On 05/19/2014 09:52 AM, Daniel Kinzler wrote:
> On 18.05.2014 16:29, Gabriel Wicke wrote:
>> The difference between wrapper and property is actually that using inline
>> wrappers in the returned wikitext would force us to escape similar wrappers
>> from normal template content to avoid opening a gaping XSS hole.
> Please explain, I do not see the hole you mention.
> If the input contained <html>evil stuff</html>, it would just get escaped by
> the preprocessor (unless $wgRawHtml is enabled), as it is now:
> https://de.wikipedia.org/w/api.php?action=expandtemplates&text=%3Chtml%…
What you see there is just unescaped HTML embedded in the XML result format.
It's clearer that there's in fact no escaping on the HTML when looking at
the JSON:
https://de.wikipedia.org/w/api.php?action=expandtemplates&text=%3Chtml%…
Parsoid depends on there being no escaping for unknown tags (and known
extension tags) in the preprocessor.
So if you use tags, you'll have to add escaping for those.
The move to HTML-based (self-contained) transclusion expansions will avoid
this issue completely. That's a few months out though. Maybe we can find a
stop-gap solution that moves in that direction, without introducing special
tags in expandtemplates that we'll have to support for a long time.
Gabriel