
Enable unsanitized CSS namespaces
Open, Needs Triage | Public | Feature

Description

Feature summary (what you would like to be able to do and where):

Permit interface administrators to add any (unsanitized) custom CSS into MediaWiki HTML head by editing a wiki page in the MediaWiki: namespace. For example, adding the following into HTML head is desired:

<link rel="stylesheet" href="/w/index.php?title=MediaWiki:SiteSpecific.css&action=raw&ctype=text/css&css-extension=1"/>

Use case(s) (list the steps that you performed to discover that problem, and describe the actual underlying problem which you want to solve. Do not describe only a solution):

For example, deploying a custom header and menu. (showcase)

Benefits (why should this be implemented?):

Making MediaWiki CSS very customizable. The advantage of this is that it gets loaded early in the HTML head and almost anything can be customized in CSS. Easily edited by interface administrators in the MediaWiki: namespace. (Also beautiful thanks to Extension:CodeEditor.)

Without this, for example, CSS instruction background-image cannot be used. This is only possible if MediaWiki parser's CSS sanitization is disabled.

Non-Solutions:

  • Edit MediaWiki:Common.CSS and use unsanitized CSS such as background-image there, but this applies to all pages. It is not possible to selectively use CSS on some wiki pages only.
  • MediaWiki custom skin development: Seems much more complex and difficult, and needs more knowledge of MediaWiki's internals and PHP.

Solution Suggestion:

Could you please add a feature $wgCSSNotSanitizedNamespaceIDs to Extension:CSS (MediaWiki-extensions-CSS)?

It could be configured using variable $wgCSSNotSanitizedNamespaceIDs or so.

Sample use case, LocalSettings.php:

wfLoadExtension( 'CSS' );
## 8 - namespace: MediaWiki
$wgCSSNotSanitizedNamespaceIDs = array( 8 );

wiki markup:

{{#css:MediaWiki:SiteSpecific.css}}

Wiki page MediaWiki:SiteSpecific.css would contain the unsanitized CSS.

Security Impact:

The patch should be safe. It only changes the behavior of Extension:CSS when enabling $wgCSSNotSanitizedNamespaceIDs in MediaWiki LocalSettings.php. Furthermore, by using namespace MediaWiki: only interface administrators (editinterface user right) can modify files in that namespace. (reference: Manual:Administrators) Interface administrators could otherwise also edit MediaWiki:Common.CSS and use unsanitized CSS such as background-image there anyhow.
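
The namespace gate this request describes, as an added example (not code from Extension:CSS or from the patch): sanitization is skipped only when the `#css` argument resolves to a page whose namespace ID is in the allowlist, and everything else stays sanitized. The namespace map and both helper functions are hypothetical stand-ins; inside MediaWiki the ID would come from `Title::newFromText()->getNamespace()`.

```php
<?php
// Added example, not Extension:CSS code. The map and helper names are hypothetical.

// Constructed subset of MediaWiki's canonical namespace names and their IDs.
const NAMESPACE_IDS = [
    'talk' => 1, 'user' => 2, 'user_talk' => 3,
    'mediawiki' => 8, 'mediawiki_talk' => 9, 'template' => 10,
];

// Resolve a title string to a namespace ID (simplified title parsing).
// Namespace names are case-insensitive and treat spaces and underscores alike.
function resolveNamespaceId( string $titleText ): int {
    $titleText = ltrim( trim( $titleText ), ':' ); // a leading colon is allowed in wikitext
    $pos = strpos( $titleText, ':' );
    if ( $pos === false ) {
        return 0; // no prefix: main namespace
    }
    $prefix = strtolower( str_replace( ' ', '_', trim( substr( $titleText, 0, $pos ) ) ) );
    // An unknown prefix means the colon belongs to a main-namespace title
    // (or the argument is inline CSS such as "body { color: red }").
    return NAMESPACE_IDS[$prefix] ?? 0;
}

// True only when the CSS source is a page in an allowlisted namespace.
// The strict comparison fails closed if the setting holds strings instead of ints.
function mayEmitUnsanitized( string $titleText, array $notSanitizedNamespaceIds ): bool {
    return in_array( resolveNamespaceId( $titleText ), $notSanitizedNamespaceIds, true );
}

$wgCSSNotSanitizedNamespaceIDs = [ 8 ]; // value from the sample LocalSettings.php

// Constructed sample arguments to {{#css:...}}.
$samples = [
    'MediaWiki:SiteSpecific.css',      // namespace 8: unsanitized
    'mediawiki:SiteSpecific.css',      // same namespace, different case: unsanitized
    'MediaWiki talk:SiteSpecific.css', // namespace 9, editable without editinterface: sanitize
    'User:Example/style.css',          // namespace 2: sanitize
    'SiteSpecific.css',                // main namespace: sanitize
    'body { color: red }',             // inline CSS, not a page: sanitize
];
foreach ( $samples as $arg ) {
    $mode = mayEmitUnsanitized( $arg, $wgCSSNotSanitizedNamespaceIDs ) ? 'unsanitized' : 'sanitize';
    printf( "%-34s %s\n", $arg, $mode );
}
```

The gate inherits its safety from who can edit the listed namespaces, so adding an ID whose pages ordinary users can edit would extend unsanitized CSS to those users.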

Event Timeline

Change 759196 had a related patch set uploaded (by Zoranzoki21; author: Zoranzoki21):

[mediawiki/extensions/CSS@master] Add $wgCSSNotSanitizedNamespaceIDs

https://gerrit.wikimedia.org/r/759196

@Kizule: Removing task assignee as this open task has been assigned for more than two years - see the email sent to all task assignees on 2024-04-15.
Please assign this task to yourself again if you still realistically [plan to] work on this task - it would be welcome! :)
If this task has been resolved in the meantime, or should not be worked on by anybody ("declined"), please update its task status via "Add Action… 🡒 Change Status".
Also see https://www.mediawiki.org/wiki/Bug_management/Assignee_cleanup for tips on how to best manage your individual work in Phabricator. Thanks!

I took this over again; I forgot to assign myself back. But thanks for keeping Phabricator a nice place. :)

Change #759196 abandoned by Zoranzoki21:

[mediawiki/extensions/CSS@master] Enable unsanitized CSS namespaces

Reason:

It looks like the recent patch broke my logic; I'm going to start from zero.

https://gerrit.wikimedia.org/r/759196

Change #759196 restored by Zoranzoki21:

[mediawiki/extensions/CSS@master] Enable unsanitized CSS namespaces

https://gerrit.wikimedia.org/r/759196