Editors have been banned for using tildes in their signatures (among other things):
https://en.wikipedia.org/wiki/Wikipedia:Requests_for_arbitration/-Ril-#Sig_change
The issue is that if you set your 'fancy' signature to ~~~~ it gets inserted literally in the output, and then the next editor to save the talk page gets *their* signature substituted, causing the evil editor's comments to be misattributed.
Code was added in 2006 to prevent this: 682e6e96e035e95dc44c8f17ce050bb7c16f60e2
But this is ineffective. For example consider the signature ~~{{subst:1x{{subst:1x|{{subst:!}}}}}}~~. This gets expanded on first save to ~~{{subst:1x|}}~~ (the pipe produced by the inner substitution lands in the outer template name, so that call cannot be resolved and is written back out as text), which will then be treated as ~~~~ on a subsequent save (subst is handled before signature insertion, and {{subst:1x|}} expands to nothing).
This isn't really a security bug: we have a policy in place forbidding confusing signatures in general, and the original author is stored in the version history. But it is a case where our attempted sanitization is imperfect.
Dependencies
The patches to meet the "Requirements" described below should NOT be merged until the following tickets are resolved:
- T254613: Post final requirements and implementation plan to proposal page
- T254614: Notify "tech audiences" about signature requirement consultation outcomes
Requirements
- When someone attempts to save a signature that meets the conditions below, prevent the signature from being saved and present a message that explains to people: 1) that their signature cannot be saved as it is currently written, 2) why their signature cannot be saved as it is currently written and 3) what changes they need to make to the signature they have written in order to save it.
- Conditions:
- The signature contains syntax that produces another {{subst:...}} or ~~~... after the substitution (which would be then substituted again when the next user edits the page), as described in T230652#5966006
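The following is an added example, not MediaWiki code: a toy model of the save path described above (subst expansion first, then signature insertion, with the 2006 sanitiser stripping 3-5 tildes from the signature and expanding it once), followed by the check the Requirements ask for. The template stand-ins {{!}} -> "|" and {{1x|text}} -> "text" are assumptions of the model, as are the users Evil and Bob and the timestamps; the parser ignores [[links]], <nowiki> and parser functions and assumes balanced braces.

```python
"""Toy model (added example, not MediaWiki code) of save-time substitution
followed by signature insertion, and a validator for nested substitution."""
import re

# Assumption: a title containing a pipe or brace cannot be resolved.
TITLE_OK = re.compile(r'[^|{}#<>\[\]]+')


def _parse(text, pos=0, inside=False):
    """Build a tree: ('tpl', [name_parts, param_parts, ...]); parts mix str and nodes.
    Outside a template the single part-list is the whole text."""
    args, cur, buf = [], [], []
    while pos < len(text):
        if text.startswith('{{', pos):
            cur.append(''.join(buf)); buf = []
            node, pos = _parse(text, pos + 2, True)
            cur.append(node)
        elif inside and text.startswith('}}', pos):
            cur.append(''.join(buf)); args.append(cur)
            return ('tpl', args), pos + 2
        elif inside and text[pos] == '|':
            cur.append(''.join(buf)); buf = []
            args.append(cur); cur = []
            pos += 1
        else:
            buf.append(text[pos]); pos += 1
    cur.append(''.join(buf)); args.append(cur)
    return ('tpl', args), pos


def _expand(parts):
    return ''.join(p if isinstance(p, str) else _expand_tpl(p) for p in parts)


def _literal(name, params):
    # Unresolvable call: written back out with its (already expanded) name.
    return '{{' + name + ''.join('|' + _expand(p) for p in params) + '}}'


def _expand_tpl(node):
    name = _expand(node[1][0]).strip()   # name comes from the parse tree, so a "|"
    params = node[1][1:]                 # it produces does NOT start a parameter
    if not name.lower().startswith('subst:'):
        return _literal(name, params)    # plain transclusion is untouched on save
    target = name[6:].strip()
    if not TITLE_OK.fullmatch(target):
        return _literal(name, params)    # invalid title such as "1x|": emitted as text
    if target == '!':                    # stand-in for Template:!
        return '|'
    if target == '1x':                   # stand-in for Template:1x
        return _expand(params[0]) if params else ''
    return _literal(name, params)        # unknown template: left as written


def subst(text):
    """One pass of save-time substitution."""
    node, _ = _parse(text)
    return _expand(node[1][0])


def clean_sig(raw):
    """The 2006 sanitiser as modelled: drop runs of 3-5 tildes, expand subst once."""
    return subst(re.sub(r'~{3,5}', '', raw))


def pre_save_transform(text, user, stamp, signatures):
    """subst is handled first; tildes are then replaced in one pass (like strtr)."""
    text = subst(text)
    sig = clean_sig(signatures[user])
    repl = {'~~~~~': stamp, '~~~~': sig + ' ' + stamp, '~~~': sig}
    return re.sub(r'~{3,5}', lambda m: repl[m.group(0)], text)


def nested_subst_error(raw):
    """The check the Requirements ask for: reject a signature whose single
    expansion still contains a subst: call or three or more tildes."""
    once = clean_sig(raw)
    if re.search(r'\{\{\s*subst:', once, re.I) or re.search(r'~{3,}', once):
        return 'Your signature contains nested substitution (e.g. subst: or ~~~~).'
    return None


EVIL_SIG = '~~{{subst:1x{{subst:1x|{{subst:!}}}}}}~~'
SIGNATURES = {'Evil': EVIL_SIG, 'Bob': '[[User:Bob|Bob]]'}   # constructed users


def demo():
    """Evil signs once; Bob's later save re-signs Evil's comment as Bob's."""
    first = pre_save_transform('Support. ~~~~', 'Evil', '10:00', SIGNATURES)
    second = pre_save_transform(first + '\nOppose. ~~~~', 'Bob', '11:00', SIGNATURES)
    return first, second


if __name__ == '__main__':
    for page in demo():
        print(repr(page))
    print(nested_subst_error(EVIL_SIG))
```

Running demo() shows the first save storing ~~{{subst:1x|}}~~ next to Evil's comment and the second save turning it into Bob's signature. nested_subst_error also catches the other shape the condition names, a signature whose expansion yields bare tildes, e.g. {{subst:1x|~{{subst:1x|~}}~~}}, while a single-level {{subst:1x|Eve}} is accepted.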
Testing details
Scenario A
- Visit: https://en.wikipedia.org/wiki/Special:Preferences
- Navigate to the Signature section
- Check the Treat the above as wiki markup box
- Enter a signature like: ~~{{subst:1x{{subst:1x|{{subst:!}}}}}}~~
- Click Save
- Notice the following message appears beneath the Signature: text field: Your signature contains nested substitution (e.g. subst: or ~~~~).
Done
- Patches are written that meet the "Requirements" described above