T396486 Application Security Review Request: Wikifunctions rich text (HTML) output
Status: Closed, Resolved
Visibility: Public
Assigned To: sbassett
Authored By: Jdforrester-WMF, 2025-06-10 14:21:05 (UTC+0)
Tags: Application Security Reviews; Security; secscrum (Our Part Is Done); WikiLambda; user-sbassett (Done); OKR-Work (Backlog); Abstract Wikipedia team (26Q2 (Oct–Dec)) (Needs Sign-off)
Referenced Files: None
Subscribers: Aklapper, EMill-WMF, Jdforrester-WMF, ldelench_wmf
Description

Project Information
Name of tool/project: Wikifunctions
Project home page:
Name of team requesting review: Abstract Wikipedia team
Primary contact: James F.
Target date for deployment: 1 Sep 2025
Link to code repository / patchset:
Link to scc output for general sizing of codebases:
Description of the tool/project:
Wikifunctions allows user-written Functions to be embedded in pages through a wikitext parser function, and thus provide static content. This is currently limited to plain text (outputting a LiteralStringPFragment to Parsoid).
Description of how the tool will be used at WMF:
We wish to extend this feature to also be able to output HTML (outputting an HtmlPFragment to Parsoid). The content will only be used as HTML after passing through MediaWiki's Sanitizer.php (and thus Remex).

Dependencies
List dependencies, or upstream projects that this project relies on.
Parsoid
MediaWiki Sanitizer
Remex

Has this project been reviewed before?
Please link to tasks or wiki pages of previous reviews.

Working test environment
Please link or describe setup process for setting up a test environment.

Post-deployment
Name of team responsible for tool/project after deployment and primary contact.
Related Objects

Task Graph:
T368005 Design outline for HTML output (Resolved; assigned to DVrandecic)
T397402 If we enable Wikifunctions to output HTML tables, styling, and links, we will demonstrate through a Function that displays a conjugation table its capability for generating net new knowledge on Wiktionaries beyond simple conversions. (Resolved; assigned to Jdforrester-WMF)
T396486 Application Security Review Request: Wikifunctions rich text (HTML) output (Resolved; assigned to sbassett)

Mentioned Here:
T398987: Provide a method (in MW's Sanitiser, or in WikiLambda?) that works like removeSomeTags() but also allows links through
Event Timeline

Jdforrester-WMF created this task. 2025-06-10 14:21:05 (UTC+0)
sbassett moved this task from Incoming to Upcoming Quarter Planning Queue on the secscrum board. 2025-06-10 16:41:08 (UTC+0)
Jdforrester-WMF moved this task from To Triage to Product Backlog on the Abstract Wikipedia team board. 2025-06-11 15:36:22 (UTC+0)
DSantamaria moved this task from Product Backlog to 26Q1 (Jul–Sep) on the Abstract Wikipedia team board. 2025-06-19 08:15:51 (UTC+0)
DSantamaria edited projects, added Abstract Wikipedia team (26Q1 (Jul–Sep)); removed Abstract Wikipedia team.
Jdforrester-WMF added a parent task: T397402: If we enable Wikifunctions to output HTML tables, styling, and links, we will demonstrate through a Function that displays a conjugation table its capability for generating net new knowledge on Wiktionaries beyond simple conversions. 2025-07-08 13:33:11 (UTC+0)
Jdforrester-WMF moved this task from Incoming to Ready on the Abstract Wikipedia team (26Q1 (Jul–Sep)) board. 2025-07-08 13:39:15 (UTC+0)
sbassett changed the task status from Open to In Progress. 2025-07-08 15:22:06 (UTC+0)
sbassett claimed this task.
sbassett triaged this task as Medium priority.
sbassett moved this task from Upcoming Quarter Planning Queue to In Progress on the secscrum board.
sbassett added a project: user-sbassett
sbassett moved this task from Backlog to In Progress on the user-sbassett board.
DSantamaria moved this task from Ready to In Engineering on the Abstract Wikipedia team (26Q1 (Jul–Sep)) board. 2025-07-08 16:23:06 (UTC+0)
Jdforrester-WMF added a project: OKR-Work 2025-07-10 16:09:34 (UTC+0)
ldelench_wmf subscribed. 2025-07-18 18:13:04 (UTC+0)

sbassett added a comment. 2025-08-12 15:56:43 (UTC+0)
Hey all - just wanted to check in and see how the relevant code was progressing here. Thanks.

Jdforrester-WMF added a comment. 2025-08-25 17:50:46 (UTC+0)
In T396486#11078876, @sbassett wrote:
    Hey all - just wanted to check in and see how the relevant code was progressing here. Thanks.
Hi Scott, sorry for the delay. The relevant code (T398987) is just landing now. I've added some very simple top-level instructions to the extension's README, but Geno has a more detailed document for using and testing the system.

sbassett added a comment. 2025-08-26 14:02:50 (UTC+0)
In T396486#11116202, @Jdforrester-WMF wrote:
    Hi Scott, sorry for the delay. The relevant code (T398987) is just landing now. I've added some very simple top-level instructions to the extension's README, but Geno has a more detailed document for using and testing the system.
Ok, thanks. I'll probably start looking at this later this week or early next week.

EMill-WMF subscribed. 2025-09-12 03:39:54 (UTC+0)

sbassett added a comment (edited). 2025-10-03 22:34:00 (UTC+0)
Update: I am giving this an initial risk rating of low as WikifunctionsPFragmentSanitiserTokenHandler.php looks perfectly reasonable to me on its face. I do want to spend a little more time trying to break it, but I'm fairly certain I won't find any serious issues.

sbassett moved this task from In Progress to Waiting on the secscrum board. 2025-10-07 15:44:20 (UTC+0)
Jdforrester-WMF edited projects, added Abstract Wikipedia team (26Q2 (Oct–Dec)); removed Abstract Wikipedia team (26Q1 (Jul–Sep)). 2025-10-09 15:18:37 (UTC+0)
Jdforrester-WMF moved this task from Incoming to In Code review on the Abstract Wikipedia team (26Q2 (Oct–Dec)) board. 2025-10-16 14:07:12 (UTC+0)
sbassett closed this task as Resolved. 2025-10-17 15:19:44 (UTC+0)
sbassett moved this task from Waiting to Our Part Is Done on the secscrum board.
sbassett moved this task from In Progress to Done on the user-sbassett board.
Jdforrester-WMF reopened this task as In Progress. 2025-11-20 17:26:10 (UTC+0)
Jdforrester-WMF moved this task from In Code review to Needs Sign-off on the Abstract Wikipedia team (26Q2 (Oct–Dec)) board.
Jdforrester-WMF closed this task as Resolved. 2025-12-02 16:06:35 (UTC+0)
Sorry, the trigger re-opened this automatically when moving the task. Have removed the trigger.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct.