Page MenuHomePhabricator
Create Task
Maniphest T288201

Re-enable var() in inline CSS
Open, In Progress, Needs TriagePublicFeature
Actions

Description

Feature summary
Since T208881: CSS using var() to create exponential sized calc() on wiki page will crash visitor's browser was fixed by disabling var in inline CSS, the issue with browser crashes appears to have been fixed in Firefox, Chrome, modern Edge, and Opera.

Steps to reproduce (a list of clear steps to create the situation that made you report this, including full links if applicable):

Use case(s) (describe the actual underlying problem which you want to solve, and not only a solution):

  • some users like to use inline styling for templates. Adapting to different themes would be is easier using theme variables.

Details

SubjectRepoBranchLines +/-
Sanitizer: Don't consider inline var CSS insecuremediawiki/coremaster+0 -2
Sanitizer: Don't consider inline var CSS insecuremediawiki/coremaster+0 -1
Sanitizer: Don't consider inline var CSS insecuremediawiki/coremaster+0 -1
Customize query in gerrit

Related Objects

Event Timeline

Slayful created this task.Aug 5 2021, 8:50 AM
Restricted Application added a project: Internet-Archive. · View Herald TranscriptAug 5 2021, 8:50 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Slayful added a comment.Aug 5 2021, 8:50 AM

I can prepare a patch that reverts https://phabricator.wikimedia.org/T208881

Aklapper removed a project: Internet-Archive.Aug 5 2021, 8:53 AM
Peachey88 updated the task description. (Show Details)Aug 5 2021, 9:00 AM
gerritbot added a comment.Aug 5 2021, 12:56 PM

Change 710253 had a related patch set uploaded (by Slayful; author: Slayful):

[mediawiki/core@master] Sanitizer: Don't consider inline var CSS insecure

https://gerrit.wikimedia.org/r/710253

gerritbot added a project: Patch-For-Review.Aug 5 2021, 12:56 PM
gerritbot added a comment.Aug 5 2021, 12:59 PM

Change 710254 had a related patch set uploaded (by Slayful; author: Slayful):

[mediawiki/core@master] Sanitizer: Don't consider inline var CSS insecure

https://gerrit.wikimedia.org/r/710254

r subscribed.Aug 5 2021, 1:21 PM
ShakespeareFan00 mentioned this in T200632: Allow template parameters to provide CSS to a templatestyles stylesheet.Aug 5 2021, 10:32 PM
ShakespeareFan00 subscribed.Aug 5 2021, 10:35 PM
This comment was removed by ShakespeareFan00.
gerritbot added a comment.Aug 6 2021, 9:42 AM

Change 710253 abandoned by Slayful:

[mediawiki/core@master] Sanitizer: Don't consider inline var CSS insecure

Reason:

Abandon in favour of https://gerrit.wikimedia.org/r/c/mediawiki/core/+/710254/

https://gerrit.wikimedia.org/r/710253

gerritbot added a comment.Aug 9 2021, 1:44 PM

Change 710972 had a related patch set uploaded (by Slayful; author: Slayful):

[mediawiki/core@master] Sanitizer: Don't consider inline var CSS insecure

https://gerrit.wikimedia.org/r/710972

gerritbot added a comment.Aug 9 2021, 1:46 PM

Change 710254 abandoned by Slayful:

[mediawiki/core@master] Sanitizer: Don't consider inline var CSS insecure

Reason:

Abandon in favour of https://gerrit.wikimedia.org/r/c/mediawiki/core/+/710972

https://gerrit.wikimedia.org/r/710254

Zabe mentioned this in T208881: CSS using var() to create exponential sized calc() on wiki page will crash visitor's browser.Aug 9 2021, 6:24 PM
Izno subscribed.Sep 6 2021, 4:03 PM
ExE-Boss subscribed.Sep 19 2021, 11:00 PM
Slayful added a comment.Oct 6 2021, 3:49 PM

So can this be merged in? https://gerrit.wikimedia.org/r/c/mediawiki/core/+/710972/

Slayful changed the task status from Open to In Progress.Oct 6 2021, 3:49 PM
Pcj subscribed.Apr 14 2022, 1:28 AM
Gustmd7410 subscribed.Jun 20 2022, 7:52 PM
TerraCodes subscribed.Jul 6 2022, 7:51 AM
Wychmire subscribed.Jul 9 2022, 9:53 PM
Pols12 subscribed.Jul 16 2022, 1:54 PM
MarkusRost subscribed.Aug 1 2022, 4:35 PM
Slayful added a comment.Aug 19 2022, 10:01 AM

Gentle bump :)

Aklapper added a project: Platform Engineering.Aug 19 2022, 10:06 AM

2-liner patch waiting for review for 10 months - adding Platform Engineering.

gerritbot added a comment.Aug 24 2022, 7:37 AM

Change 710972 merged by jenkins-bot:

[mediawiki/core@master] Sanitizer: Don't consider inline var CSS insecure

https://gerrit.wikimedia.org/r/710972

ReleaseTaggerBot added a project: MW-1.39-notes (1.39.0-wmf.27; 2022-08-29).Aug 24 2022, 8:00 AM
Maintenance_bot removed a project: Patch-For-Review.Aug 24 2022, 8:30 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL