[Bug 35820] [CSS] Some CSS stripped by MediaWiki parser CSS sanitizer

2014-09-12 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=35820

--- Comment #6 from Quim Gil  ---
A new round of FOSS OPW is coming. Should we keep
https://www.mediawiki.org/wiki/Mentorship_programs/Possible_projects#Allowing_3rd_party_wiki_editors_to_run_more_CSS_features
as a featured project? Meaning, does this project still make sense and are
there mentors still available?

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
___
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l


[Bug 35820] [CSS] Some CSS stripped by MediaWiki parser CSS sanitizer

2013-12-13 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=35820

MZMcBride  changed:

What     | Removed                                              | Added
CC       |                                                      | b...@mzmcbride.com
See Also | https://bugzilla.wikimedia.org/show_bug.cgi?id=57891 |

--- Comment #5 from MZMcBride  ---
Bug 57891 is not an appropriate "see also"; removing.



[Bug 35820] [CSS] Some CSS stripped by MediaWiki parser CSS sanitizer

2013-12-13 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=35820

Bawolff (Brian Wolff)  changed:

What | Removed | Added
CC   |         | bawolff...@gmail.com

--- Comment #4 from Bawolff (Brian Wolff)  ---

> There are good reasons for the parser to strip some CSS out, but in addition
> to documenting this issue (which this bug does, and I'll do in the extension
> docs in a moment), it should be configurable whether the CSS extension lets
> the parser sanitize, for example, when used on private wikis.

The reason the sanitizer doesn't let that through is that we don't want people
to be able to load external resources from inline CSS:
* This could in theory be used as a DoS attack against somebody else if someone
  put it on a popular page.
* It can be used to track users, and associate usernames with IP addresses
  (i.e. have {{REVISIONUSER}} in the query string of the external resource).

(There could be other reasons. Those two are just the two I know about.)



[Bug 35820] [CSS] Some CSS stripped by MediaWiki parser CSS sanitizer

2013-12-13 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=35820

Quim Gil  changed:

What     | Removed | Added
See Also |         | https://bugzilla.wikimedia.org/show_bug.cgi?id=57891



[Bug 35820] [CSS] Some CSS stripped by MediaWiki parser CSS sanitizer

2013-10-31 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=35820

--- Comment #3 from Chris Steipp  ---
(In reply to comment #1)
> "The CSS extension relies on basic blacklisting functionality in MediaWiki
> core to prevent XSS. It would be great if a proper CSS parser [1] was
> integrated and a set of whitelists implemented to offer various levels of
> capability/protection trade-offs.

This sounds like a great project. I'd recommend looking at HTML Purifier's CSS
rules as well, which would be great to integrate into either the extension, or
core's CSS sanitization.

> [1] https://github.com/sabberworm/PHP-CSS-Parser



[Bug 35820] [CSS] Some CSS stripped by MediaWiki parser CSS sanitizer

2013-10-30 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=35820

--- Comment #2 from Quim Gil  ---
This project proposal is now featured at
https://www.mediawiki.org/wiki/Outreach_Program_for_Women/Round_7



[Bug 35820] [CSS] Some CSS stripped by MediaWiki parser CSS sanitizer

2013-04-01 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=35820

shondhi...@rocketmail.com changed:

What | Removed | Added
CC   |         | shondhi...@rocketmail.com


[Bug 35820] [CSS] Some CSS stripped by MediaWiki parser CSS sanitizer

2013-03-24 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=35820

Quim Gil  changed:

What | Removed | Added
CC   |         | cste...@wikimedia.org, q...@wikimedia.org

--- Comment #1 from Quim Gil  ---
There is a proposal to improve Extension:CSS at

http://www.mediawiki.org/wiki/Mentorship_programs/Possible_projects#Improve_Extension:CSS

Pasting the part related to security to get more feedback:

"The CSS extension relies on basic blacklisting functionality in MediaWiki core
to prevent XSS. It would be great if a proper CSS parser [1] was integrated and
a set of whitelists implemented to offer various levels of
capability/protection trade-offs.

For example, some wikis may want all CSS selectors prefixed with
"#mw-content-text" and properties like "position", etc. disabled to limit the
effect of styles to the article content. Other sites may want everything except
XSS-able properties/values."

[1] https://github.com/sabberworm/PHP-CSS-Parser


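The selector scoping and allowlisting proposed in comment #1, together with the external-resource restriction explained in comment #4, as an added example that is not code from MediaWiki, Extension:CSS or any participant in this thread. It uses a regex split rather than the proper CSS parser the proposal asks for, so it handles flat rules only; `SCOPE`, `ALLOWED_PROPS` and `sanitize_css` are hypothetical names and the allowlist is an assumed policy.

```python
import re

# Assumed policy for illustration; all names here are hypothetical.
SCOPE = "#mw-content-text"
ALLOWED_PROPS = {"color", "background", "font-weight", "font-size",
                 "margin", "padding", "border", "text-align"}
# Allowlisted characters only: no "(", quotes, "/", ":" or "\", so url(...)
# and escape sequences can never appear in an accepted value.
SAFE_VALUE = re.compile(r"[a-zA-Z0-9#%.,\s-]+")
SAFE_SELECTOR = re.compile(r"[a-zA-Z0-9_.#\s>+~:-]+")
RULE = re.compile(r"([^{}]+)\{([^{}]*)\}")

# Constructed sample input.
SAMPLE = """
/* constructed sample */
.infobox, h2 { color: #333; position: fixed;
               background: url(https://example.invalid/x.png) }
"""


def sanitize_css(css):
    """Return (clean_css, rejected) for a flat stylesheet (no @-rules)."""
    # Strip comments first so they cannot hide tokens from the checks below.
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.S)
    out, rejected = [], []
    for selectors, body in RULE.findall(css):
        scoped, decls = [], []
        for sel in (s.strip() for s in selectors.split(",")):
            if sel and SAFE_SELECTOR.fullmatch(sel):
                scoped.append(f"{SCOPE} {sel}")  # confine to article content
            else:
                rejected.append(f"selector: {sel}")
        for decl in (d.strip() for d in body.split(";")):
            if not decl:
                continue
            prop, _, value = decl.partition(":")
            prop, value = prop.strip().lower(), value.strip()
            if prop in ALLOWED_PROPS and SAFE_VALUE.fullmatch(value):
                decls.append(f"{prop}: {value}")
            else:
                rejected.append(f"declaration: {decl}")
        if scoped and decls:  # fail closed: emit only fully vetted rules
            out.append(f"{', '.join(scoped)} {{ {'; '.join(decls)} }}")
    return "\n".join(out), rejected


if __name__ == "__main__":
    print(sanitize_css(SAMPLE))
```
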

[Bug 35820] [CSS] Some CSS stripped by MediaWiki parser CSS sanitizer

2013-02-06 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=35820

Andre Klapper  changed:

What     | Removed       | Added
Priority | Unprioritized | Normal
