Page MenuHomePhabricator
Create Task
Maniphest T224445

Permit hidden attribute in Sanitizer
Open, Needs TriagePublic
Actions

Description

I think we should allow setting [[ https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/hidden | hidden attribute ]] on elements from wiki code. It is a stable part of HTML5 spec that shouldn’t have any security holes as it’s just applying display: none; styling from a browser. Given that we are not disallowing people from writing style="display:none;", it doesn’t make sense to disallow writing, essentially, a shorter form of this.

My use case (and how I found it):
https://ru.wikipedia.org/?diff=100071354&oldid=99010410

Relevant code:
https://phabricator.wikimedia.org/source/mediawiki/browse/master/includes/parser/Sanitizer.php$1760

This is similar to T145002 / T204618

Related Objects

Event Timeline

stjn created this task.May 27 2019, 8:45 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 27 2019, 8:45 PM
SerDIDG subscribed.May 27 2019, 8:53 PM
Jcross removed a project: Security-Team.Oct 4 2019, 4:21 PM
Jcross subscribed.

Upon review, Security Team is untagging as we will not be working on this ticket.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL