Page MenuHomePhabricator
Create Task
Maniphest T228856

RemexStripTagHandler should strip <style> contents
Closed, ResolvedPublic
Actions

Description

Sanitizer::stripAllTags() (implemented by RemexStripTagHandler) tends to be used by application code as a rough equivalent of Element.innerText, which causes bugs with TemplateStyles <styles> tags - the tag is stripped but the raw CSS is rendered as text. See e.g. T219138: TemplateStyles CSS appears in notification text. It should either behave somewhat along those lines and remove the contents of non-visual tags like <style> or <script>, or a separate utility should be available for that purpose.

Details

ProjectBranchLines +/-Subject
mediawiki/coremaster+35 -1Make Sanitizer::stripAllTags() strip css and js tag contents
Customize query in gerrit

Related Objects
Search...

Event Timeline

Tgr created this task.Jul 24 2019, 11:46 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 24 2019, 11:46 AM
Tgr added a parent task: T219138: TemplateStyles CSS appears in notification text.Jul 24 2019, 11:47 AM
Tgr mentioned this in T219138: TemplateStyles CSS appears in notification text.
matmarex added a subscriber: matmarex.Mar 8 2020, 10:46 AM
Pikne mentioned this in T226279: Map title not shown on fr.wp but local CSS code.Mar 18 2020, 5:48 PM
Izno added a subscriber: Izno.Feb 15 2021, 8:04 AM
gerritbot added a comment.Dec 21 2021, 11:29 PM

Change 749282 had a related patch set uploaded (by TheDJ; author: TheDJ):

[mediawiki/core@master] Make Sanitizer::stripAllTags() strip css and js tag contents

https://gerrit.wikimedia.org/r/749282

gerritbot added a project: Patch-For-Review.Dec 21 2021, 11:29 PM
TheDJ claimed this task.Dec 21 2021, 11:30 PM
TheDJ triaged this task as Low priority.
gerritbot added a comment.Dec 23 2021, 12:44 PM

Change 749282 merged by jenkins-bot:

[mediawiki/core@master] Make Sanitizer::stripAllTags() strip css and js tag contents

https://gerrit.wikimedia.org/r/749282

ReleaseTaggerBot added a project: MW-1.38-notes (1.38.0-wmf.16; 2022-01-03).Dec 23 2021, 1:00 PM
Maintenance_bot removed a project: Patch-For-Review.Dec 23 2021, 1:11 PM
matmarex closed this task as Resolved.Dec 24 2021, 12:11 AM
matmarex added a project: MediaWiki-General.
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL