
VisualEditor: Broken OpenODBC browser plugin causes "application/iodbc" to be injected into the page
Closed, Resolved, Public

Description

I had OpenODBC's iODBC plugin installed in Safari (latest release, always). After any edit, EMBED tags would be inserted at the top and bottom of the article. This did not occur with the source editor, or any other editable widget, like this one I'm typing in now.


Version: unspecified
Severity: minor
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=51423

Details

Reference
bz51521

Event Timeline

bzimport raised the priority of this task from to Low. Nov 22 2014, 2:08 AM
bzimport set Reference to bz51521.

Have you reported this upstream (i.e., to the author of the extension)? I don't think it's VE's fault, although I've seen similar stuff with another extension (FoxLingo):
[[m:en:Wikipedia:VisualEditor/Feedback/Archive_2013_07#Inserting_weird_script_tag_stuff]].

Actually, might be a more general bug, as these diffs have many similarities. I wonder if any other browser extensions do this.

Actually my post over on the Village Pump *appears* to have turned up several other examples of plugins having the same problem. Not much more I can add though...

http://en.wikipedia.org/wiki/Wikipedia:Village_pump_(technical)

Look for "Is this me or the editor?" (I can't get the section link to work)

Have you reported it to the author yet?

It is adding
<embed type="application/iodbc" width="0" height="0" />

wikipedia wrote:

From my understanding, using this bug targetedly it is possible for Browser Add-Ons to insert malicious code in Wikipedia pages. The Wikipedia user will not even notice. I put importance to "immediate", in case I'm wrong please undo my change.

(In reply to comment #5)

From my understanding, using this bug targetedly it is possible for Browser Add-Ons to insert malicious code in Wikipedia pages. The Wikipedia user will not even notice. I put importance to "immediate", in case I'm wrong please undo my change.

embed is not one of the allowed html tags when $wgRawHtml is disabled, so the embed tag is escaped as a security measure. No malicious injection is possible via this bug.

The now archived discussion is
https://en.wikipedia.org/wiki/Wikipedia:Village_pump_%28technical%29/Archive_114#Is_this_me_or_the_editor.3F

Examples:
https://en.wikipedia.org/w/index.php?title=The_Road_%282009_film%29&diff=prev&oldid=563739949
https://en.wikipedia.org/w/index.php?title=The_Road_%282009_film%29&diff=prev&oldid=564586766
https://en.wikipedia.org/w/index.php?title=Informix_Wingz&diff=prev&oldid=564587579

You could write an AbuseFilter to prevent edits like this. This is not VE's fault. There is a problem with the extension. Has anyone notified the author of said extension?

"This is not VE's fault."

I am not at all certain of this. This problem ONLY occurs in VE. It does not occur in the source editor, or any other text editor across the whole wide web.

Something in VE is triggering this plugin to insert code. The plugin and the code it's inserting are perfectly valid.

PiRSquared17 is right. This is not VE's fault. It only occurs in VE because of the way it sets up the editing area, which your plugin doesn't recognise as not to touch.

No and no.

This is now assigned to James Forrester. Will a special test for this specific text be added? What can be done to fix this bug? Seems more like an upstream issue IMHO.

(In reply to PiRSquared17 from comment #10)

This is now assigned to James Forrester.

No it isn't. Above line clearly says:

Assigned To: VE team bugs – take if you're interested!

Can't see a link to a bug filed upstream -> rm upstream keyword

Change 163961 had a related patch set uploaded by Alex Monk:
Remove certain blacklisted elements when getting HTML from document

https://gerrit.wikimedia.org/r/163961

Change 163961 merged by jenkins-bot:
Remove certain blacklisted elements when getting HTML from document

https://gerrit.wikimedia.org/r/163961
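As an added example (not VisualEditor's code and not the Gerrit change above), this is the approach the merged change describes: remove a blacklist of plugin-injectable elements from the editable document's tree before its HTML is serialised for saving. It is written against the standard DOM Node interface (nodeType, nodeName, childNodes, removeChild) and includes a minimal stand-in node so it runs outside a browser; the blacklist contents and the sample article are assumptions constructed for the example.

```javascript
// Elements a browser plugin could leave behind in a contenteditable area.
// Assumed list for this example; VE's actual blacklist may differ.
const BLACKLISTED_ELEMENTS = new Set(['EMBED', 'OBJECT', 'APPLET', 'SCRIPT', 'IFRAME']);

// Walk the tree and drop blacklisted elements (and their subtrees).
// Returns the number of elements removed so callers can log or flag it.
function removeBlacklistedElements(root) {
  let removed = 0;
  // Snapshot first: removing from a live NodeList while iterating skips siblings.
  for (const child of Array.from(root.childNodes)) {
    if (child.nodeType === 1 && BLACKLISTED_ELEMENTS.has(child.nodeName.toUpperCase())) {
      root.removeChild(child);
      removed += 1;
    } else {
      removed += removeBlacklistedElements(child);
    }
  }
  return removed;
}

// Minimal stand-in for DOM nodes so the example runs in Node.js (constructed).
function element(name, attrs = {}, children = []) {
  const node = { nodeType: 1, nodeName: name.toUpperCase(), attrs, childNodes: [], parentNode: null };
  node.removeChild = (child) => {
    const i = node.childNodes.indexOf(child);
    if (i === -1) throw new Error('not a child of this node');
    node.childNodes.splice(i, 1);
    child.parentNode = null;
    return child;
  };
  for (const c of children) { c.parentNode = node; node.childNodes.push(c); }
  return node;
}
function text(data) { return { nodeType: 3, nodeName: '#text', data, childNodes: [] }; }

// Serialise the stand-in tree back to HTML (attribute values here contain no quotes).
function serialize(node) {
  if (node.nodeType === 3) return node.data;
  const tag = node.nodeName.toLowerCase();
  const attrs = Object.entries(node.attrs).map(([k, v]) => ` ${k}="${v}"`).join('');
  return `<${tag}${attrs}>${node.childNodes.map(serialize).join('')}</${tag}>`;
}

// Constructed sample: an article body as the plugin left it, with the tag
// quoted in the report at the top and bottom.
function sampleDocument() {
  const embed = () => element('embed', { type: 'application/iodbc', width: '0', height: '0' });
  return element('body', {}, [embed(), element('p', {}, [text('Article text.')]), embed()]);
}

function cleanedHtml() {
  const body = sampleDocument();
  const removed = removeBlacklistedElements(body);
  return { removed, html: serialize(body) };
}
```

The same function runs unchanged on a real `document.body`, since it only uses properties every DOM Node exposes.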