Project Information
- Name of tool/project: TemplateStyles / css-sanitizer
- Project home page: https://www.mediawiki.org/wiki/Css-sanitizer / https://gerrit.wikimedia.org/g/css-sanitizer/
- Name of team requesting review: Content-Transform-Team (on behalf of Web team)
- Primary contact: @cscott, @Jdlrobson
- Target date for deployment: April 22 or so?
- Link to code repository / patchset: https://github.com/wikimedia/css-sanitizer/compare/v5.1.0...v5.3.0
- Link to scc output for general sizing of codebases (https://github.com/boyter/scc):
Description of the tool/project:
The css-sanitizer library is used to sanitize user-generated CSS code for the TemplateStyles extension.
THIS IS A REQUEST FOR AN INCREMENTAL REVIEW, focused on the addition of CSS custom properties (https://www.w3.org/TR/css-variables-1/) to css-sanitizer. This was done in a set of patches beginning after release 5.1.0 of css-sanitizer; therefore review of the patches from the 5.1.0 tag to 5.3.0 is sufficient.
I (@cscott) am requesting the review because although the implementation looks relatively safe to me, I don't have strong confidence that I understand CSS-based attacks well enough to be confident I'm thinking about the right threats. Some additional discussion in T361934#9692764.
Description of how the tool will be used at WMF:
See above; also T360562: CSS sanitizer should support using CSS variables (not setting/creating them) for use in color values in TemplateStyles and T361934: Support CSS variable fallbacks in template styles.
This version of css-sanitizer was deployed to mediawiki-vendor on April 23 (https://gerrit.wikimedia.org/r/c/mediawiki/vendor/+/1021567) and so will be live in production starting the week of April 30.
Dependencies
wikimedia/utfnormal; wikimedia/scoped-callback
Has this project been reviewed before?
Yes: T133408#2362073
Working test environment
composer test
See in particular testSecurity in tests/Sanitizer/SanitizerTest.php which has a few security-related checks that I came up with.
TemplateStyles is live in production, currently with wikimedia/css-sanitizer at version 5.2.0, but moving to version 5.3.0 on the 1.43.0-wmf.3 train.
Post-deployment
Web team, @Jdlrobson for the custom properties feature.
I think Content-Transform-Team is technically the maintainer of the TemplateStyles extension and, by extension, of the css-sanitizer library; @cscott is the Tech Lead.