Sanitizer::stripAllTags() (implemented by RemexStripTagHandler) tends to be used by application code as a rough equivalent of Element.innerText, which causes bugs with TemplateStyles <styles> tags - the tag is stripped but the raw CSS is rendered as text. See e.g. T219138: TemplateStyles CSS appears in notification text. It should either behave somewhat along those lines and remove the contents of non-visual tags like <style> or <script>, or a separate utility should be available for that purpose.
Description
Details
Project | Branch | Lines +/- | Subject
---|---|---|---
mediawiki/core | master | +35 -1 | Make Sanitizer::stripAllTags() strip css and js tag contents
Status | Subtype | Assigned | Task
---|---|---|---
Resolved | | matmarex | T219138 TemplateStyles CSS appears in notification text
Resolved | | TheDJ | T228856 RemexStripTagHandler should strip <style> contents
Event Timeline
Change 749282 had a related patch set uploaded (by TheDJ; author: TheDJ):
[mediawiki/core@master] Make Sanitizer::stripAllTags() strip css and js tag contents
Change 749282 merged by jenkins-bot:
[mediawiki/core@master] Make Sanitizer::stripAllTags() strip css and js tag contents
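
The behaviour described in the task, shown as an added example that is not MediaWiki's Sanitizer or RemexStripTagHandler code: tag-only stripping (here PHP's built-in strip_tags()) leaves CSS and JS source behind as text, while a DOM pass that removes style and script elements with their contents does not. The helper name visibleText() and the sample snippet are assumptions made for illustration.

```php
<?php
// Added illustration only; not MediaWiki's Sanitizer or RemexStripTagHandler code.
// visibleText() is a hypothetical helper name.

function visibleText( string $html ): string {
	if ( trim( $html ) === '' ) {
		return '';
	}
	$doc = new DOMDocument();
	$prev = libxml_use_internal_errors( true ); // tolerate tag soup quietly
	// The XML declaration prefix makes libxml treat the input as UTF-8.
	$doc->loadHTML( '<?xml encoding="UTF-8">' . $html, LIBXML_NONET );
	libxml_clear_errors();
	libxml_use_internal_errors( $prev );

	// Drop non-visual elements together with their contents,
	// wherever the parser placed them (head or body).
	$xpath = new DOMXPath( $doc );
	foreach ( iterator_to_array( $xpath->query( '//style | //script' ) ) as $node ) {
		$node->parentNode->removeChild( $node );
	}
	$root = $doc->documentElement;
	$text = $root !== null ? $root->textContent : '';
	// Collapse runs of whitespace so the result reads like rendered text.
	return trim( (string)preg_replace( '/\s+/u', ' ', $text ) );
}

// Constructed sample: a notification snippet carrying TemplateStyles-like CSS.
$snippet = '<style>.hatnote{font-style:italic}</style>'
	. '<b>Alice</b> mentioned you<script>track()</script>';

// Tag-only stripping keeps the CSS and JS source as visible text.
echo strip_tags( $snippet ), "\n";
// Content-aware stripping keeps only what a reader would see.
echo visibleText( $snippet ), "\n";
```

The returned string is plain text, not sanitized HTML, so it still has to be escaped for whatever context it is written into.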