Jackmcbarn discovered that abuse of the Cite extension in combination with mw.text.unstrip can allow for cross-invoke communication. The general idea is that data can be set by processing a <ref> tag with an otherwise-unused group, and then retrieved later by processing <references> for that group and parsing the HTML.
Possible fixes:
- Remove mw.text.unstrip. Disadvantage: This is something that was requested relatively frequently by the community to deal with <nowiki> tags, and removing it would likely break various modules and cause many complaints.
- Create a blacklist or whitelist of strip tags for mw.text.unstrip, and use it to disallow "references". Disadvantage: It's a blacklist/whitelist, that has to be maintained somehow.
- Adjust Cite to not include the HTML in the references strip tag, instead put some token that gets replaced in the ParserAfterParse hook. Disadvantage: Requires Cite to do something unusual because of Scribunto.
- Rewrite Cite entirely like Gabriel Wicke wants (see comments on Gerrit change 99792), so it basically reparses the whole page in one of the post-parse hooks to handle <ref> and <references>. Disadvantage: It adds an extra pass to the parser (if not a whole extra parser bolted on), and probably won't interact well with other extensions.
Of these, #3 seems the least bad to me. But maybe someone else has a better idea.
Version: master
Severity: normal