Page MenuHomePhabricator
Create Task
Maniphest T248211

One Sanitizer to Rule Them All
Open, Needs TriagePublic
Actions

Description

We seem to have a number of slightly-different sanitizers floating around:

I'd like to better understand the different use cases here and try to come up with one or two implementations we can all agree on, assuming that we're all trying to do the same thing. I'd like to avoid divergence and corner case bugs where some sanitizers let things through which others don't, which could even result in security issues in the worst case scenarios. Further, we periodically allow new 'safe' attributes through into wikitext, like T247910: MediaWiki should allow setting tabindex="0" on elements in wikitext; we need to determine what the appropriate mechanisms are to keep the various sanitizers in sync.

Related Objects
Search...

StatusSubtypeAssignedTask
 OpenNoneT248211 One Sanitizer to Rule Them All
 OpenNoneT247804 Move Sanitizer from core into Parsoid
 ResolvedGoalcscottT239660 Integrate Parsoid/PHP with core as a composer library
 ResolvedcscottT213494 Installing composer modules for deployment
 ResolvedcscottT240054 Move top level namespace from Parsoid to Wikimedia\Parsoid
 ResolvedcscottT240055 Craft a deployment strategy to transition Parsoid/PHP from a faux extension to a composer library without breaking incoming requests
 ResolvedDzahnT245877 Give all members of the Parsing team production `deployment` access ( add arlolra to deployers)
 DeclinedJdforrester-WMFT245886 Create /srv/mediawiki/parsoid-vendor on production MW appservers, a check out of vendor.git's parsoid branch
 ResolvedJdforrester-WMFT246854 Replace deployment-mediawiki-parsoid10 with a "purer" deployment-parsoid11 box
 ResolvedJdforrester-WMFT247147 Puppet fails on Beta Cluster because "did not find a value for the name 'profile::envoy::ensure'"
 ResolvedKrenairT246937 deployment-puppetmaster04 disc use exploding
ResolvedKrenairT247151 Puppet fails on Beta Cluster because Safe_service_restart is expecting lvs_services set though `has_lvs: false`
 ResolvedDzahnT247480 Sync parsoid11 config from Horizon back to puppet git
 ResolvedKrenairT247545 Fix scap on deployment-parsoid11
 ResolvedcscottT247589 Parsoid-PHP should be publicly accessible in beta
 OpenNoneT204279 Fine-grained Sanitizer control
 OpenNoneT295168 Ensure <meta typeof="..."> in Parser/Parsoid HTML can't be spoofed from wikitext

Event Timeline

cscott created this task.Mar 20 2020, 11:48 PM
Restricted Application added a project: Product-Infrastructure-Team-Backlog-Deprecated. · View Herald TranscriptMar 20 2020, 11:48 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Mholloway edited projects, added Page Content Service; removed Mobile-Content-Service.Mar 21 2020, 1:04 AM
Mholloway subscribed.
ssastry updated the task description. (Show Details)Mar 21 2020, 3:31 PM
ssastry moved this task from Needs Triage to Future Ideas on the Parsoid board.Mar 22 2020, 9:37 PM
JTannerWMF added a project: Editing-team (Tracking).Mar 24 2020, 3:13 PM
JTannerWMF subscribed.

It seems there is nothing actionable for our team at this moment but we can keep an eye on it.

JTannerWMF moved this task from Backlog to External on the Editing-team (Tracking) board.Mar 24 2020, 3:14 PM
JTannerWMF moved this task from To Triage to Triaged on the VisualEditor board.
LGoto moved this task from Needs triage to Tracking on the Product-Infrastructure-Team-Backlog-Deprecated board.Mar 25 2020, 3:44 PM
Pginer-WMF moved this task from Needs Triage to Upstream/Other teams on the ContentTranslation board.Mar 30 2020, 8:35 AM
cscott added a subtask: T247804: Move Sanitizer from core into Parsoid.Jul 16 2020, 6:29 PM
cscott mentioned this in T247804: Move Sanitizer from core into Parsoid.Jan 25 2021, 2:19 PM
cscott mentioned this in T295168: Ensure <meta typeof="..."> in Parser/Parsoid HTML can't be spoofed from wikitext.Nov 5 2021, 3:54 PM
cscott added a subtask: T295168: Ensure <meta typeof="..."> in Parser/Parsoid HTML can't be spoofed from wikitext.Nov 5 2021, 4:01 PM
Izno subscribed.Nov 5 2021, 4:22 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits