Maniphest T288201

Re-enable var() in inline CSS
Closed, ResolvedPublicFeature
Actions

Assigned To

Authored By

	Slayful
	Aug 5 2021, 8:50 AM

Tags

Referenced Files

None

Subscribers

View All 12 Subscribers

Description

Feature summary
Since T208881: CSS using var() to create exponential sized calc() on wiki page will crash visitor's browser was fixed by disabling var in inline CSS, the issue with browser crashes appears to have been fixed in Firefox, Chrome, modern Edge, and Opera.

Steps to reproduce (a list of clear steps to create the situation that made you report this, including full links if applicable):

I believe http://web.archive.org/web/20190207030152/https://cras.sh/crash.html can be used to test for the issue - the “it’s working” message loads fine.

Use case(s) (describe the actual underlying problem which you want to solve, and not only a solution):

some users like to use inline styling for templates. Adapting to different themes would be is easier using theme variables.

Details

	Subject	Repo	Branch	Lines +/-
	Sanitizer: Don't consider inline var CSS insecure	mediawiki/core	master	+0 -2
	Sanitizer: Don't consider inline var CSS insecure	mediawiki/core	master	+0 -1
	Sanitizer: Don't consider inline var CSS insecure	mediawiki/core	master	+0 -1

Customize query in gerrit

Related Objects

Mentioned In: T208881: CSS using var() to create exponential sized calc() on wiki page will crash visitor's browser
T200632: Allow template parameters to provide CSS to a templatestyles stylesheet
Mentioned Here: T200632: Allow template parameters to provide CSS to a templatestyles stylesheet
T208881: CSS using var() to create exponential sized calc() on wiki page will crash visitor's browser

Event Timeline

Slayful created this task.Aug 5 2021, 8:50 AM

Restricted Application added a project: Internet-Archive. · View Herald TranscriptAug 5 2021, 8:50 AM

Restricted Application added a subscriber: Aklapper. · View Herald Transcript

I can prepare a patch that reverts https://phabricator.wikimedia.org/T208881

Aklapper removed a project: Internet-Archive.Aug 5 2021, 8:53 AM

Peachey88 updated the task description. (Show Details)Aug 5 2021, 9:00 AM

Change 710253 had a related patch set uploaded (by Slayful; author: Slayful):

[mediawiki/core@master] Sanitizer: Don't consider inline var CSS insecure

https://gerrit.wikimedia.org/r/710253

gerritbot added a project: Patch-For-Review.Aug 5 2021, 12:56 PM

Change 710254 had a related patch set uploaded (by Slayful; author: Slayful):

[mediawiki/core@master] Sanitizer: Don't consider inline var CSS insecure

https://gerrit.wikimedia.org/r/710254

r subscribed.Aug 5 2021, 1:21 PM

ShakespeareFan00 mentioned this in T200632: Allow template parameters to provide CSS to a templatestyles stylesheet.Aug 5 2021, 10:32 PM

ShakespeareFan00 subscribed.Aug 5 2021, 10:35 PM

This comment was removed by ShakespeareFan00.

Change 710253 abandoned by Slayful:

[mediawiki/core@master] Sanitizer: Don't consider inline var CSS insecure

Reason:

Abandon in favour of https://gerrit.wikimedia.org/r/c/mediawiki/core/+/710254/

https://gerrit.wikimedia.org/r/710253

Change 710972 had a related patch set uploaded (by Slayful; author: Slayful):

[mediawiki/core@master] Sanitizer: Don't consider inline var CSS insecure

https://gerrit.wikimedia.org/r/710972

Change 710254 abandoned by Slayful:

[mediawiki/core@master] Sanitizer: Don't consider inline var CSS insecure

Reason:

Abandon in favour of https://gerrit.wikimedia.org/r/c/mediawiki/core/+/710972

https://gerrit.wikimedia.org/r/710254

Zabe mentioned this in T208881: CSS using var() to create exponential sized calc() on wiki page will crash visitor's browser.Aug 9 2021, 6:24 PM

Izno subscribed.Sep 6 2021, 4:03 PM

ExE-Boss subscribed.Sep 19 2021, 11:00 PM

So can this be merged in? https://gerrit.wikimedia.org/r/c/mediawiki/core/+/710972/

Slayful changed the task status from Open to In Progress.Oct 6 2021, 3:49 PM

Pcj subscribed.Apr 14 2022, 1:28 AM

Gustmd7410 subscribed.Jun 20 2022, 7:52 PM

TerraCodes subscribed.Jul 6 2022, 7:51 AM

Wychmire subscribed.Jul 9 2022, 9:53 PM

Pols12 subscribed.Jul 16 2022, 1:54 PM

MarkusRost subscribed.Aug 1 2022, 4:35 PM

Gentle bump :)

2-liner patch waiting for review for 10 months - adding Platform Engineering.

Change 710972 merged by jenkins-bot:

[mediawiki/core@master] Sanitizer: Don't consider inline var CSS insecure

https://gerrit.wikimedia.org/r/710972

ReleaseTaggerBot added a project: MW-1.39-notes (1.39.0-wmf.27; 2022-08-29).Aug 24 2022, 8:00 AM

Maintenance_bot removed a project: Patch-For-Review.Aug 24 2022, 8:30 AM

I guess this is done?