
Enable unsanitized CSS namespaces
Open, Needs Triage, Public, Feature


Feature summary (what you would like to be able to do and where):

Permit interface administrators to add any (unsanitized) custom CSS into MediaWiki HTML head by editing a wiki page in the MediaWiki: namespace. For example, adding the following into HTML head is desired:

<link rel="stylesheet" href="/w/index.php?title=MediaWiki:SiteSpecific.css&action=raw&ctype=text/css&css-extension=1"/>

Use case(s) (list the steps that you performed to discover that problem, and describe the actual underlying problem which you want to solve. Do not describe only a solution):

For example, deploying a custom header and menu. (showcase)

Benefits (why should this be implemented?):

Making MediaWiki CSS very customizable. The advantage of this is that it gets loaded early in the HTML head and almost anything can be customized in CSS. Easily edited by interface administrators in the MediaWiki: namespace. (Also beautiful thanks to Extension:CodeEditor.)

Without this, for example, CSS instruction background-image cannot be used. This is only possible if MediaWiki parser's CSS sanitization is disabled.


  • MediaWiki:Common.CSS and use unsanitized CSS such as background-image there, but applies to all pages. Not possible to selectively use CSS on some wiki pages only.
  • MediaWiki custom skin development: Seems much more complex, difficult, needs more knowledge on MediaWiki's internals and PHP.

Solution Suggestion:

Could you please add a feature $wgCSSNotSanitizedNamespaceIDs to Extension:CSS (MediaWiki-extensions-CSS)?

It could be configured using variable $wgCSSNotSanitizedNamespaceIDs or so.

Sample use case, LocalSettings.php:

wfLoadExtension( 'CSS' );
## 8 - namespace: MediaWiki
$wgCSSNotSanitizedNamespaceIDs = array( 8 );

wiki markup:


Wiki page MediaWiki:SiteSpecific.css would contain the unsanitized CSS.

Security Impact:

The patch should be safe. It only changes the behavior of Extension:CSS when enabling $wgCSSNotSanitizedNamespaceIDs in MediaWiki LocalSettings.php. Furthermore, by using namespace MediaWiki: only interface administrators (editinterface user right) can modify files in that namespace. (reference: Manual:Administrators) Interface administrators could otherwise also edit MediaWiki:Common.CSS and use unsanitized CSS such as background-image there anyhow.
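
The safety argument above rests on every exempted namespace being writable only by interface administrators. The following is an added example, not code from Extension:CSS: a fail-closed version of the namespace check, where the function name `mustSanitizeCss` and the `$editRestricted` list are hypothetical and the constructed cases include a configuration that also lists the main namespace.

```php
<?php
// Added example; hypothetical helper, not code from Extension:CSS.
const NS_MAIN = 0;       // MediaWiki's main (article) namespace
const NS_MEDIAWIKI = 8;  // namespace ID used in the request above

/**
 * Decide whether CSS taken from a page in $sourceNs must be sanitized.
 * Fails closed: anything unexpected means "sanitize".
 *
 * @param int   $sourceNs        namespace ID of the page holding the CSS
 * @param mixed $notSanitizedIds value of the proposed $wgCSSNotSanitizedNamespaceIDs
 * @param int[] $editRestricted  namespaces only interface administrators can edit (assumed input)
 */
function mustSanitizeCss( int $sourceNs, $notSanitizedIds, array $editRestricted ): bool {
	if ( !is_array( $notSanitizedIds ) ) {
		return true; // unset or malformed setting: keep sanitizing
	}
	// Strict comparison so that "8" or true never matches the integer 8.
	if ( !in_array( $sourceNs, $notSanitizedIds, true ) ) {
		return true;
	}
	// Exempt a namespace only if ordinary editors cannot write to it.
	return !in_array( $sourceNs, $editRestricted, true );
}

$editRestricted = [ NS_MEDIAWIKI ];

// Constructed cases: [ source namespace, configured value, expected result ]
$cases = [
	[ NS_MEDIAWIKI, [ 8 ], false ],   // the configuration from the request
	[ NS_MAIN, [ 8 ], true ],         // namespace not listed
	[ NS_MAIN, [ 0, 8 ], true ],      // listed, but open to every editor
	[ NS_MEDIAWIKI, [ '8' ], true ],  // string ID does not match the integer
	[ NS_MEDIAWIKI, null, true ],     // setting absent
];
foreach ( $cases as [ $ns, $config, $expected ] ) {
	$actual = mustSanitizeCss( $ns, $config, $editRestricted );
	if ( $actual !== $expected ) {
		throw new RuntimeException( "unexpected result for namespace $ns" );
	}
	printf( "ns=%d config=%s sanitize=%s\n", $ns, json_encode( $config ), $actual ? 'yes' : 'no' );
}
```

The third case is the one to watch in review: listing a namespace that any editor can write to would let unsanitized CSS reach the HTML head from ordinary edits, so the check refuses the exemption there regardless of the setting.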