
RemexStripTagHandler should strip <style> contents
Closed, Resolved · Public

Description

Sanitizer::stripAllTags() (implemented by RemexStripTagHandler) tends to be used by application code as a rough equivalent of Element.innerText, which causes bugs with TemplateStyles <styles> tags - the tag is stripped but the raw CSS is rendered as text. See e.g. T219138: TemplateStyles CSS appears in notification text. It should either behave somewhat along those lines and remove the contents of non-visual tags like <style> or <script>, or a separate utility should be available for that purpose.
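
The behaviour reported above, sketched in Python as an added example (this is not MediaWiki's or RemexHtml's code; `TagStripper`, `strip_all_tags` and the sample markup are constructed for illustration). A stripper that keeps every text node leaks raw CSS and script source into the output, while one that skips text inside `<style>` and `<script>` returns only the visible text.

```python
from html.parser import HTMLParser

# Elements whose text content is never rendered as visible text.
NON_VISUAL = {"style", "script"}


class TagStripper(HTMLParser):
    """Collect text nodes, optionally dropping text inside non-visual elements."""

    def __init__(self, drop_non_visual):
        super().__init__(convert_charrefs=True)
        self.drop_non_visual = drop_non_visual
        self.parts = []
        self.skip_depth = 0  # > 0 while inside <style> or <script>

    def handle_starttag(self, tag, attrs):
        if tag in NON_VISUAL:
            self.skip_depth += 1

    def handle_endtag(self, tag):
        if tag in NON_VISUAL and self.skip_depth:
            self.skip_depth -= 1

    def handle_data(self, data):
        if self.drop_non_visual and self.skip_depth:
            return  # CSS or script source, not visible text
        self.parts.append(data)


def strip_all_tags(html, drop_non_visual):
    """Return the text of `html` with all tags removed and whitespace collapsed."""
    parser = TagStripper(drop_non_visual)
    parser.feed(html)
    parser.close()
    return " ".join("".join(parser.parts).split())


# Constructed sample: parser output carrying a TemplateStyles-like <style> block.
SAMPLE = (
    "<style>.mw-parser-output .hatnote{font-style:italic}</style>"
    '<div class="hatnote">See also <a href="/wiki/Foo">Foo</a>.</div>'
    "<script>var x = 1;</script>"
)

if __name__ == "__main__":
    print("tags only:    ", strip_all_tags(SAMPLE, drop_non_visual=False))
    print("with contents:", strip_all_tags(SAMPLE, drop_non_visual=True))
```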

Event Timeline

Change 749282 had a related patch set uploaded (by TheDJ; author: TheDJ):

[mediawiki/core@master] Make Sanitizer::stripAllTags() strip css and js tag contents

https://gerrit.wikimedia.org/r/749282

TheDJ triaged this task as Low priority.

Change 749282 merged by jenkins-bot:

[mediawiki/core@master] Make Sanitizer::stripAllTags() strip css and js tag contents

https://gerrit.wikimedia.org/r/749282