Page MenuHomePhabricator
Create Task
Maniphest T360497

Remove "<a href" from licensing messages in WikimediaMessages
Closed, ResolvedPublicBUG REPORT
Actions

Description

In the WikimediaMessages extension, I've found seven messages that deal with licenses and include <a href:

  1. wikimedia-copyright
  2. wikimedia-commons-copyright
  3. mediawiki.org-copyright
  4. wikidata-copyright
  5. wikifunctions-site-footer-copyright
  6. wikifunctions-edit-copyrightwarning-function
  7. wikifunctions-edit-copyrightwarning-implementation

(There's also readinglists-import-app-with-link, but there's a separate task for it: T360394.)

Translations of messages with <a href have to be manually reviewed when they are imported from translatewiki to Gerrit, which is time-consuming for the translatewiki maintainers and error-prone, too. It would be nice to get rid of them.

I don't know what's the reason for using <a href and not the common MediaWiki external or internal links there. I guess it has something to do with the special way in which copyright messages are parsed, but I don't know the details. With my naïve git blame skills, I found this patch from 2009 by @bvibber in WikimediaMessages, but the actual reason for the need for <a href is probably even older.

I am tagging a few people who appear to have been involved with maintaining those things in WikimediaMessages over the years, but perhaps you have a better idea of someone to ask. It would be really nice to get rid of those and switch to using something more standard and secure. Thanks to anyone who can help with this. <3

Related Objects
Search...

Event Timeline

Amire80 created this task.Mar 20 2024, 2:34 AM
Varnent added a comment.Mar 20 2024, 6:49 PM

I am not familiar with the origin story - and my hunch is the capabilities of the system messages has evolved over the years. My experience with system messages is far less technical than others and more admin-based experience. With that experience in mind, I have certainly seen (as recently as today) a mix usage of interwiki and external link setups used pretty interchangeably across (I think) each of these messages. I would look to engineers for more official technical answer, but observationally it appears that either route is today supported in system messages such than updates would be useful. You can see a smattering of how local wikis have modified these messages (and used a mix of link types) with Global Search, example: Wikimedia-copyright.

Also, thank you for your work on this. I empathize with the need to do some historical digging to sort out capabilities of these messages, and appreciate your efforts to get things more synced up and "modernized".

Nikerabbit moved this task from Backlog to Synchronization on the affects-translatewiki.net board.Mar 20 2024, 7:38 PM
Reedy added a subscriber: csteipp.Mar 20 2024, 7:39 PM

T45646: "MediaWiki:Copyright" message allows raw HTML seems relevant here (still open from Jan 2013), at least as the underlying issue. Which resulted in https://www.mediawiki.org/wiki/Manual:$wgRawHtmlMessages being added into 1.32.

In T45646#495500, @csteipp wrote:

For this specific issue, Skin::getCopyright does send the message through the parser, so I think the only reason not to use wikitext is the rel="license" attributes on the links, right? That shouldn't be too difficult to solve.

Quite a lot of history in there!

Restricted Application added a subscriber: jhsoby. · View Herald TranscriptMar 20 2024, 7:39 PM
Reedy added a comment.Mar 20 2024, 7:44 PM

And https://gerrit.wikimedia.org/r/c/mediawiki/core/+/449689 was an attempt at a fix for this, just never got reviewed/merged

Reedy added a subtask: T45646: "MediaWiki:Copyright" message allows raw HTML.Mar 20 2024, 7:44 PM
Amire80 added a comment.Mar 22 2024, 4:10 PM
In T360497#9647226, @Reedy wrote:

T45646: "MediaWiki:Copyright" message allows raw HTML seems relevant here (still open from Jan 2013), at least as the underlying issue. Which resulted in https://www.mediawiki.org/wiki/Manual:$wgRawHtmlMessages being added into 1.32.

In T45646#495500, @csteipp wrote:

For this specific issue, Skin::getCopyright does send the message through the parser, so I think the only reason not to use wikitext is the rel="license" attributes on the links, right? That shouldn't be too difficult to solve.

Quite a lot of history in there!

Um... is rel="license" really the only reason?

I see that the English Wikipedia uses it locally. Is it actually useful there?

If it's useful there, why don't all the wikis and languages use it?

And if it's not useful, can we remove it, and then remove the raw HTML? :)

Amire80 mentioned this in T45646: "MediaWiki:Copyright" message allows raw HTML.Mar 29 2024, 9:45 PM
sbassett subscribed.Apr 1 2024, 4:21 PM
In T360497#9654513, @Amire80 wrote:

If it's useful there, why don't all the wikis and languages use it?

And if it's not useful, can we remove it, and then remove the raw HTML? :)

I don't think there's a singular voice who could unilaterally make that call. What most likely needs to happen is a public gerrit patch that removes the html and solicits concerns via code review.

Pginer-WMF edited projects, added Language-Team (Language-2024-April-June); removed Language-Team (Language-2024-January-March).Apr 5 2024, 10:08 AM
Bawolff subscribed.EditedApr 12 2024, 7:47 PM

I think the better solution would be to just make MW generate the rel link. HTML should not be in messages, but that doesn't mean we shouldn't use it all.

I'm fairly sure that this message is raw html for historical reasons and the microformat stuff was added later.

That said, is the review really that problematic? The text of these messages have legal effect over how the site is licensed. It seems like changes to them would be something we would want to review carefully for legal reasons.

Amire80 added a comment.Apr 12 2024, 8:00 PM
In T360497#9710886, @Bawolff wrote:

That said, is the review really that problematic? The text of these messages have legal effect over how the site is licensed. It seems like changes to them would be something we would want to review carefully for legal reasons.

The review is a time-consuming step of a process that should be mostly automatic. And the considerations of security and correctness are not really working here: in the current situation, it's practically always a false positive, which makes the review not only time-consuming, but also pointless.

If there was actually a serious chance that the review could catch real problems with security or functionality, it would be justified. But currently, the only reason seems to be that these messages allow <a href in the first place. And if the only reason for allowing <a href is the need to use rel=, then it requires fixing: either making a different way to add rel= if it's truly needed, or removing the raw HTML support entirely.

MaryMunyoki edited projects, added Language-Technical Support; removed Language-Team (Language-2024-April-June), Language-Technical Support (Language-Technical Support (Current)).May 15 2024, 2:49 PM
MaryMunyoki edited projects, added LPL Onboarding and Development; removed Language-Technical Support.Jun 27 2024, 12:31 PM
srishakatux added a parent task: T368772: Language Support at Wikimania Hackathon 2024.Jul 17 2024, 4:54 PM
srishakatux added a project: Wikimania-Hackathon-2024.
srishakatux moved this task from Backlog to Hacking Projects on the Wikimania-Hackathon-2024 board.
srishakatux mentioned this in T368772: Language Support at Wikimania Hackathon 2024.Jul 25 2024, 6:07 AM
MaryMunyoki moved this task from Backlog to Incoming Requests on the LPL Onboarding and Development board.Sep 18 2024, 8:03 PM
matmarex claimed this task.Sep 26 2024, 6:38 PM
matmarex added projects: SUL3, MediaWiki-Platform-Team.
matmarex added a parent task: T375789: Replace on-wiki raw HTML overrides for "MediaWiki:Copyright" etc. and set $wgAllowRawHtmlCopyrightMessages = false.
Jdforrester-WMF subscribed.Sep 26 2024, 7:03 PM
matmarex removed a parent task: T375789: Replace on-wiki raw HTML overrides for "MediaWiki:Copyright" etc. and set $wgAllowRawHtmlCopyrightMessages = false.Sep 27 2024, 1:36 PM
matmarex added a subtask: T375882: Wikifunctions "copyrightwarning" messages allow raw HTML .Sep 27 2024, 1:43 PM
matmarex closed subtask T375882: Wikifunctions "copyrightwarning" messages allow raw HTML as Resolved.Sep 27 2024, 7:09 PM
Tgr moved this task from Inbox, needs triage to In progress on the MediaWiki-Platform-Team board.Sep 30 2024, 10:05 AM
Tgr moved this task from Backlog to In progress on the SUL3 board.Oct 1 2024, 12:54 PM
matmarex closed subtask T45646: "MediaWiki:Copyright" message allows raw HTML as Resolved.Oct 2 2024, 3:58 PM
matmarex closed this task as Resolved.Oct 4 2024, 5:36 PM

All subtasks resolved.

Amire80 added a comment.Oct 4 2024, 6:22 PM
In T360497#10203278, @matmarex wrote:

All subtasks resolved.

❤️ ❤️ ❤️ ❤️ ❤️

srishakatux awarded a token.Oct 4 2024, 10:15 PM
matmarex reopened subtask T45646: "MediaWiki:Copyright" message allows raw HTML as Open.Oct 14 2024, 11:23 PM
matmarex closed subtask T45646: "MediaWiki:Copyright" message allows raw HTML as Resolved.Oct 15 2024, 2:46 PM
MaryMunyoki moved this task from Incoming Requests to Current on the LPL Onboarding and Development board.Apr 16 2025, 6:09 PM
MaryMunyoki edited projects, added LPL Onboarding and Development (Current); removed LPL Onboarding and Development.
MaryMunyoki moved this task from Incoming Requests to Done (Q2 2024-25) on the LPL Onboarding and Development (Current) board.May 6 2025, 9:36 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits