[02:22:34] <Krinkle>	 Reedy: nice idea, I'll add a structure test for content hash to discourage future changes.
[12:48:12] <MatmaRex>	 i've been reviewing copyright messages for https://phabricator.wikimedia.org/T375789, and here's my favorite find so far: https://de.wiktionary.org/w/index.php?title=MediaWiki:Wikimedia-copyright&action=edit
[13:29:36] <Krinkle>	 "/wiki/{{UCFIRST:{{PAGENAME}}}}" is frightening
[13:29:41] <Krinkle>	 given raw HTML
[13:30:33] <Krinkle>	 It helps that < is invalid in page titles, and the #if condtion asserts existence
[13:37:09] <tgr|away>	 It's still just one unnoticed page creation away from a hover XSS
[13:38:04] <tgr|away>	 though I guess it would only work on that weirdly named page so not very serious
[13:40:34] <tgr|away>	 not sure if there is any technique these days to have JS executed on load from an injected attribute, that would have some real-world abuse potential
[13:42:54] <MatmaRex>	 ugh, you're right, i didn't even think of that
[13:43:23] <MatmaRex>	 i'll do something about this
[13:44:55] <tgr|away>	 wow that's horrible, they use it to generate a top-of-the-page notice (moved by JS I guess?)
[13:45:37] <tgr|away>	 nvm, I got confused
[13:45:47] <tgr|away>	 not sure where it shows up then, though
[13:46:03] <tgr|away>	 something like https://de.wiktionary.org/wiki/Gut should show a link in theory?
[13:46:39] <Lucas_WMDE>	 tgr|away: yes, „Abrufstatistik“ at the very bottom
[13:46:45] <Lucas_WMDE>	 between „Letzte Änderung“ and „Der Text ist unter…“
[13:47:55] <MatmaRex>	 yes, the "Siehe auch" at the top comes from that message
[13:48:22] <MatmaRex>	 but it's reformatted by JS, the absolute positioning styles look like they may have worked on MonoBook
[13:50:51] <Lucas_WMDE>	 it looks alright to me in (non-2022) vector too
[13:50:59] <Lucas_WMDE>	 but yeah in vector-2022 it’s terrible
[13:51:04] <MatmaRex>	 hmm, it looks like {{PAGENAME}} actually escapes " as HTML entity, so there's probably no XSS in that code
[14:06:58] <tgr|away>	 good to know, thanks for checking
[14:08:24] <MatmaRex>	 (my test case was a page titled `Test" onmouseover="alert(); //`)
[14:21:29] <Krinkle>	 (from tech discussion meeting) Examples of `yield` in our code bases: https://codesearch.wmcloud.org/deployed/?q=yield.*%3D%3E&files=phpunit&excludeFiles=&repos=
[14:21:36] <Krinkle>	 in phpunit context, that is.
[14:22:58] <Lucas_WMDE>	 `yield` is awesome for data providers 👍
[14:54:12] <Krinkle>	 MatmaRex: yep, just noticed the same. The quote ends up html escaped in the attribute value. And, this doesn't break #ifeq because ParserFunctions calls  decodeTrimExpand / Sanitizer::decodeCharReferences.
[14:55:04] <Krinkle>	 i.e. opposite of wfEscapeWikiText