Page MenuHomePhabricator

Respect $wgAllowImageTag wiki configuration flag in the Sanitizer
Closed, DeclinedPublic


Parsoid doesn't respect the $wgAllowImageTag wiki configuration flag and unconditionally renders image tags as text. This came up in a wikitech-l discussion thread. Since Parsoid already fetches the wiki config, fixing this should simply be a matter of updating the list of whitelisted tags.

Event Timeline

Looks like wgAllowImageTag is not exported in the wikiconfig. So, this is a bit more involved than being simply a Parsoid-side omission.

What would be involved in making this fix?

For the last year I've had to modify Parsoid manually to make external images show.

In WikitextConstants.js line 302 there's JSUtils.deepFreeze(WikitextConstants);. I've been adding a line like WikitextConstants.Sanitizer.TagWhiteList.add( "IMG" ); above that.

Is there a cleaner way I can do this, such that I don't have to modify Parsoid? Somewhere I can make a similar change in a config file like localsettings.js?

@Jamesmontalvo3 The first step is described in T127884#2058682. There needs to be a patch to MediaWiki's action api to expose that setting in a siteinfo request.

Something like,

Like this?

$ git diff
diff --git a/includes/api/ApiQuerySiteinfo.php b/includes/api/ApiQuerySiteinfo.php
index a08740a..2907089 100644
--- a/includes/api/ApiQuerySiteinfo.php
+++ b/includes/api/ApiQuerySiteinfo.php
@@ -152,6 +152,8 @@ class ApiQuerySiteinfo extends ApiQueryBase {

                $allowFrom = [ '' ];
                $allowException = true;
+               $data['allowimagetag'] = $config->get( 'AllowImageTag' );
+               $data[ApiResult::META_BC_BOOLS][] = 'allowimagetag';
                if ( !$config->get( 'AllowExternalImages' ) ) {
                        $data['imagewhitelistenabled'] = (bool)$config->get( 'EnableImageWhitelist' );
                        $allowFrom = $config->get( 'AllowExternalImagesFrom' );

Looks reasonable at first glance ... but please submit a patch in gerrit

<soapbox>Gerrit needs to be easier to access from behind restrictive firewalls</soapbox>

Okay will do...

<soapbox>Gerrit needs to be easier to access from behind restrictive firewalls</soapbox>

While it's not a very convenient workaround, can be used to submit a patch if your firewall blocks port 29418.