Page MenuHomePhabricator

Respect $wgAllowImageTag wiki configuration flag in the Sanitizer
Closed, DeclinedPublic

Description

Parsoid doesn't respect the $wgAllowImageTag wiki configuration flag and unconditionally renders image tags as text. This came up in a wikitech-l discussion thread. Since Parsoid already fetches the wiki config, fixing this should simply be a matter of updating the list of whitelisted tags.

Event Timeline

ssastry created this task.Feb 23 2016, 10:05 PM
Restricted Application added subscribers: StudiesWorld, Aklapper. · View Herald TranscriptFeb 23 2016, 10:05 PM

Looks like wgAllowImageTag is not exported in the wikiconfig. So, this is a bit more involved than being simply a Parsoid-side omission.

Arlolra triaged this task as Low priority.Apr 12 2016, 10:53 PM

What would be involved in making this fix?

For the last year I've had to modify Parsoid manually to make external images show.

In WikitextConstants.js line 302 there's JSUtils.deepFreeze(WikitextConstants);. I've been adding a line like WikitextConstants.Sanitizer.TagWhiteList.add( "IMG" ); above that.

Is there a cleaner way I can do this, such that I don't have to modify Parsoid? Somewhere I can make a similar change in a config file like localsettings.js?

@Jamesmontalvo3 The first step is described in T127884#2058682. There needs to be a patch to MediaWiki's action api to expose that setting in a siteinfo request.

Something like, https://github.com/wikimedia/mediawiki/commit/2c5550781472f65c09a884f50eb5aaa47250d572

Like this?

$ git diff
diff --git a/includes/api/ApiQuerySiteinfo.php b/includes/api/ApiQuerySiteinfo.php
index a08740a..2907089 100644
--- a/includes/api/ApiQuerySiteinfo.php
+++ b/includes/api/ApiQuerySiteinfo.php
@@ -152,6 +152,8 @@ class ApiQuerySiteinfo extends ApiQueryBase {

                $allowFrom = [ '' ];
                $allowException = true;
+               $data['allowimagetag'] = $config->get( 'AllowImageTag' );
+               $data[ApiResult::META_BC_BOOLS][] = 'allowimagetag';
                if ( !$config->get( 'AllowExternalImages' ) ) {
                        $data['imagewhitelistenabled'] = (bool)$config->get( 'EnableImageWhitelist' );
                        $allowFrom = $config->get( 'AllowExternalImagesFrom' );

Looks reasonable at first glance ... but please submit a patch in gerrit https://www.mediawiki.org/wiki/Gerrit/Getting_started

<soapbox>Gerrit needs to be easier to access from behind restrictive firewalls</soapbox>

Okay will do...

cscott added a subscriber: cscott.May 6 2017, 4:14 PM

<soapbox>Gerrit needs to be easier to access from behind restrictive firewalls</soapbox>

While it's not a very convenient workaround, https://tools.wmflabs.org/gerrit-patch-uploader/ can be used to submit a patch if your firewall blocks port 29418.

ssastry moved this task from Needs Triage to Read Views on the Parsoid board.Jan 11 2018, 9:24 PM
Reedy edited projects, added Parsoid-Read-Views; removed Parsoid.Sep 17 2018, 7:25 PM
Aklapper edited projects, added Parsoid; removed Parsoid-Read-Views.Feb 29 2020, 5:14 PM