InputBox extension not producing valid XHTML
Closed, ResolvedPublic
Actions

Assigned To

None

Authored By

	• bzimport
	Jan 27 2007, 7:32 PM

Description

Author: buzz

Description:
The input box does not produce xhtml strict markup. Attached is a patch
which removes the tables, stops mediawiki inserting <p></p> into the form
and breaking validation and a conversion of the bgcolor="" to style="" and
allowing styles to be passed into the extension.

I read on another bug that my style change could lead to a cross site
javascript vulnerability? But wouldn't this also be the case for bgcolor?

Anyway.. this patch works for me. Feel free to improve any potential
problems

Version: unspecified
Severity: normal
OS: other
Platform: Other

Details

Reference: bz8795

Event Timeline

• bzimport raised the priority of this task from to Medium.Nov 21 2014, 9:33 PM

• bzimport added a project: MediaWiki-extensions-InputBox.

• bzimport set Reference to bz8795.

• bzimport added a subscriber: Unknown Object (MLST).

• bzimport created this task.Jan 27 2007, 7:32 PM

buzz wrote:

Patch for inputbox

Attached:

inputbox.diff4 KBDownload

MediaWiki does not use XHTML Strict, but Transitional.

ayg wrote:

Unquoted attributes aren't valid there, either (indeed, IIRC they aren't even valid in HTML 4
except for numbers). The rest of the patch is still INVALID, though.

By the way, the issue with allowing arbitrary style on elements is that IE will accept
JavaScript in CSS, as I understand it. It also allows offsite background-images, which we tend
to frown on in MediaWiki.

ayg wrote:

Should be valid XHTML Transitional as of r19729.

	F3606: inputbox.diff
	Nov 21 2014, 9:33 PM

InputBox extension not producing valid XHTMLClosed, ResolvedPublicActions

Description

Details

Event Timeline

InputBox extension not producing valid XHTML
Closed, ResolvedPublic
Actions