Now back to your regularly scheduled programming....


Various MediaWiki 1.7.1 and extension parser tests, that fail HTML validation and/or have potential security issues. There is a MediaWiki bug report covering this. Some were found by hand, but most of these were found by fuzz testing of MediaWiki, using a modified PHP port of the Python port of mangleme. The original source code is available, although the version now in the MediaWiki trunk is much more current. Lastly, all the MediaWiki tests listed below are released into the public domain, and as such you're welcome to incorporate them into any software you like, under any license you like.

Security items

None that I am currently aware of.

HTML Validation or PHP errors or SQL errors

Things that cause one or more of the following:

  • Visual artefacts
  • PHP errors
  • SQL errors
  • Tidy errors (not just warnings)

... have been marked with grey to indicate that they may be of higher impact than the other items:

{| border="1"
! Test !! Wiki Source !! Validate HTML !! Tidy HTML !! Security aspects? !! Fixed in !! Visible Artefacts? !! Notes and any extra info.
|-
| MediaWiki/Parser1 || Export Wiki Source || W3C Validator || Tidy HTML || No || || Yes || Strikes out almost all text. Explanation for this + Parser1-hidden + Parser2 + Parser3 + Parser4 + Parser5.
|-
| MediaWiki/Parser1-hidden || Export Wiki Source || W3C Validator || Tidy HTML || No || || Yes || Hides almost all text, which also makes all page links unavailable.
|-
| MediaWiki/Parser3 || Export Wiki Source || W3C Validator || Tidy HTML || No || || No ||
|-
| MediaWiki/Parser4 || Export Wiki Source || W3C Validator || Tidy HTML || No || || No ||
|-
| MediaWiki/Parser5 || Export Wiki Source || W3C Validator || Tidy HTML || No || || Yes || Shrinks font, moves the top page action links up about 5 pixels and left about 10 pixels.
|-
| MediaWiki/Parser6 || Export Wiki Source || W3C Validator || Tidy HTML || No || || Yes || Shrinks font, moves the left navigation bar down about 160 pixels, strikes out almost all text.
|-
| MediaWiki/Parser8 || Export Wiki Source || W3C Validator || Tidy HTML || No || || No ||
|-
| MediaWiki/Parser9 || Export Wiki Source || W3C Validator || Tidy HTML || No || || No ||
|-
| MediaWiki/Parser10 || Export Wiki Source || W3C Validator || Tidy HTML || No || || No ||
|-
| MediaWiki/Parser11 || Export Wiki Source || W3C Validator || Tidy HTML || Yes No. || || No. || Explanation. Security aspects fixed in 1.6.1, although still fails W3C Validation.
|-
| MediaWiki/Parser12 || Export Wiki Source || W3C Validator || Tidy HTML || Yes No. || || No. || Explanation. Security aspects fixed in 1.6.1, although still fails W3C Validation.
|-
| MediaWiki/Parser15 || Export Wiki Source || W3C Validator || Tidy HTML || No || || No. || Generates Tidy error due to <caption> tags out of order. As of 1.6.1 just fails validation.
|-
| MediaWiki/Parser16 || Export Wiki Source || W3C Validator || Tidy HTML || Yes No. || || No. || Generates Tidy error due to <th> tags out of order. As of 1.6.1, dropped the '<a href="xxx' string. Security aspects fixed in 1.6.6, although still fails W3C Validation.
|-
| MediaWiki/Parser24 || Export Wiki Source || W3C Validator || Tidy HTML || Yes No. || || No. || Allows User-specified JavaScript Execution. Security aspects fixed in 1.6.6, although still fails W3C Validation.
|-
| MediaWiki/Parser25 || Export Wiki Source || W3C Validator || Tidy HTML || Yes No. || || No. || Allows User-specified JavaScript Execution. Security aspects fixed in 1.6.6, although still fails W3C Validation.
|-
| MediaWiki/Parser25-variant1 || Export Wiki Source || W3C Validator || Tidy HTML || Yes No. || || No. || Allows User-specified JavaScript Execution. Security aspects fixed in 1.6.6, although still fails W3C Validation.
|-
| MediaWiki/Parser25-variant2 || Export Wiki Source || W3C Validator || Tidy HTML || Yes No. || || No. || Allows User-specified JavaScript Execution. Security aspects fixed in 1.6.6, although still fails W3C Validation.
|-
| MediaWiki/Parser26 || Export Wiki Source || W3C Validator || Tidy HTML || Yes No. || || Yes No. || Attribute injection in Cite extension fixed in r14400, and visual aspects fixed in r14399, although still fails W3C Validation.
|-
| MediaWiki/Parser33 || Export Wiki Source || W3C Validator || Tidy HTML || No. || || Yes. || Numerous Tidy errors (using both the command-line version, and the Firefox plugin, but not with the web version)
|-
| MediaWiki/Parser34 || Export Wiki Source || W3C Validator || Tidy HTML || No. || || Yes. || Whacky page rendering, indents the nav bar from the left margin and into body text.
|-
| MediaWiki/Parser28 || Export Wiki Source || W3C Validator || Tidy HTML || Yes No. || 1.6.7 || No. || Limited attribute injection using Sort extension + another extension (References in this example). Can no longer reproduce, is certainly fixed in 1.6.7. Still fails W3C validation.
|-
| MediaWiki/Parser28-variant1 || Export Wiki Source || W3C Validator || Tidy HTML || Yes No. || 1.6.7 || No. || Limited attribute injection using Sort extension + another extension (Math in this example). Still fails W3C validation.
|-
| MediaWiki/Parser29 || Export Wiki Source || W3C Validator || Tidy HTML || No. || r14475 || No. || Invalid <left> tag on bad timeline extension input. Fixed in r14475. Still fails W3C validation.
|-
| MediaWiki/Parser30 || Export Wiki Source || W3C Validator || Tidy HTML || No. || N/A. || No. || Bogus - unable to reproduce problem. Still fails W3C validation.
|-
| MediaWiki/Parser31 || Export Wiki Source || W3C Validator || Tidy HTML || Yes No. || 1.6.7 || No. || Limited attribute injection using inputbox extension + another extension. Still fails W3C validation.
|-
| MediaWiki/Parser32-variant1 || Export Wiki Source || W3C Validator || Tidy HTML || Yes No. || 1.6.7 || No. || JavaScript execution using CharInsert + Sort extension. Still fails W3C validation.
|-
| MediaWiki/Parser36 || Export Wiki Source || W3C Validator || Tidy HTML || Yes No. || 1.6.7 || No. || Limited attribute injection using CharInsert extension + InputBox extension. Still fails W3C validation.
|-
| MediaWiki/Parser37 || Export Wiki Source || W3C Validator || Tidy HTML || Yes No. || 1.6.7 || No. || Limited attribute injection using CharInsert extension + InputBox extension + Math extension. Still fails W3C validation.
|-
| MediaWiki/Parser39 || Export Wiki Source || W3C Validator || Tidy HTML || Yes No. || 1.6.7 || No. || Limited attribute injection using CharInsert extension + Cite extension. Still fails validation.
|-
| MediaWiki/Parser49 || Export Wiki Source || W3C Validator || Tidy HTML || No || || Yes || Shifts content off of the left margin. Causes Tidy errors (in command-line Tidy + the Firefox plugin, but not in web version).
|-
| MediaWiki/Parser52 || Export Wiki Source || W3C Validator || Tidy HTML || No || || No. || HTML validation failing due to id attribute or name attribute duplication.
|-
| MediaWiki/Parser40 || Export Wiki Source || W3C Validator || Tidy HTML || Yes No. || || No. || Limited dl/dd/dt attribute injection. Fixed in trunk in r14541 + a later speed-up patch. Still fails HTML validation.
|}

Completely fixed

Things belong here if they now give valid HTML, don't cause PHP errors/warnings or SQL errors/warnings, and don't cause Tidy warnings.

{| border="1"
! Test !! Wiki Source !! Validate HTML !! Tidy HTML !! Security aspects? !! Fixed in !! Visible Artefacts? !! Notes and any extra info.
|-
| MediaWiki/Parser7 || Export Wiki Source || W3C Validator || Tidy HTML || No || 1.6.1 || No. || Completely fixed in 1.6.1 - valid HTML, no artefacts, no tidy errors.
|-
| MediaWiki/Parser13 || Export Wiki Source || W3C Validator || Tidy HTML || Yes No. || 1.6.6 || No. || Drops the '<a href="xxx' string. Explanation for this + Parser14 + Parser14-table. Completely fixed in 1.6.6.
|-
| MediaWiki/Parser14 || Export Wiki Source || W3C Validator || Tidy HTML || Yes No. || 1.6.6 || Yes No. || TOC insertion. Completely fixed in 1.6.6.
|-
| MediaWiki/Parser14-table || Export Wiki Source || W3C Validator || Tidy HTML || Yes No. || 1.6.6 || Yes No. || TOC insertion. Completely fixed in 1.6.6.
|-
| MediaWiki/Parser17 || Export Wiki Source || W3C Validator || Tidy HTML || Yes No. || 1.6.1 || No. || Completely fixed in 1.6.1 - valid HTML, no artefacts, no tidy errors.
|-
| MediaWiki/Parser18 || Export Wiki Source || W3C Validator || Tidy HTML || Yes No. || 1.6.1 || No. || Completely fixed in 1.6.1 - valid HTML, no artefacts, no tidy errors.
|-
| MediaWiki/Parser19 || Export Wiki Source || W3C Validator || Tidy HTML || Yes No. || 1.6.1 || No. || Completely fixed in 1.6.1 - valid HTML, no artefacts, no tidy errors.
|-
| MediaWiki/Parser21 || Export Wiki Source || W3C Validator || Tidy HTML || Yes No. || 1.6.6 || No. || Completely fixed in 1.6.6 - valid HTML, no artefacts, no tidy errors.
|-
| MediaWiki/Parser22 || Export Wiki Source || W3C Validator || Tidy HTML || Yes No. || 1.6.6 || No. || Double links injection. Completely fixed in 1.6.6 - valid HTML, no artefacts, no tidy errors.
|-
| MediaWiki/Parser27 || Export Wiki Source || W3C Validator || Tidy HTML || No. || r14480 || No. || PHP warning in Sort extension, fixed in r14480.
|-
| MediaWiki/Parser32 || Export Wiki Source || W3C Validator || Tidy HTML || Yes No. || 1.6.7 || No. || User-specified JavaScript execution. Must be running an experimental extension, so most installations are NOT affected. Wiki text not released yet. Fixed in trunk by r14511, and fixed in 1.6.7.
|-
| MediaWiki/Parser35 || Export Wiki Source || W3C Validator || Tidy HTML || Yes No. || 1.6.7 || No. || Limited attribute injection using CharInsert extension + Math extension.
|-
| MediaWiki/Parser38 || Export Wiki Source || W3C Validator || Tidy HTML || Yes No. || 1.6.7 || No. || Limited attribute injection using CharInsert extension + Cite extension.
|-
| MediaWiki/Parser42 || Export Wiki Source || W3C Validator || Tidy HTML || Yes No. || 1.6.7 || No. || Section heading abuse gave a Tidy error, strange page rendering, and a limited attribute injection.
|-
| MediaWiki/Parser43 || Export Wiki Source || W3C Validator || Tidy HTML || Yes No. || 1.6.7 || No. || XSS Arbitrary JavaScript execution and HTML insertion. Fixed in 1.6.7 and fixed in r14585 for trunk.
|-
| MediaWiki/Parser44 || Export Wiki Source || W3C Validator || Tidy HTML || No. || r14733 || No. || PHP warning in InputBox extension in E_ALL with bad input. Fixed in r14733.
|-
| MediaWiki/Parser41 || Export Wiki Source || W3C Validator || Tidy HTML || Yes No. || r14544 || No. || Wikitext of death (causes internal Parser error). Fixed in 1.7, but not in 1.6.
|-
| MediaWiki/Parser48 || Export Wiki Source || W3C Validator || Tidy HTML || Yes No. || || No. || $wgAllowExternalImages is enabled by default in 1.6 stable, but it is turned off in 1.7 and Trunk by default. This can be abused on a 1.6 wiki to create a page which when viewed will log the user off.
|-
| MediaWiki/Parser2 || Export Wiki Source || W3C Validator || Tidy HTML || No || || No ||
|-
| MediaWiki/Parser20 || Export Wiki Source || W3C Validator || Tidy HTML || No || || No. || Nowiki allows malformed URI (e.g. generates multi-line hrefs). Passes W3C validation, but tidy gives warnings, and the links don't act like normal links (in Firefox, at least) - clicking on them does nothing.
|-
| MediaWiki/Parser23 || Export Wiki Source || W3C Validator || Tidy HTML || No. || || No. || Pre allows malformed URI. Fails validation (unlike nowiki).
|-
| MediaWiki/Parser45 || Export Wiki Source || W3C Validator || Tidy HTML || No. || r14730 || Yes No. || PHP notices on the page history with bad input + E_ALL.
|-
| MediaWiki/Parser46 || Export Wiki Source || W3C Validator || Tidy HTML || No. || || Yes No. || Bad input on Page History that causes SQL error.
|-
| MediaWiki/Parser50 || Export Wiki Source || W3C Validator || Tidy HTML || No || || Yes No. || Gives PHP fatal error on bad input on Special:Userlogin
|-
| MediaWiki/Parser47 || Export Wiki Source || W3C Validator || Tidy HTML || No. || || Yes No. || Two PHP notices on Special:Contributions with bad input + E_ALL.
|}

Logged in bugzilla

Lately most new things have been logged in bugzilla, which makes them easier to track.

There is a small amount of overlap between this page and bugzilla, namely for the following bugs:

{| border="1"
! Test !! Wiki Source !! Validate HTML !! Tidy HTML !! Security aspects? !! Fixed in !! Visible Artefacts? !! Notes and any extra info.
|-
| MediaWiki/Parser51 || Export Wiki Source || W3C Validator || Tidy HTML || No || || Yes || PHP warnings on malformed cookie session_id on Special:Userlogin. Also logged as MediaZilla:6538
|}

Definition of Security Aspects

For the above table, "security aspect" is defined as anything that causes the start of a tag to be missing, or the end to be missing, or attributes of any type that should not be there to be injected. For example:

  • <p><td><s></p> would not be considered to have a security aspect because all the tags are appearing ok (are not malformed), although it is invalid HTML.
  • <a href="http://as<td></td><td class="external free"><p>user text here would be considered to have a security aspect because the "href" string is not properly terminated, and so the "external free" part is injected as attributes.
  • A string missing the start of a tag would also be considered to have a security aspect - e.g. <th>|||||" class="external free" title="https://||||||" rel="nofollow">https://</th> - because the <a href="xxx part has been cut off. Probably not exploitable - but certainly a worse category of bug than just getting tags in the wrong order.

So to sum up: if tags are just in the wrong order, but are otherwise complete and well-formed, then it is not a security issue; otherwise it is considered to potentially be, and is listed as "Yes" in the above table.
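
The definition above can be turned into an automated check over parser output. The following is an added sketch, not code from this page or from MediaWiki's fuzz tester: it walks the HTML the way a browser would and reports missing tag starts, missing tag ends and injected attributes. The function name, the finding labels and the regex heuristics are assumptions of this example.

```python
import re

TAG_OPEN = re.compile(r"</?[A-Za-z][A-Za-z0-9]*")
SKIP = re.compile(r"[\s/]*")
# Attribute name, then an optional value: "quoted", 'quoted' or unquoted.
ATTR = re.compile(r"""(=?[^\s=>/]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]*)))?""")
# Heuristic (assumption): name="value"> inside a text node means the tag start was cut off.
ORPHAN_TAIL = re.compile(r"""[\w-]+\s*=\s*(?:"[^"<>]*"|'[^'<>]*')\s*/?>""")

def security_aspects(html):
    """List (kind, fragment) findings; an empty list means every tag is complete."""
    findings, pos = [], 0
    while pos < len(html):
        lt = html.find("<", pos)
        text = html[pos:] if lt == -1 else html[pos:lt]
        orphan = ORPHAN_TAIL.search(text)
        if orphan:
            findings.append(("tag start missing", orphan.group(0)))
        if lt == -1:
            break
        opened = TAG_OPEN.match(html, lt)
        if not opened:                  # a bare '<' opens no tag; treat it as text
            pos = lt + 1
            continue
        i = opened.end()
        while True:                     # walk the attributes up to the closing '>'
            i = SKIP.match(html, i).end()
            if i >= len(html):
                findings.append(("tag end missing", html[lt:]))
                break
            if html[i] == ">":
                i += 1
                break
            m = ATTR.match(html, i)
            name, dq, sq, bare = m.groups()
            value = dq if dq is not None else sq if sq is not None else bare or ""
            if "<" in value or ">" in value or value[:1] in ('"', "'"):
                findings.append(("attribute value not terminated", name))
            elif any(c in name for c in "\"'<"):
                findings.append(("injected attribute", name))
            i = m.end()
        pos = i
    return findings

# The three strings used in the definition above.
MISORDERED = '<p><td><s></p>'
UNTERMINATED = '<a href="http://as<td></td><td class="external free"><p>user text here'
CUT_OFF = ('<th>|||||" class="external free" title="https://||||||" '
           'rel="nofollow">https://</th>')
```

An empty result corresponds to "No" in the Security aspects column; output that is merely invalid HTML, such as misordered tags, still needs the W3C Validator or Tidy to be caught.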