Difference between revisions of "MediaWiki"

From Nick Jenkins
m (Update for 1.6.1)
Line 1: Line 1:
Various MediaWiki 1.5.8 parser tests, that fail HTML validation:
+
Various MediaWiki 1.6.1 parser tests, that fail HTML validation:
  
 
* [http://bugzilla.wikimedia.org/show_bug.cgi?id=5066 MediaWiki bug report].
 
* [http://bugzilla.wikimedia.org/show_bug.cgi?id=5066 MediaWiki bug report].
Line 10: Line 10:
 
! Validate HTML
 
! Validate HTML
 
! Tidy HTML
 
! Tidy HTML
! Visible Artefacts, and if so what; Any extra info
+
! Security<br>aspects?<sup>1</sup>
 +
! Visible<br>Artefacts?
 +
! Notes and any extra info.
 
|-
 
|-
 
| [[MediaWiki/Parser1]]
 
| [[MediaWiki/Parser1]]
Line 16: Line 18:
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser1 W3C Validator]
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser1 W3C Validator]
 
| {{tidy-html|page=MediaWiki/Parser1}}
 
| {{tidy-html|page=MediaWiki/Parser1}}
| Yes - stikes out almost all text. [http://mail.wikipedia.org/pipermail/wikitech-l/2006-February/034012.html Explanation for this + Parser1-hidden + Parser2 + Parser3 + Parser4 + Parser5].
+
| No
 +
| Yes
 +
| Stikes out almost all text. [http://mail.wikipedia.org/pipermail/wikitech-l/2006-February/034012.html Explanation for this + Parser1-hidden + Parser2 + Parser3 + Parser4 + Parser5].
 
|-
 
|-
 
| [[MediaWiki/Parser1-hidden]]
 
| [[MediaWiki/Parser1-hidden]]
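Review bot: the new notes cell for Parser1 still reads "Stikes out almost all text"; the typo is carried over from the old cell it replaces and should read "Strikes out almost all text".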
Line 22: Line 26:
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser1-hidden W3C Validator]
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser1-hidden W3C Validator]
 
| {{tidy-html|page=MediaWiki/Parser1-hidden}}
 
| {{tidy-html|page=MediaWiki/Parser1-hidden}}
| Yes - hides almost all text, which also makes all page links unavailable.
+
| No
 +
| Yes
 +
| Hides almost all text, which also makes all page links unavailable.
 
|-
 
|-
 
| [[MediaWiki/Parser2]]
 
| [[MediaWiki/Parser2]]
Line 28: Line 34:
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser2 W3C Validator]
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser2 W3C Validator]
 
| {{tidy-html|page=MediaWiki/Parser2}}
 
| {{tidy-html|page=MediaWiki/Parser2}}
 +
| No
 
| No
 
| No
 
|-
 
|-
Line 34: Line 41:
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser3 W3C Validator]
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser3 W3C Validator]
 
| {{tidy-html|page=MediaWiki/Parser3}}
 
| {{tidy-html|page=MediaWiki/Parser3}}
 +
| No
 
| No
 
| No
 
|-
 
|-
Line 40: Line 48:
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser4 W3C Validator]
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser4 W3C Validator]
 
| {{tidy-html|page=MediaWiki/Parser4}}
 
| {{tidy-html|page=MediaWiki/Parser4}}
 +
| No
 
| No
 
| No
 
|-
 
|-
Line 46: Line 55:
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser5 W3C Validator]
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser5 W3C Validator]
 
| {{tidy-html|page=MediaWiki/Parser5}}
 
| {{tidy-html|page=MediaWiki/Parser5}}
| Yes - shrinks font, moves the top page action links up about 5 pixels and left about 10 pixels.
+
| No
 +
| Yes
 +
| Shrinks font, moves the top page action links up about 5 pixels and left about 10 pixels.
 
|-
 
|-
 
| [[MediaWiki/Parser6]]
 
| [[MediaWiki/Parser6]]
Line 52: Line 63:
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser6 W3C Validator]
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser6 W3C Validator]
 
| {{tidy-html|page=MediaWiki/Parser6}}
 
| {{tidy-html|page=MediaWiki/Parser6}}
| Yes - shrinks font, moves the left navigation bar down about 160 pixels, strikes out almost all text.
+
| No
 +
| Yes
 +
| Shrinks font, moves the left navigation bar down about 160 pixels, strikes out almost all text.
 
|-
 
|-
| [[MediaWiki/Parser7]]
+
| <s>[[MediaWiki/Parser7]]</s>
| [[Special:Export/MediaWiki/Parser7|Export Wiki Source]]
+
| <s>[[Special:Export/MediaWiki/Parser7|Export Wiki Source]]</s>
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser7 W3C Validator]
+
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser7 W3C Validator]</s>
| {{tidy-html|page=MediaWiki/Parser7}}
+
| <s>{{tidy-html|page=MediaWiki/Parser7}}</s>
 
| No
 
| No
 +
| No.
 +
| Completely fixed in 1.6.1 - valid HTML, no artefacts, no tidy errors.
 
|-
 
|-
 
| [[MediaWiki/Parser8]]
 
| [[MediaWiki/Parser8]]
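Review bot: striking through the Export, W3C Validator and Tidy links for Parser7 removes the only way a reader can confirm the "valid HTML, no artefacts, no tidy errors" claim in the notes cell; keep those three links live (strike only the test name if the row should look retired) so the fixed state stays checkable against later releases.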
Line 64: Line 79:
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser8 W3C Validator]
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser8 W3C Validator]
 
| {{tidy-html|page=MediaWiki/Parser8}}
 
| {{tidy-html|page=MediaWiki/Parser8}}
 +
| No
 
| No
 
| No
 
|-
 
|-
Line 70: Line 86:
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser9 W3C Validator]
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser9 W3C Validator]
 
| {{tidy-html|page=MediaWiki/Parser9}}
 
| {{tidy-html|page=MediaWiki/Parser9}}
 +
| No
 
| No
 
| No
 
|-
 
|-
Line 76: Line 93:
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser10 W3C Validator]
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser10 W3C Validator]
 
| {{tidy-html|page=MediaWiki/Parser10}}
 
| {{tidy-html|page=MediaWiki/Parser10}}
 +
| No
 
| No
 
| No
 
|-
 
|-
Line 82: Line 100:
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser11 W3C Validator]
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser11 W3C Validator]
 
| {{tidy-html|page=MediaWiki/Parser11}}
 
| {{tidy-html|page=MediaWiki/Parser11}}
| No. [http://mail.wikipedia.org/pipermail/wikitech-l/2006-March/034614.html Explanation].
+
| <s>Yes</s> No.
 +
| No.
 +
| [http://mail.wikipedia.org/pipermail/wikitech-l/2006-March/034614.html Explanation]. Security aspects [http://svn.wikimedia.org/viewvc/mediawiki?view=rev&sortby=date&revision=13424 now fixed in 1.6], although still fails W3C Validation.
 
|-
 
|-
 
| [[MediaWiki/Parser12]]
 
| [[MediaWiki/Parser12]]
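Review bot: the new Security cell "<s>Yes</s> No." keeps the old value struck through inside the cell, so wherever the table is read without strikethrough rendering (the flattened copy of this revision further down shows it as "Yes No.") the row appears to give two contradictory answers; the notes cell already records that the security aspect was fixed in 1.6, so the cell can simply read "No.". The Parser12 row that follows has the same pattern.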
Line 88: Line 108:
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser12 W3C Validator]
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser12 W3C Validator]
 
| {{tidy-html|page=MediaWiki/Parser12}}
 
| {{tidy-html|page=MediaWiki/Parser12}}
| No. [http://mail.wikipedia.org/pipermail/wikitech-l/2006-April/034637.html Explanation].
+
| <s>Yes</s> No.
 +
| No.
 +
| [http://mail.wikipedia.org/pipermail/wikitech-l/2006-April/034637.html Explanation]. Security aspects [http://svn.wikimedia.org/viewvc/mediawiki?view=rev&sortby=date&revision=13441 now fixed in 1.6], although still fails W3C Validation.
 
|-
 
|-
 
| [[MediaWiki/Parser13]]
 
| [[MediaWiki/Parser13]]
Line 94: Line 116:
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser13 W3C Validator]
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser13 W3C Validator]
 
| {{tidy-html|page=MediaWiki/Parser13}}
 
| {{tidy-html|page=MediaWiki/Parser13}}
| No. Drops the '<a href="xxx' string. [http://mail.wikipedia.org/pipermail/wikitech-l/2006-April/034659.html Explanation for this + Parser14 + Parser14-table].
+
| Yes.
 +
| No.
 +
| Drops the '<a href="xxx' string. [http://mail.wikipedia.org/pipermail/wikitech-l/2006-April/034659.html Explanation for this + Parser14 + Parser14-table].
 
|-
 
|-
 
| [[MediaWiki/Parser14]]
 
| [[MediaWiki/Parser14]]
Line 100: Line 124:
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser14 W3C Validator]
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser14 W3C Validator]
 
| {{tidy-html|page=MediaWiki/Parser14}}
 
| {{tidy-html|page=MediaWiki/Parser14}}
 +
| Yes.
 
| No.
 
| No.
 
|-
 
|-
Line 106: Line 131:
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser14-table W3C Validator]
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser14-table W3C Validator]
 
| {{tidy-html|page=MediaWiki/Parser14-table}}
 
| {{tidy-html|page=MediaWiki/Parser14-table}}
 +
| Yes.
 
| No.
 
| No.
 
|-
 
|-
Line 112: Line 138:
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser15 W3C Validator]
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser15 W3C Validator]
 
| {{tidy-html|page=MediaWiki/Parser15}}
 
| {{tidy-html|page=MediaWiki/Parser15}}
| No. Generates Tidy error due to &lt;caption&gt; tags out of order.
+
| No
 +
| No.
 +
| <s>Generates Tidy error due to &lt;caption&gt; tags out of order.</s> As of 1.6 just fails validation.
 
|-
 
|-
 
| [[MediaWiki/Parser16]]
 
| [[MediaWiki/Parser16]]
Line 118: Line 146:
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser16 W3C Validator]
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser16 W3C Validator]
 
| {{tidy-html|page=MediaWiki/Parser16}}
 
| {{tidy-html|page=MediaWiki/Parser16}}
| No. Generates Tidy error due to &lt;th&gt; tags out of order.
+
| Yes.
 +
| No.
 +
| <s>Generates Tidy error due to &lt;th&gt; tags out of order.</s> As of 1.6, now drops the '<a href="xxx' string.
 
|}
 
|}
 +
 +
<br>
 +
<sup>1</sup>: For the above table, "security aspect" is defined as anything that causes the start of a tag to be missing, or the end to be missing, or attributes of any type that should not be there to be injected. For example:
 +
* ''&lt;p&gt;&lt;td&gt;&lt;s&gt;&lt;/p&gt;'' would '''not''' be considered to have a security aspect because all the tags are appearing ok (are not malformed), although it is invalid HTML.
 +
* ''&lt;a href="http://as&lt;td&gt;&lt;/td&gt;&lt;td class="external free"&gt;&lt;p&gt;user text here'' would be considered to have a security aspect because the "href" string is not properly terminated, and so the "external free" part is injected as attributes.
 +
* A string missing the start of a tag would also be considered to have a security aspect - e.g. ''&lt;th&gt;|||||" class="external free" title="https://||||||" rel="nofollow"&gt;https://&lt;/th&gt;'' - because the ''&lt;a href="xxx'' part has been cut off.
 +
So to sum up: if tags are just in the wrong order, but are otherwise complete and well-formed, then it is not a security issue; otherwise it is considered to potentially be, and is listed as "Yes" in the above table.
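Review bot: in the third footnote example the bare https://|||||| inside the italic text is not protected with <nowiki>, so the wiki treats it as a free external link and rewrites the pipes, which is why the rendered revision below shows title="https://%7C%7C%7C%7C%7C%7C" rather than the literal output; wrap the example in <nowiki> so readers see exactly what the parser produced.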

Revision as of 05:20, 7 April 2006

Various MediaWiki 1.6.1 parser tests that fail HTML validation:


{|
! Test
! Wiki Source
! Validate HTML
! Tidy HTML
! Security<br>aspects?<sup>1</sup>
! Visible<br>Artefacts?
! Notes and any extra info.
|-
| [[MediaWiki/Parser1]]
| [[Special:Export/MediaWiki/Parser1|Export Wiki Source]]
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser1 W3C Validator]
| {{tidy-html|page=MediaWiki/Parser1}}
| No
| Yes
| Strikes out almost all text. [http://mail.wikipedia.org/pipermail/wikitech-l/2006-February/034012.html Explanation for this + Parser1-hidden + Parser2 + Parser3 + Parser4 + Parser5].
|-
| [[MediaWiki/Parser1-hidden]]
| [[Special:Export/MediaWiki/Parser1-hidden|Export Wiki Source]]
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser1-hidden W3C Validator]
| {{tidy-html|page=MediaWiki/Parser1-hidden}}
| No
| Yes
| Hides almost all text, which also makes all page links unavailable.
|-
| [[MediaWiki/Parser2]]
| [[Special:Export/MediaWiki/Parser2|Export Wiki Source]]
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser2 W3C Validator]
| {{tidy-html|page=MediaWiki/Parser2}}
| No
| No
|
|-
| [[MediaWiki/Parser3]]
| [[Special:Export/MediaWiki/Parser3|Export Wiki Source]]
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser3 W3C Validator]
| {{tidy-html|page=MediaWiki/Parser3}}
| No
| No
|
|-
| [[MediaWiki/Parser4]]
| [[Special:Export/MediaWiki/Parser4|Export Wiki Source]]
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser4 W3C Validator]
| {{tidy-html|page=MediaWiki/Parser4}}
| No
| No
|
|-
| [[MediaWiki/Parser5]]
| [[Special:Export/MediaWiki/Parser5|Export Wiki Source]]
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser5 W3C Validator]
| {{tidy-html|page=MediaWiki/Parser5}}
| No
| Yes
| Shrinks font, moves the top page action links up about 5 pixels and left about 10 pixels.
|-
| [[MediaWiki/Parser6]]
| [[Special:Export/MediaWiki/Parser6|Export Wiki Source]]
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser6 W3C Validator]
| {{tidy-html|page=MediaWiki/Parser6}}
| No
| Yes
| Shrinks font, moves the left navigation bar down about 160 pixels, strikes out almost all text.
|-
| <s>[[MediaWiki/Parser7]]</s>
| <s>[[Special:Export/MediaWiki/Parser7|Export Wiki Source]]</s>
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser7 W3C Validator]</s>
| <s>{{tidy-html|page=MediaWiki/Parser7}}</s>
| No
| No.
| Completely fixed in 1.6.1 - valid HTML, no artefacts, no tidy errors.
|-
| [[MediaWiki/Parser8]]
| [[Special:Export/MediaWiki/Parser8|Export Wiki Source]]
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser8 W3C Validator]
| {{tidy-html|page=MediaWiki/Parser8}}
| No
| No
|
|-
| [[MediaWiki/Parser9]]
| [[Special:Export/MediaWiki/Parser9|Export Wiki Source]]
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser9 W3C Validator]
| {{tidy-html|page=MediaWiki/Parser9}}
| No
| No
|
|-
| [[MediaWiki/Parser10]]
| [[Special:Export/MediaWiki/Parser10|Export Wiki Source]]
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser10 W3C Validator]
| {{tidy-html|page=MediaWiki/Parser10}}
| No
| No
|
|-
| [[MediaWiki/Parser11]]
| [[Special:Export/MediaWiki/Parser11|Export Wiki Source]]
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser11 W3C Validator]
| {{tidy-html|page=MediaWiki/Parser11}}
| <s>Yes</s> No.
| No.
| [http://mail.wikipedia.org/pipermail/wikitech-l/2006-March/034614.html Explanation]. Security aspects [http://svn.wikimedia.org/viewvc/mediawiki?view=rev&sortby=date&revision=13424 now fixed in 1.6], although the page still fails W3C validation.
|-
| [[MediaWiki/Parser12]]
| [[Special:Export/MediaWiki/Parser12|Export Wiki Source]]
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser12 W3C Validator]
| {{tidy-html|page=MediaWiki/Parser12}}
| <s>Yes</s> No.
| No.
| [http://mail.wikipedia.org/pipermail/wikitech-l/2006-April/034637.html Explanation]. Security aspects [http://svn.wikimedia.org/viewvc/mediawiki?view=rev&sortby=date&revision=13441 now fixed in 1.6], although the page still fails W3C validation.
|-
| [[MediaWiki/Parser13]]
| [[Special:Export/MediaWiki/Parser13|Export Wiki Source]]
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser13 W3C Validator]
| {{tidy-html|page=MediaWiki/Parser13}}
| Yes.
| No.
| Drops the '<a href="xxx' string. [http://mail.wikipedia.org/pipermail/wikitech-l/2006-April/034659.html Explanation for this + Parser14 + Parser14-table].
|-
| [[MediaWiki/Parser14]]
| [[Special:Export/MediaWiki/Parser14|Export Wiki Source]]
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser14 W3C Validator]
| {{tidy-html|page=MediaWiki/Parser14}}
| Yes.
| No.
|
|-
| [[MediaWiki/Parser14-table]]
| [[Special:Export/MediaWiki/Parser14-table|Export Wiki Source]]
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser14-table W3C Validator]
| {{tidy-html|page=MediaWiki/Parser14-table}}
| Yes.
| No.
|
|-
| [[MediaWiki/Parser15]]
| [[Special:Export/MediaWiki/Parser15|Export Wiki Source]]
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser15 W3C Validator]
| {{tidy-html|page=MediaWiki/Parser15}}
| No
| No.
| <s>Generates Tidy error due to &lt;caption&gt; tags out of order.</s> As of 1.6 it just fails validation.
|-
| [[MediaWiki/Parser16]]
| [[Special:Export/MediaWiki/Parser16|Export Wiki Source]]
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser16 W3C Validator]
| {{tidy-html|page=MediaWiki/Parser16}}
| Yes.
| No.
| <s>Generates Tidy error due to &lt;th&gt; tags out of order.</s> As of 1.6, it now drops the '<a href="xxx' string.
|}


1: For the above table, a "security aspect" is anything that leaves the start of a tag missing, leaves the end of a tag missing, or lets attributes that should not be there be injected into a tag. For example:

  • <p><td><s></p> would not be considered to have a security aspect, because every tag is complete and well-formed, although the result is invalid HTML.
  • <a href="http://as<td></td><td class="external free"><p>user text here would be considered to have a security aspect, because the "href" value is never properly terminated, so the following markup is swallowed into it and the "external free" part ends up injected as attributes.
  • A string missing the start of a tag would also be considered to have a security aspect - e.g. <th>|||||" class="external free" title="https://%7C%7C%7C%7C%7C%7C" rel="nofollow">https://</th> - because the <a href="xxx part has been cut off, leaving what were meant to be the link's attributes as visible text inside the <th>.

So to sum up: if tags are merely in the wrong order but are otherwise complete and well-formed, it is not a security issue; otherwise it is considered a potential security issue and is listed as "Yes" in the table above.
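The footnote's three examples can be turned into a mechanical check. What follows is an added example written for this page, not code from MediaWiki or from the original author: a heuristic scanner that classifies an HTML fragment the way the footnote does, so that tags which are merely out of order produce no finding, while a cut-off tag start, a missing tag end, or a quoted attribute value that runs into the following markup is reported. The finding names (tag_start_missing, tag_end_missing, attr_unterminated), the orphan-attribute regex and the decision to treat comments and doctypes as plain text are all assumptions of this example, not anything the page defines.

```python
"""Heuristic "security aspect" classifier for malformed HTML fragments.

Added example (not part of the original page). It follows the footnote's rule:
out-of-order but well-formed tags are not flagged; a tag whose start is missing,
whose end is missing, or whose quoted attribute value swallows the next tag
(so later markup is injected as attributes) is flagged.
"""
import re
from dataclasses import dataclass

TAG_START_RE = re.compile(r'<(/?)([A-Za-z][A-Za-z0-9]*)')
ATTR_NAME_RE = re.compile(r'[A-Za-z_:][-A-Za-z0-9_:.]*')
UNQUOTED_VALUE_RE = re.compile(r'[^\s<>]*')
# Attribute-looking text that ends in '>' with no '<' in front of it: the tag's
# start (e.g. '<a href="xxx') has been cut off and its attributes became text.
ORPHAN_ATTRS_RE = re.compile(r'[A-Za-z_:][-A-Za-z0-9_:.]*="[^"<>]*"[^<>]*>')


@dataclass
class Finding:
    kind: str      # 'tag_start_missing' | 'tag_end_missing' | 'attr_unterminated'
    offset: int    # index into the input where the problem was detected
    snippet: str   # the offending markup


def _check_text(text: str, base: int, out: list) -> None:
    """Text outside any tag: attribute pairs followed by '>' mean a tag start is missing."""
    for m in ORPHAN_ATTRS_RE.finditer(text):
        out.append(Finding('tag_start_missing', base + m.start(), m.group(0)))


def _parse_tag(html: str, start: int, out: list) -> int:
    """Parse the tag at html[start] == '<', append findings, return resume index."""
    n = len(html)
    pos = TAG_START_RE.match(html, start).end()
    while pos < n:
        ch = html[pos]
        if ch in ' \t\r\n/':
            pos += 1
            continue
        if ch == '>':
            return pos + 1
        if ch == '<':
            # Another tag opens before this one was closed: its end is missing.
            out.append(Finding('tag_end_missing', start, html[start:pos]))
            return pos
        am = ATTR_NAME_RE.match(html, pos)
        if not am:
            pos += 1  # stray character inside the tag; skip it
            continue
        pos = am.end()
        if pos < n and html[pos] == '=':
            pos += 1
            if pos < n and html[pos] in '"\'':
                quote = html[pos]
                close = html.find(quote, pos + 1)
                value_end = n if close == -1 else close
                value = html[pos + 1:value_end]
                if close == -1 or '<' in value:
                    # The value swallowed the next tag, so whatever follows the
                    # eventual closing quote is injected as attributes.
                    out.append(Finding('attr_unterminated', start, html[start:value_end + 1]))
                    lt = value.find('<')
                    return n if lt == -1 else pos + 1 + lt  # resume at the swallowed tag
                pos = close + 1
            else:
                pos = UNQUOTED_VALUE_RE.match(html, pos).end()
    out.append(Finding('tag_end_missing', start, html[start:]))
    return n


def scan(html: str) -> list:
    """Return all findings for an HTML fragment (comments and doctypes count as text)."""
    out, i, n = [], 0, len(html)
    while i < n:
        lt = html.find('<', i)
        if lt == -1:
            _check_text(html[i:], i, out)
            break
        _check_text(html[i:lt], i, out)
        if TAG_START_RE.match(html, lt):
            i = _parse_tag(html, lt, out)
        else:
            i = lt + 1  # a bare '<' in text, not a tag
    return out


def has_security_aspect(html: str) -> bool:
    """True when the fragment meets the footnote's definition of a security aspect."""
    return bool(scan(html))


if __name__ == '__main__':
    # Constructed inputs: the footnote's three examples plus a well-formed link.
    for sample in ('<p><td><s></p>',
                   '<a href="http://as<td></td><td class="external free"><p>user text here',
                   '<th>|||||" class="external free" title="https://||||||" rel="nofollow">https://</th>',
                   '<a href="http://example.invalid/" class="external free">x</a>'):
        print(has_security_aspect(sample), [f.kind for f in scan(sample)], repr(sample))
```

The scanner deliberately does not use html.parser, which silently repairs the very cases the table records; it only tokenises tags and attribute values, which is enough to tell "misordered but complete" from "truncated or swallowed". Because the orphan-attribute rule is a regex over text nodes, legitimate text that happens to contain name="value" followed by a bare '>' will also be flagged, which is the intended bias for a triage tool.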