`Parser::cleanUpTocLine()` does not properly remove all forbidden html elements from the TOC in some edgecases
Closed, ResolvedPublicBUG REPORT
Actions

Assigned To

Authored By

	FO-nTTaX
	Sep 19 2025, 7:46 AM

Description

Steps to replicate the issue (include links if applicable):

Create a page with this content (I realize this is not valid html, I first reproduced this with an image that had a link on it):

__TOC__
==<abbr><abbr></abbr></abbr><abbr><abbr title="abbr title">This is in an abbr</abbr></abbr> Test==

Look at the TOC

What happens?:

_Some_ but not all abbr elements make it into the TOC

What should have happened instead?:

All elements not in $allowedTags inside the function should be removed.

For reference:

$allowedTags = [ 'span', 'sup', 'sub', 'bdi', 'i', 'b', 's', 'strike', 'q' ];

Software version (on Special:Version page; skip for WMF-hosted wikis like Wikipedia):

MediaWiki 1.43.3 on my server, also tested on testwiki at https://test.wikipedia.org/wiki/User:FO-nTTaX

Other information (browser name/version, screenshots, etc.):

I don't think this is security relevant as it still would need to survive the parser and the sanitizer, but it's not the correct behaviour in my opinion.

Details

Related Changes in Gerrit:

Subject	Repo	Branch	Lines +/-
Fix the premature loop exit in Parser.cleanUpTocLine	mediawiki/core	REL1_44	+28 -4
Fix the premature loop exit in Parser.cleanUpTocLine	mediawiki/core	REL1_43	+28 -4
Fix the premature loop exit in Parser.cleanUpTocLine	mediawiki/core	master	+28 -4

Customize query in gerrit

Event Timeline

FO-nTTaX created this task.Sep 19 2025, 7:46 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 19 2025, 7:46 AM

FO-nTTaX updated the task description. (Show Details)Sep 19 2025, 7:51 AM

Change #1190671 had a related patch set uploaded (by Mbergen; author: Mbergen):

[mediawiki/core@master] Fix the premature loop exit in Parser.cleanUpTocLine

https://gerrit.wikimedia.org/r/1190671

gerritbot added a project: Patch-For-Review.Sep 23 2025, 1:23 PM

Change #1190671 merged by jenkins-bot:

[mediawiki/core@master] Fix the premature loop exit in Parser.cleanUpTocLine

https://gerrit.wikimedia.org/r/1190671

ReleaseTaggerBot added a project: MW-1.45-notes (1.45.0-wmf.22; 2025-10-07).Sep 30 2025, 10:00 PM

Maintenance_bot removed a project: Patch-For-Review.Sep 30 2025, 10:31 PM

Following this patch being merged, I can't reproduce the issue described in the task description (either locally or at https://test.wikipedia.org/wiki/User:FO-nTTaX). To confirm, @cscott @mbergen is this bug report now resolved? (if so, should the fix be backported?)

In T405064#11324427, @A_smart_kitten wrote:

Following this patch being merged, I can't reproduce the issue described in the task description (either locally or at https://test.wikipedia.org/wiki/User:FO-nTTaX). To confirm, @cscott @mbergen is this bug report now resolved? (if so, should the fix be backported?)

I consider it resolved, and it would be great if it were backported.

Change #1199841 had a related patch set uploaded (by A smart kitten; author: Mbergen):

[mediawiki/core@REL1_44] Fix the premature loop exit in Parser.cleanUpTocLine

https://gerrit.wikimedia.org/r/1199841

Change #1199842 had a related patch set uploaded (by A smart kitten; author: Mbergen):

[mediawiki/core@REL1_43] Fix the premature loop exit in Parser.cleanUpTocLine

https://gerrit.wikimedia.org/r/1199842

In T405064#11324534, @mbergen wrote:

In T405064#11324427, @A_smart_kitten wrote:

Following this patch being merged, I can't reproduce the issue described in the task description (either locally or at https://test.wikipedia.org/wiki/User:FO-nTTaX). To confirm, @cscott @mbergen is this bug report now resolved? (if so, should the fix be backported?)

I consider it resolved, and it would be great if it were backported.

Thanks! Based on your comment I'm being bold and proposing it for backporting to MW 1.44 & 1.43 (as versions of MediaWiki that are still in support).
I haven't proposed backporting it to MW 1.39, as it looks like the current implementation of Parser::cleanUpTocLine() was introduced in 1.42 (https://gerrit.wikimedia.org/r/1005194), and as - testing locally - it seems like this bug might actually be a regression from that patch.

Change #1199842 merged by jenkins-bot: