Hi all! This is an announcement for a new developer feature in MediaWiki. If you don’t develop MediaWiki core, extensions or skins, you can stop reading :)

MediaWiki interface messages are generally “safe” to edit: when they contain markup, it is either parsed (as wikitext), sanitized, or fully HTML-escaped. For this reason, administrators are allowed to edit normal messages on-wiki in the MediaWiki: namespace, while editing JS code (which is more dangerous) is restricted to interface administrators. (A few exceptions, messages that are not escaped and which can only be edited by interface administrators, are configured in $wgRawHtmlMessages.) Occasionally, a bug in the software means that a message isn’t properly escaped, which can in theory be abused by administrators to effectively gain interface administrator powers (by editing a MediaWiki: page for a message to contain <script> tags, or onclick="" attributes, or whatever). Such bugs are usually considered low-severity security issues; some of them are tracked in T2212. (The general issue is known as cross-site scripting and can be much more severe when it’s not limited to interface messages.)

Previously, checking for these issues as a developer was tedious: if you suspected that a message was vulnerable to HTML injection, you had to create a page for it in the MediaWiki: namespace, or edit the corresponding en.json file on disk (and potentially rebuild the localisation cache). The recently merged “xss language code” feature simplifies this process. If the developer setting $wgUseXssLanguage is set to true, then an “x-xss” language code becomes available and can be selected with ?uselang=x-xss in the URL. When using this language code, all messages become “malicious”: every message is replaced by a snippet of HTML that tries to run alert('message-key'). If everything is implemented correctly, all of those HTML snippets should be escaped, and no alerts should fire, although the wiki will look quite strange:

If you see any alert, then that means that a message has not been escaped correctly; use the message key shown in the alert to hunt down the buggy code (or add the message key to $wgRawHtmlMessages). This feature is intended to be especially useful during code review: check out the change, load a page with ?uselang=x-xss, and see if any alerts come up.
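The idea behind the x-xss language, as an added illustration that is not MediaWiki's code: a message lookup that returns an alert payload for every key under a fake language, a correctly escaping renderer beside a buggy one, and a check that reports which message keys reached the output unescaped (the automated equivalent of watching for alerts in the browser). The payload format, message keys and page layout are made up for the demo.

```python
import html
import re

# Constructed message table for the demo (not real MediaWiki keys).
MESSAGES = {
    "welcome": "Welcome to the wiki",
    "edit-summary": "Summary",
    "save": "Save page",
}

def xss_payload(key: str) -> str:
    """The 'malicious' text returned for every message key under x-xss.

    If this string reaches the browser unescaped, it runs alert('<key>'),
    so the alert text tells you which message was not escaped."""
    return f"<img src=x onerror=\"alert('{key}')\">"

def msg(key: str, lang: str = "en") -> str:
    """Look up a message; under the fake 'x-xss' language return the payload."""
    if lang == "x-xss":
        return xss_payload(key)
    return MESSAGES[key]

def render_correct(lang: str) -> str:
    # Every message is HTML-escaped before being placed into markup.
    return (f"<h1>{html.escape(msg('welcome', lang))}</h1>"
            f"<label>{html.escape(msg('edit-summary', lang))}</label>"
            f"<button>{html.escape(msg('save', lang))}</button>")

def render_buggy(lang: str) -> str:
    # Same page, but the button label is interpolated raw: the kind of
    # escaping bug the x-xss language is meant to surface.
    return (f"<h1>{html.escape(msg('welcome', lang))}</h1>"
            f"<label>{html.escape(msg('edit-summary', lang))}</label>"
            f"<button>{msg('save', lang)}</button>")

# Detector derived from the payload itself, with the key as a capture group.
ALERT_RE = re.compile(re.escape(xss_payload("KEY")).replace("KEY", "([^']*)"))

def leaked_keys(rendered_html: str) -> list[str]:
    """Message keys whose payload survived unescaped, in document order.

    An escaped payload becomes &lt;img ...&gt; and does not match; a raw
    payload does, which is exactly the case where an alert would fire."""
    return ALERT_RE.findall(rendered_html)
```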

Miscellaneous notes:
Cheers,
Lucas

--
Lucas Werkmeister (he/er)
Software Engineer

Wikimedia Deutschland e. V. | Tempelhofer Ufer 23-24 | 10963 Berlin
Phone: +49 (0)30-577 11 62-0
https://wikimedia.de

Imagine a world in which every single human being can freely share in the sum of all knowledge. Help us to achieve our vision!
https://spenden.wikimedia.de

Wikimedia Deutschland — Gesellschaft zur Förderung Freien Wissens e. V. Registered in the register of associations of the Charlottenburg district court, VR 23855 B. Recognised as a charitable organisation by the Finanzamt für Körperschaften I Berlin, tax number 27/029/42207.