
Extension:CSS does not sanitize CSS from article pages
Closed, ResolvedPublic

Description

Author: GICodeWarrior

Description:
The extension should add a custom URL parameter to the link and hook into RawPageViewBeforeOutput to sanitize CSS requests with that parameter.

Inline CSS is already sanitized, and "external" files can't/shouldn't be sanitized. However, the same custom URL parameter must be appended to "external" includes so if they are actually referencing wiki pages, they will be sanitized appropriately.

"external" URLs should also be expanded and verified to be inside the base (to prevent "../../").


Version: unspecified
Severity: normal
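As an added illustration of the three checks the description asks for (resolve an "external" include against the wiki base and reject anything that climbs out of it, append a marker parameter so a RawPageViewBeforeOutput hook can tell it must sanitize the response, and the sanitizing itself), here is standalone PHP. It is not code from Extension:CSS or MediaWiki core: the base URL wiki.example.org, the parameter name sanitizecss, the sample includes and the small sanitizeCss() routine are all assumptions made for the example.

```php
<?php
// Added example for this task; not code from Extension:CSS or MediaWiki core.
// The base URL, the parameter name "sanitizecss" and the sample includes
// below are constructed for the illustration.

const BASE_URL = 'https://wiki.example.org/w/';
const SANITIZE_PARAM = 'sanitizecss';

/** Collapse "." and ".." segments of a URL path without touching the filesystem. */
function normalizePath(string $path): string {
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($out);   // popping past the root just leaves an empty stack
            continue;
        }
        $out[] = $seg;
    }
    return '/' . implode('/', $out);
}

/**
 * Resolve an "external" include against BASE_URL. Returns the absolute URL if
 * it stays inside the base directory, or null if it names another scheme or
 * host, or climbs above the base ("../../", also percent-encoded).
 */
function resolveInsideBase(string $href, string $base = BASE_URL): ?string {
    $b = parse_url($base);
    $h = parse_url($href);
    if ($h === false) {
        return null;
    }
    if (isset($h['scheme']) && strcasecmp($h['scheme'], $b['scheme']) !== 0) {
        return null;   // javascript:, data:, ftp:, ...
    }
    if (isset($h['host']) && strcasecmp($h['host'], $b['host']) !== 0) {
        return null;   // other hosts, including protocol-relative "//evil.example/..."
    }
    // Decode percent-encoding first so "%2e%2e/" is seen as "../".
    $path = rawurldecode($h['path'] ?? '');
    if ($path === '' || $path[0] !== '/') {
        $path = rtrim($b['path'], '/') . '/' . $path;   // relative to the base directory
    }
    $path = normalizePath($path);
    $basePath = normalizePath($b['path']);
    $prefix = $basePath === '/' ? '/' : $basePath . '/';
    if ($path !== $basePath && strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;   // escaped the base
    }
    $url = $b['scheme'] . '://' . $b['host'] . $path;
    if (isset($h['query'])) {
        $url .= '?' . $h['query'];
    }
    return $url;
}

/** Append the marker parameter so a RawPageViewBeforeOutput hook knows to sanitize. */
function appendSanitizeParam(string $url, string $param = SANITIZE_PARAM): string {
    return $url . (strpos($url, '?') === false ? '?' : '&') . rawurlencode($param) . '=1';
}

/**
 * Minimal sanitizer of the kind such a hook would apply to wiki-hosted CSS:
 * decode CSS escapes, drop comments, then reject dangerous constructs.
 * A small illustration (assumed here), not the extension's or core's sanitizer.
 */
function sanitizeCss(string $css): string {
    // Undo backslash escapes so "\65 xpression" becomes "expression".
    $css = preg_replace_callback('/\\\\([0-9a-fA-F]{1,6})\s?/', function (array $m): string {
        $c = mb_chr((int) hexdec($m[1]), 'UTF-8');
        return $c === false ? '' : $c;
    }, $css);
    // Drop comments so "exp/**/ression" cannot split a keyword.
    $css = preg_replace('!/\*.*?\*/!s', '', $css);
    $dangerous = [
        '/expression\s*\(/i',
        '/behavior\s*:/i',
        '/-moz-binding\s*:/i',
        '/@import\b/i',
        '/url\s*\(\s*[\'"]?\s*(?:javascript|vbscript|data)\s*:/i',
    ];
    foreach ($dangerous as $re) {
        if (preg_match($re, $css)) {
            return '/* insecure input */';
        }
    }
    return $css;
}

// Constructed sample includes, as an article's <link> href might supply them.
$includes = [
    'index.php?title=MediaWiki:Foo.css&action=raw',  // wiki page: gets the marker, hook sanitizes
    '../w/skins/common/shared.css',                   // inside the base once normalized
    '%2e%2e/%2e%2e/etc/passwd',                       // encoded traversal, escapes the base
    '//evil.example.org/x.css',                       // different host
    'javascript:alert(1)',                            // not http(s)
];
foreach ($includes as $href) {
    $url = resolveInsideBase($href);
    echo str_pad($href, 48), $url === null ? 'REJECTED' : appendSanitizeParam($url), "\n";
}
echo sanitizeCss('a { width: exp/**/ression(alert(1)); }'), "\n";
echo sanitizeCss('a { color: red; }'), "\n";
```

The base check is done on the normalized path rather than by substring match on the raw href, so "../w/skins/..." is accepted while "../../etc/passwd" and its percent-encoded form are rejected; a real hook would read the marker parameter from the request and run the wiki's own CSS sanitizer over the raw page text before output.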

Details

Reference
bz32154

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 12:08 AM
bzimport set Reference to bz32154.

GICodeWarrior wrote:

I also need to turn the inline styles into a link tag to eliminate any injection possibility there.

GICodeWarrior wrote:

Should be taken care of in r103771.

I don't think going through JavaScript would be needed.

GICodeWarrior wrote:

(In reply to comment #3)

I don't think going through JavaScript would be needed.

Care to elaborate?

We have code for CSS sanitizing in other parts of MediaWiki, the CSSMin class is able to remap and datify css urls... I'm not an expert with that part, but I think the needed pieces should be there.