Re-add WikiForum extension

[yaronkoren]

WikiForum was in Canasta at the beginning, but was then removed about a year go (via #355 and #357) because it had gone unmaintained and had several security risks. However, just today this extension was restored back to "Stable" on mediawiki.org, with the comment that "all known issues are addressed". So, should we re-add it?

[labster]

It may be stable but we already found another XSS bug in it. WikiForum has some deep problems.

https://issue-tracker.miraheze.org/T13064#262072

[yaronkoren]

@labster - good to know. Do the WikiForum people know about this?

[yaronkoren]

@labster - can you offer any more information? I don't have a Miraheze account, so I can't see that issue you're pointing to.

[labster]

The details in the task were:

XSS:
http://mw142.icecone.internal/w/index.php?title=Special:WikiForum&wfaction=editcategory&category=1&uselang=x-xss
2025-01-07_20-12.png (1×1 px, 61 KB)

Sources:

https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/WikiForum/+/e0bd65ef5a40526e3d8eeb2f1363e87c080a08dc/includes/WFCategory.php#502
https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/WikiForum/+/e0bd65ef5a40526e3d8eeb2f1363e87c080a08dc/includes/WFCategory.php#513
https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/WikiForum/+/e0bd65ef5a40526e3d8eeb2f1363e87c080a08dc/includes/WFCategory.php#523

Proper fix: Escape the parameters in the function WikiForumGUI::showTopLevelForm(): https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/WikiForum/+/e0bd65ef5a40526e3d8eeb2f1363e87c080a08dc/includes/WikiForumGui.php#289

Maybe @BlankEclair can give more details

Actually I've been working on a major refactor, trying to do nice things like Html::element and ResourceLoader, but I haven't even been able to get my first commit merged, so it might end up becoming a fork.