Thanks for taking a look. Looking at CheckMatrixWidget.php , it looks to be using OOUI ? If that isn't the case I can add to my feature branch. Which extensions should be updated? I am happy to take that on if it is in scope for this ticket.

Also:

• https://gerrit.wikimedia.org/g/mediawiki/core/+/89199dcfe71e4c864cbcd2b1e77d23e19b0013e5/includes/widget/CheckMatrixWidget.php#119
• https://gerrit.wikimedia.org/g/mediawiki/core/+/89199dcfe71e4c864cbcd2b1e77d23e19b0013e5/tests/phpunit/integration/includes/HTMLForm/Field/HTMLRestrictionsFieldTest.php#44

and a couple more things in extensions.

Thanks Gergő. Understood; I would agree with that. After tracing through each result from the regex you provided (thanks), I am only seeing two direct uses of HTMLForm:

Change #1100006 had a related patch set uploaded (by CraigKahle; author: CraigKahle):

[mediawiki/core@master] updating form descriptors to use new 'help-raw' key over 'help' to indicate that it is a raw field.

https://gerrit.wikimedia.org/r/1100006

You should feel free to work on it, I just feel that tag sets wrong expectations. We usually use it for small self-contained changes. Deprecations across the whole codebase aren't really that.

Gergő - I really appreciate the detailed response and advice. With that information, I'm going to give it another shot.

Tagging a parameter migration in one of the most used MediaWiki classes as good first task is a bit ambitious IMO. There are ~50 hits for ('help'|"help")\s+=> in Wikimedia production; someone unfamiliar with the codebase would have to trace every one of those through the call chain until they reach HTMLForm or something that's clearly not using HTMLForm.

In T356971#10366870, @CraigKahle wrote:

The way I'm searching for deprecated usage is: 'help' => wfMessage; if I'm missing something, please let me know.

I added a topic branch to get started on this. Before I continue I wanted to ensure I'm on the right path. I am a new contributor and have a couple of questions:

Change #1099259 had a related patch set uploaded (by CraigKahle; author: CraigKahle):

[mediawiki/core@master] updating form descriptors to use new 'help-raw' key over 'help' to indicate that it is a raw field.

https://gerrit.wikimedia.org/r/1099259

I could take this on. The way I'm searching for deprecated usage is: 'help' => wfMessage; if I'm missing something, please let me know. Cheers and happy Thanksgiving for those who celebrate.

Thanks!

In T379677#10332098, @matmarex wrote:

Resolved now, right? Or are you waiting for the MW release to close this?

Resolved now, right? Or are you waiting for the MW release to close this?

Change #1090551 merged by jenkins-bot:

[mediawiki/extensions/WikibaseMediaInfo@master] Avoid unnecessary use of RawHtmlMessages

https://gerrit.wikimedia.org/r/1090551

Pushed as https://gerrit.wikimedia.org/r/c/mediawiki/extensions/ConfirmEdit/+/1090816

In T379677#10314397, @Tgr wrote:

T379677.patch1 KBDownload

Change #1090551 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/WikibaseMediaInfo@master] Avoid unnecessary use of RawHtmlMessages

https://gerrit.wikimedia.org/r/1090551

Change #1085432 merged by jenkins-bot:

[mediawiki/extensions/StopForumSpam@master] Remove stopforumspam-is-blocked message from RawHtmlMessages array

https://gerrit.wikimedia.org/r/1085432

Change #1085432 had a related patch set uploaded (by SBassett; author: SBassett):

[mediawiki/extensions/StopForumSpam@master] Remove stopforumspam-is-blocked message from RawHtmlMessages array

https://gerrit.wikimedia.org/r/1085432

In T377222#10279264, @Tgr wrote:

In T377222#10279189, @sbassett wrote:

It still has <strong> tags and is parsed due to the wikitext links. I guess one could argue that the <strong> tags are superfluous.

But it's parsed so it's safe HTML, not raw HTML.

In T377222#10279189, @sbassett wrote:

It still has <strong> tags and is parsed due to the wikitext links. I guess one could argue that the <strong> tags are superfluous.

In T377222#10278803, @Tgr wrote:

• stopforumspam-is-blocked (20bb7d1d - seems wrong? the message is not actually HTML)

The copyright footer is not shown on Special:UserLogin, nor (as far as I can tell) on any other page that has JS disabled;

Raw HTML messages not listed in T377222#10241289 but found by codesearch:

• stopforumspam-is-blocked (20bb7d1d - seems wrong? the message is not actually HTML)
• donate_interface-otherways (it's a Wikimedia-specific extension, only used on a very locked down wiki, so probably fine? still, seems easy to replace)
• wikibasemediainfo-time-timestamp-formatted (96e5a07e - no good reason for it to use raw HTML)

HTML in copyright messages is a legacy feature at this point. I don't think it makes sense to expend any effort on sanitizing it when security-conscious installations can just disable it.
(We should probably make it default to disabled in the next release, though.)

A related thought I had today: do we disable raw HTML messages on Special:UserLogin and related pages? Because not loading user or site scripts on those special pages is a security feature, I believe (we don’t want to let interface admins steal user’s passwords).

In theory since T45646: "MediaWiki:Copyright" message allows raw HTML we haven't been using most of these messages in Wikimedia production. $wgAllowRawHtmlCopyrightMessages (already false) should disable all the copyright-related ones (in favor of wikimedia-copyright-footer etc) except the MobileFrontend one which is not raw HTML anymore (fe15e9c776). googlesearch is unreachable. gadgets-definition is irrelevant. That leaves the various non-copyright mobile-frontend-* messages. Probably we can just fix those?

Hall of fame update deployed: codfw, eqiad.

Change #1082089 merged by Mmartorana:

[operations/deployment-charts@master] Update miscweb: security-landing-page to latest image tag

https://gerrit.wikimedia.org/r/1082089

Sure, fine by me.

Change #1082089 had a related patch set uploaded (by SBassett; author: SBassett):

[operations/deployment-charts@master] Update miscweb: security-landing-page to latest image tag

https://gerrit.wikimedia.org/r/1082089

In T377222#10248420, @Bawolff wrote:

Also this seems more like a feature request than a security issue. Maybe this should be made public so a broader group can comment on it.

Also this seems more like a feature request than a security issue. Maybe this should be made public so a broader group can comment on it.

I feel like safemode would be difficult to use as a security feature. Its not sticky, users would have to manually type in the url of every page. edit: appearently this is a user preference now, which maybe changes things with regards to how much it makes sense as a security feature.

In T377222#10243566, @sbassett wrote:

@Lucas_Werkmeister_WMDE - Is this more about the convenience of having a query param to disable certain messages or is it more about trying to expand the security posture of safemode as @Krinkle alluded to? The former would likely have a simple solution, but I'd probably agree that, if it were to be implemented, it should never be enabled in Wikimedia production.

mmartorana merged https://gitlab.wikimedia.org/repos/sre/miscweb/security-landing-page/-/merge_requests/6

I can't reproduce any of the problems today.