[09:44:42] <impartial-just>	 Is there a difference between ‘ ' in PHP?
[09:45:03] <Firefly_wp>	 There is in most languages - use the straight quotes, not the fancy curly ones
[09:47:39] <impartial-just>	 Thanks
[16:35:11] <legoktm>	 and backticks (https://www.php.net/manual/en/language.operators.execution.php) mean you want to shell out >.>
[16:41:05] <Firefly_wp>	 Which, by the way, you should almost never do!
[16:41:10] <Firefly_wp>	 :P
[16:42:19] <klausman>	 What you want is eval `$USER_INPUT`
[16:43:27] <Firefly_wp>	 Pls no
[16:47:46] * AntiComposite watches klausman get tackled by WMF Security
[16:48:48] <Lucas_WMDE>	 I was gonna say, I sure hope we have a PHPCS rule forbidding `backticks`
[16:49:34] <Firefly_wp>	 I hope you have shell_exec() disabled entirely!!
[17:17:37] <legoktm>	 Lucas_WMDE: we do :)
[17:17:50] <Lucas_WMDE>	 yay :)
[17:18:16] <Reedy>	 We use shell_exec() sparlingly
[17:18:39] <Lucas_WMDE>	 yeah, I saw the mw core .phpcs config has two exceptions for maintenance scripts that use it
[17:27:37] * Zppix tackles klausman 
[17:58:46] <Jdlrobson>	 I was surprised to see that ur.wikipedia.org loads code for addthis.com
[17:59:03] <Jdlrobson>	 There's a gadget that defaults to on for all logged in users
[17:59:06] <Jdlrobson>	 Is that not against our privacy policy, or is it assumed if you are logged in then the policy doesn't apply?  https://ur.wikipedia.org/wiki/%D9%85%DB%8C%DA%88%DB%8C%D8%A7%D9%88%DB%8C%DA%A9%DB%8C:Gadget-sharebox.js
[17:59:32] <Jdlrobson>	 https://ur.wikipedia.org/wiki/%D9%85%DB%8C%DA%88%DB%8C%D8%A7%D9%88%DB%8C%DA%A9%DB%8C:Gadgets-definition
[17:59:46] <Zppix>	 no expert but i would think so
[17:59:57] <Firefly_wp>	 Why would it need to load that?
[18:00:30] <Zppix>	 yeah i think that needs to be disabled probably
[18:00:43] <Zppix>	 i dont even feel comfortable being on urwiki 
[18:00:46] <Zppix>	 now
[18:03:36] <legoktm>	 Jdlrobson: it's a violation of our privacy policy, yes
[18:04:28] <Zppix>	 how did they manage it to get enabled for all logged in users
[18:04:38] <Zppix>	 isnt that something that has to be done in wmf-config
[18:05:43] <Reedy>	 No
[18:06:44] <Jdlrobson>	 legoktm: thanks for clarifying. There are a few other wikis loading it but not sure if it's default-on
[18:06:55] <Jdlrobson>	 i only noticed because it's throwing errors in our error logging tracking
[18:07:54] <legoktm>	 it should also be tripping the CSP error logging
[18:35:59] <Jdlrobson>	 do i need to report this anywhere?
[18:50:42] <AntiComposite>	 https://phabricator.wikimedia.org/T230124
[18:56:38] <bd808>	 I don't see sharebox being loaded by default on urwiki, at least for my account. There are many other default gadgets on urwiki, but that one appears to be opt-in
[18:57:09] <Jdlrobson>	 bd808: it seems to depend on user rights.
[18:57:48] <bd808>	 The definition of "sharebox[ResourceLoader|rights=createpage]|sharebox.js" does not include the "default" flag
[18:58:00] <bd808>	 ah... but rights
[18:59:30] <AntiComposite>	 rights=createpage
[18:59:32] <bd808>	 per docs, that flag means "Make the gadget available (and visible in preferences) only to users who have the specified privileges."
[19:00:17] <AntiComposite>	 that would make it functionally a noop, because Special:ListGroupRights says (all) has `createpage`