Change Details

**Project Information ** * Name of tool/project: TemplateStyles / css-sanitizer * Project home page: https://www.mediawiki.org/wiki/Css-sanitizer / https://gerrit.wikimedia.org/g/css-sanitizer/ * Name of team requesting review: #content-transform-team (on behalf of Web team) * Primary contact: @cscott, @Jdlrobson * Target date for deployment: April 22 or so? * Link to code repository / patchset: https://github.com/wikimedia/css-sanitizer/compare/v5.1.0...master * Link to scc output for general sizing of codebases (https://github.com/boyter/scc): {F44676874} **Description of the tool/project: ** The css-sanitizer library is used to sanitizer user-generated CSS code for the TemplateStyles extension. **THIS IS A REQUEST FOR AN INCREMENTAL REVIEW**, focused on the addition of CSS custom properties (https://www.w3.org/TR/css-variables-1/) to css-sanitizer. This was done in a set of patches beginning after release 5.1.0 of css-sanitizer; therefore review of the patches from the 5.1.0 tag to `master` is sufficient. I (@cscott) am requesting the review because although the implementation looks relatively safe to me, I don't have strong confidence that I understand CSS-based attacks well enough to be confident I'm thinking about the right threats. Some additional discussion in T361934#9692764. **Description of how the tool will be used at WMF:** See above; also {T360562} and {T361934}. **Dependencies** wikimedia/utfnormal; wikimedia/scoped-callback **Has this project been reviewed before?** Yes: T133408#2362073 **Working test environment** `composer test` See in particular `testSecurity` in `tests/Sanitizer/SanitizerTest.php` which has a few security-related checks that I came up with. TemplateStyles is live in production, currently at version 5.2.0, but I'm considering backing it down to 5.1.0 (before the custom property support was added) pending the outcome of the security review. **Post-deployment** Web team, @Jdlrobson for the custom properties feature. I think #content-transform-team is technically the maintainers of the TemplateStyles extension and by extension the css-sanitizer library; @cscott is the Tech Lead.

**Project Information ** * Name of tool/project: TemplateStyles / css-sanitizer * Project home page: https://www.mediawiki.org/wiki/Css-sanitizer / https://gerrit.wikimedia.org/g/css-sanitizer/ * Name of team requesting review: #content-transform-team (on behalf of Web team) * Primary contact: @cscott, @Jdlrobson * Target date for deployment: April 22 or so? * Link to code repository / patchset: https://github.com/wikimedia/css-sanitizer/compare/v5.1.0...v5.3.0 * Link to scc output for general sizing of codebases (https://github.com/boyter/scc): {F44676874} **Description of the tool/project: ** The css-sanitizer library is used to sanitizer user-generated CSS code for the TemplateStyles extension. **THIS IS A REQUEST FOR AN INCREMENTAL REVIEW**, focused on the addition of CSS custom properties (https://www.w3.org/TR/css-variables-1/) to css-sanitizer. This was done in a set of patches beginning after release 5.1.0 of css-sanitizer; therefore review of the patches from the 5.1.0 tag to 5.3.0 is sufficient. I (@cscott) am requesting the review because although the implementation looks relatively safe to me, I don't have strong confidence that I understand CSS-based attacks well enough to be confident I'm thinking about the right threats. Some additional discussion in T361934#9692764. **Description of how the tool will be used at WMF:** See above; also {T360562} and {T361934}. This version of css-sanitizer was deployed to mediawiki-vendor on April 23 (https://gerrit.wikimedia.org/r/c/mediawiki/vendor/+/1021567) and so will be live in production starting the week of April 30. **Dependencies** wikimedia/utfnormal; wikimedia/scoped-callback **Has this project been reviewed before?** Yes: T133408#2362073 **Working test environment** `composer test` See in particular `testSecurity` in `tests/Sanitizer/SanitizerTest.php` which has a few security-related checks that I came up with. TemplateStyles is live in production, currently with wikimedia/css-sanitizer at version 5.2.0, but moving to version 5.3.0 on the 1.43.0-wmf.3 train. **Post-deployment** Web team, @Jdlrobson for the custom properties feature. I think #content-transform-team is technically the maintainers of the TemplateStyles extension and by extension the css-sanitizer library; @cscott is the Tech Lead.

**Project Information ** * Name of tool/project: TemplateStyles / css-sanitizer * Project home page: https://www.mediawiki.org/wiki/Css-sanitizer / https://gerrit.wikimedia.org/g/css-sanitizer/ * Name of team requesting review: #content-transform-team (on behalf of Web team) * Primary contact: @cscott, @Jdlrobson * Target date for deployment: April 22 or so? * Link to code repository / patchset: https://github.com/wikimedia/css-sanitizer/compare/v5.1.0...masterv5.3.0 * Link to scc output for general sizing of codebases (https://github.com/boyter/scc): {F44676874} **Description of the tool/project: ** The css-sanitizer library is used to sanitizer user-generated CSS code for the TemplateStyles extension. **THIS IS A REQUEST FOR AN INCREMENTAL REVIEW**, focused on the addition of CSS custom properties (https://www.w3.org/TR/css-variables-1/) to css-sanitizer. This was done in a set of patches beginning after release 5.1.0 of css-sanitizer; therefore review of the patches from the 5.1.0 tag to `master`5.3.0 is sufficient. I (@cscott) am requesting the review because although the implementation looks relatively safe to me, I don't have strong confidence that I understand CSS-based attacks well enough to be confident I'm thinking about the right threats. Some additional discussion in T361934#9692764. **Description of how the tool will be used at WMF:** See above; also {T360562} and {T361934}. This version of css-sanitizer was deployed to mediawiki-vendor on April 23 (https://gerrit.wikimedia.org/r/c/mediawiki/vendor/+/1021567) and so will be live in production starting the week of April 30. **Dependencies** wikimedia/utfnormal; wikimedia/scoped-callback **Has this project been reviewed before?** Yes: T133408#2362073 **Working test environment** `composer test` See in particular `testSecurity` in `tests/Sanitizer/SanitizerTest.php` which has a few security-related checks that I came up with. TemplateStyles is live in production, currently with wikimedia/css-sanitizer at version 5.2.0, but I'm considering backing it down to 5.1.0 (before the custom property support was added) pending the outcome of the security reviewmoving to version 5.3.0 on the 1.43.0-wmf.3 train. **Post-deployment** Web team, @Jdlrobson for the custom properties feature. I think #content-transform-team is technically the maintainers of the TemplateStyles extension and by extension the css-sanitizer library; @cscott is the Tech Lead.