Decide if $wgRawHtml is needed, and if so, necessary mitigations
Closed, Resolved · Public

Description

Also forking from T246949: Security Review Request for WikimediaApiPortal Skin

Whether $wgUseRawHtml is actually needed going forward should be decided, and if so, how the risks associated with it will be mitigated on an SUL wiki.

/**
 * Allow raw, unchecked HTML in "<html>...</html>" sections.
 * THIS IS VERY DANGEROUS on a publicly editable site, so USE $wgGroupPermissions
 * TO RESTRICT EDITING to only those that you trust
 */
$wgRawHtml = false;

While editing is going to be restricted (in some NS), it's not going to be restricted in all NS. So some mitigation will be needed if the wiki is deployed with $wgRawHtml = true;

Event Timeline

Reedy created this task. Jul 29 2020, 3:09 PM
Restricted Application added a subscriber: Aklapper. Jul 29 2020, 3:09 PM
apaskulin closed this task as Resolved. Aug 31 2020, 8:57 PM
apaskulin claimed this task.
apaskulin added a subscriber: apaskulin.

I don't think we'll need $wgUseRawHtml going forward, so I'm going to resolve this task. I'll re-open in case something comes up, but I think it's unlikely. Thanks, @Reedy!