CSS sanitizer should support using CSS variables (not setting/creating them) for use in color values in TemplateStyles
Closed, ResolvedPublic5 Estimated Story Points
Actions

Assigned To

Authored By

	Jdlrobson
	Mar 20 2024, 6:31 PM

Description

Background

The CSS sanitizer doesn't allow CSS variables, which means that editors cannot follow our guidance on https://www.mediawiki.org/wiki/Recommendations_for_night_mode_compatibility_on_Wikimedia_wikis#Use_CSS_variables_or_CSS_design_tokens_with_fallback_for_background_and_text_where_possible

There is a broader request for CSS variables in T320322 but this is the minimum level of support we need to support night mode.

User story

As a template editor I want to use Codex design tokens for my CSS rules, so that they adapt to the night theme experience.

Requirements

I should be able to edit https://en.wikipedia.beta.wmflabs.org/w/index.php?title=Template:Tracked/styles.css and save the following text without receiving an error "Invalid or unsupported value for property background-color at line 7 character 21.

/* {{pp|small=y}} */
.tracked {
	float: right;
	clear: right;
	margin: 0 0 1em 1em;
	width: 12em;
	border: 1px solid var( --border-color-interactive );
	border-radius: 2px;
	background-color: var( --background-color-neutral );
	font-size: 85%;
	text-align: center;
	padding: 0.5em;
}

(for now) I should not be able to reassign or define CSS variables. e.g. the following should trigger an error:

:root {
  --color-base: red;
}
html.skin-theme-clientpref-os #shortcut 
	--color-base: red;
}

Sign off step

Update note on https://www.mediawiki.org/wiki/Recommendations_for_night_mode_compatibility_on_Wikimedia_wikis#Use_CSS_variables_or_CSS_design_tokens_with_fallback_for_background_and_text_where_possible

Details

Subject	Repo	Branch	Lines +/-
Handle custom properties in color attributes	css-sanitizer	master	+116 -1
chore(extensionDependencies): Update css-sanitizer from 5.1.0 to 5.2.0	mediawiki/extensions/TemplateStyles	master	+1 -1
Update CSS Sanitizer to 5.2.0	mediawiki/vendor	master	+140 -25

Customize query in gerrit

Related Objects
Search...

Status	Subtype	Assigned	Task
Open	Feature	None	T355244 Support Codex design tokens in TemplateStyles
Open	Feature	None	T320322 Support CSS variables in TemplateStyles
Resolved		Mabualruz	T360562 CSS sanitizer should support using CSS variables (not setting/creating them) for use in color values in TemplateStyles
Open	BUG REPORT	None	T359894 Module:Citation introduces accessibility issue (cs1-visible-error)
Resolved		Jdlrobson	T361934 Support CSS variable fallbacks in template styles

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes

Izno renamed this task from The CSS sanitizer should support CSS variables to CSS sanitizer should support using CSS variables (not setting/creating them).Mar 21 2024, 12:01 AM

Izno added a project: TemplateStyles.

Izno moved this task from Backlog to External (css-sanitizer) on the TemplateStyles board.

Izno moved this task from Unsorted to W3C Candidate Rec (or later) on the css-sanitizer board.

Maybe a duplicate of T355244.

ovasileva added a project: FY2023-24-WE 2.1 Typography and palette customizations.Mar 21 2024, 8:08 AM

Jdlrobson moved this task from Backlog to Night mode (mobile) on the FY2023-24-WE 2.1 Typography and palette customizations board.Mar 21 2024, 4:09 PM

We'd like to use this opportunity to knowledge share as @Mabualruz is the only member of the team comfortable with this code and this type of change.

Jdlrobson moved this task from Incoming to Ready for Development on the Web-Team-Backlog (FY2023-24 Q3 Sprint 6) board.Mar 21 2024, 5:57 PM

Jdlrobson renamed this task from CSS sanitizer should support using CSS variables (not setting/creating them) to CSS sanitizer should support using CSS variables (not setting/creating them) for use in TemplateStyles.Mar 21 2024, 8:50 PM

Jdlrobson merged a task: T355244: Support Codex design tokens in TemplateStyles.

Jdlrobson added a parent task: T296689: [EPIC] Address themeability needs for Codex components.

Jdlrobson added subscribers: Sophivorus, Escargot_rouge, Lofhi and 4 others.

I talked to @Catrope and we agreed that it is okay to fix this bug, but that there is a broader problem here at T340477 that needs to be solved before calling CSS design tokens "stable".

CCiufo-WMF merged a task: T320322: Support CSS variables in TemplateStyles.Mar 21 2024, 9:42 PM

CCiufo-WMF added subscribers: Push-f, SnorlaxMonster, Nardog and 14 others.

CCiufo-WMF edited parent tasks, added: T355244: Support Codex design tokens in TemplateStyles; removed: T296689: [EPIC] Address themeability needs for Codex components.Mar 21 2024, 9:45 PM

CCiufo-WMF mentioned this in T355244: Support Codex design tokens in TemplateStyles.Mar 21 2024, 9:58 PM

CCiufo-WMF mentioned this in T320322: Support CSS variables in TemplateStyles.Mar 21 2024, 10:06 PM

Btw, keep in mind that CSS variables can have a fallback like var( --color-base, #000 ), maybe that is a good thing to advise in the variable use so that dropping a certain token doesn’t cause too many problems.

Ack this is recommended in https://www.mediawiki.org/wiki/Recommendations_for_night_mode_compatibility_on_Wikimedia_wikis#Use_CSS_variables_or_CSS_design_tokens_with_fallback_for_background_and_text_where_possible as we roll out night theme which is where I suspect it will get initial adoption.

Jdlrobson added a subtask: T359894: Module:Citation introduces accessibility issue (cs1-visible-error).Mar 22 2024, 5:18 PM

Mabualruz claimed this task.Mar 27 2024, 8:16 AM

Mabualruz moved this task from Ready for Development to Doing on the Web-Team-Backlog (FY2023-24 Q3 Sprint 6) board.

Change #1014653 had a related patch set uploaded (by Mabualruz; author: Mabualruz):

[css-sanitizer@master] [WIP] Implement CustomPropertyMatcher for CSS Variable Handling

https://gerrit.wikimedia.org/r/1014653

gerritbot added a project: Patch-For-Review.Mar 27 2024, 1:02 PM

Blocked until I get a pairing partner to share knowledge and discuss next steps

Mabualruz removed Mabualruz as the assignee of this task.Fri, Mar 29, 9:13 AM

Mabualruz moved this task from Blocked on Others to Code Review on the Web-Team-Backlog (FY2023-24 Q3 Sprint 6) board.

Remaining Steps:

- Review and merge the css-sanitizer patch

- Update the version of css-sanitizer

How to update the version of css-sanitizer involves a process that typically follows these steps:

CSS Sanitizer Updates: When updates or enhancements are made to the CSS Sanitizer, these changes are committed and then tagged in the repository. This tagging is crucial for version management and indicates that a new stable version of the sanitizer is available.

Publishing to Packagist: The new version of the CSS Sanitizer needs to be published on Packagist, which is a repository for PHP packages. This makes the updated version available for use by other projects, including TemplateStyles.

Updating TemplateStyles: The TemplateStyles extension, which uses the CSS Sanitizer to ensure the CSS applied to MediaWiki templates is secure, must then update its composer.json file to require the new version of the CSS Sanitizer. This ensures that the extension benefits from the latest security and functionality improvements.

Testing and Deployment: After updating the dependency in TemplateStyles, thorough testing is recommended to ensure compatibility and that new features or security enhancements work as expected within the MediaWiki environment.

To locally test the TemplateStyles extension with changes from the CSS Sanitizer, follow this guide:

Place both css-sanitizer and TemplateStyles directories side by side in the same parent directory.
Open the composer.json file in the TemplateStyles directory.
Add the following to the composer.json to specify the local path of the CSS Sanitizer and set the version requirement to use the local development version:

"repositories": [
    {
        "type": "path",
        "url": "../css-sanitizer"
    }
],
"require": {
    "wikimedia/css-sanitizer": "@dev"
}

Run composer update in the TemplateStyles directory to apply the local CSS Sanitizer.

This setup will enable local development and testing with the CSS Sanitizer.

Change #1015447 had a related patch set uploaded (by Mabualruz; author: Mabualruz):

[mediawiki/extensions/TemplateStyles@master] Bump Template Styles Extension to 5.2.0

https://gerrit.wikimedia.org/r/1015447

Last step for deployment we need to update the `mediawiki/vendor` repository with the new version of the CSS Sanitizer after successful local tests:

- Visit the `mediawiki-vendor` repository page and check the `README.md` file for specific commands and procedures.

Typically, this involves submitting a patch with the updated composer.json and composer.lock files that reference the new version of the CSS Sanitizer, and updated vendor files to reference the new version/package.
Follow the repository's contribution guidelines for how to submit these changes for integration.

This process ensures that the new version is available for the broader MediaWiki ecosystem

Hey @cscott would you be able to code review another css sanitizer patch? If so thanks in advance, if not let us know how much time you need.

Jdlrobson added a parent task: T320322: Support CSS variables in TemplateStyles.Mon, Apr 1, 6:35 AM

Izno moved this task from W3C Candidate Rec (or later) to In Dev on the css-sanitizer board.Tue, Apr 2, 6:52 AM

Jdlrobson mentioned this in T359894: Module:Citation introduces accessibility issue (cs1-visible-error).Wed, Apr 3, 1:58 AM

Jdlrobson lowered the priority of this task from High to Medium.Wed, Apr 3, 11:00 AM

Reviewed https://gerrit.wikimedia.org/r/c/css-sanitizer/+/1014653 ; once that is updated and merges I can help release a new version of css-santizier -- that library really needs a HISTORY.md file to document its release history. The dependency in TemplateStyles is ~5.0.0 so it should probably get its composer.json updated to something like "wikimedia/css-sanitizer": "^5.1.0 || ^5.2.0" in preparation for a 5.2.0 release of css-sanitizer.

SToyofuku-WMF subscribed.Wed, Apr 3, 5:01 PM

Created https://gerrit.wikimedia.org/r/c/css-sanitizer/+/1016816 to add a HISTORY.md file for css-sanitizer.

Mabualruz moved this task from Blocked on Others to Code Review on the Web-Team-Backlog (FY2023-24 Q3 Sprint 6) board.Wed, Apr 3, 7:25 PM

Change #1014653 merged by jenkins-bot:

[css-sanitizer@master] Handle custom properties in color attributes

https://gerrit.wikimedia.org/r/1014653

cscott mentioned this in rCSSSc0cee4f78f12: Handle custom properties in color attributes.Wed, Apr 3, 9:56 PM

Reedy mentioned this in T361766: c0cee4f78f12d6266578f0c7071bdc399fbc7b62 reduced overall test coverage.Wed, Apr 3, 11:22 PM

Lofhi awarded a token.Thu, Apr 4, 7:58 AM

Change #1016381 had a related patch set uploaded (by Mabualruz; author: Mabualruz):

[mediawiki/vendor@master] Update CSS Sanitizer to 5.2.0

https://gerrit.wikimedia.org/r/1016381

Change #1016381 merged by jenkins-bot:

[mediawiki/vendor@master] Update CSS Sanitizer to 5.2.0

https://gerrit.wikimedia.org/r/1016381

ReleaseTaggerBot added a project: MW-1.42-notes (1.42.0-wmf.26; 2024-04-09).Thu, Apr 4, 5:00 PM

Mabualruz reassigned this task from cscott to Edtadros.Thu, Apr 4, 5:54 PM

Mabualruz moved this task from Code Review to QA on the Web-Team-Backlog (FY2023-24 Q3 Sprint 6) board.

This doesn't appear to be working just yet. What did we miss?

Screenshot 2024-04-05 at 2.12.21 PM.png (1×2 px, 342 KB)

Jdlrobson reassigned this task from Edtadros to Mabualruz.Fri, Apr 5, 6:34 AM

Jdlrobson added a subscriber: Edtadros.

Change #1017080 had a related patch set uploaded (by Mabualruz; author: Mabualruz):

[css-sanitizer@master] feat(css-sanitizer): Improve color parsing var func fallback values

https://gerrit.wikimedia.org/r/1017080

Mabualruz moved this task from Needs More Work to Code Review on the Web-Team-Backlog (FY2023-24 Q3 Sprint 6) board.Fri, Apr 5, 12:01 PM

Jdlrobson added a subtask: T361934: Support CSS variable fallbacks in template styles.Fri, Apr 5, 12:04 PM

Due to a misunderstanding in requirements, we've added support for:

color: var( --color-base );

but not:

color: var( --color-base, #222; )

Community members can workaround this by using body.skin-minerva or wait until T361934 is completed. We are not going to get this fixed in a day so I've created T361934. For the community members subscribed to this ticket, very sorry about the delay here.

Jdlrobson closed this task as Resolved.Fri, Apr 5, 12:09 PM

Jdlrobson updated the task description. (Show Details)

I just had a discussion on slack with @cscott, about the new sub task and follow up work in summary:

I proposed adding fallback values for the CSS var() function and introduced a patch on T361934.
C. Scot raised questions about the necessity of fallback values, given that styles should be predefined. He expressed concerns regarding the security of using var() and preferred to keep the implementation simple.
I explained that certain styles require fallback values. And suggested postponing the security discussion. I assured that fallbacks would only include simple color codes and names.
Both discussed the effectiveness of using var() compared to direct color values.
C. Scot was not concerned about the code implementation, more for the necessity of the change.
C. Scot proposed using the following examples to simulate fallback values/defaults:

background-color: #fff;
background-color: var( --skin-specific );

and
border: 1px solid #72777d;
border: 1px solid var( --border-color-interactive );

@Mabualruz unless you hard-code something to switch it to var( --skin-specific, #fff ), this example would lead to override of #fff to an empty value in all the browsers supporting var() in case --skin-specific is undefined.

@stjn can we move the discussion to T361934, I wanted to summarise the movement of the discussion there for everyone's benefit. Thanks

Mabualruz mentioned this in T361934: Support CSS variable fallbacks in template styles.Fri, Apr 5, 1:07 PM

Change #1017080 had a related patch set uploaded (by Mabualruz; author: Mabualruz):

[css-sanitizer@master] feat(css-sanitizer): Improve color parsing var func fallback values

https://gerrit.wikimedia.org/r/1017080

cscott mentioned this in T361956: Application Security Review Request : css-sanitizer custom property support.Fri, Apr 5, 4:39 PM

Not really done, it's only supported for color-related properties.

A digression for the specific scope of this task, but mentioning it here in case it can inform direction / the discussion:

I'm in the middle of a cleanup of default Gadgets etc. on enWS, and am quietly muttering impolite words to myself because of formerly-Common.css-now-in-default-Gadget global CSS classes that have been used in a myriad of templates (and ad hoc in page content) with no particular rhyme or reason.

BUT… the one good use case in all the mess is that these global classes are used to provide a standardised ("house style for enWS") set of backgrounds and borders ("etc.") for what would otherwise be a whole little forest of interrelated templates needing to be kept in sync manually. I.e. a classic use for a style sheet.

For our particular use case it would be useful for the project to be able to define certain global variables that were available to people maintaining the TemplateStyles for individual templates. Mostly colors, lengths, sizes, border radii, and similar. It would be perfectly fine for this ability to be restricted to Interface Admins as the desirable management model for this use case coincides well with the IA model. We might even be able to make do with this being a Site-request rather than IA-limited, but I think that probably isn't a good idea from a sustainability perspective.

It can kinda sorta be done with the default gadgets, but there's a subtle difference in control delineation between making classes (selectors) global and providing re-usable variables. The need also overlaps with what would be covered by supporting internal (local-only) @import within TemplateStyles CSS, but that's a slightly different use case.

A digression here, of course, but might be useful for thinking about the issue.

PS. Note also that the use case I'm describing above, and that this task is currently trying to solve, is very different from the one in T200632. The latter is about end-user users of a template being able to pass an argument to the template that the template then passes into TemplateStyles in order to vary colors, widths, etc. per-invocation of the template. The security profile and barriers to implementation (e.g. T200632#4623300) are quite different.

@Tgr T320322 covers the general use case.

Jdlrobson renamed this task from CSS sanitizer should support using CSS variables (not setting/creating them) for use in TemplateStyles to CSS sanitizer should support using CSS variables (not setting/creating them) for use in color values in TemplateStyles.Sun, Apr 7, 1:29 PM

@Xover what about just using Codex design tokens? See T355244.

Jdlrobson unsubscribed.Mon, Apr 15, 8:17 PM

Edtadros mentioned this in T361455: Verify 1.42.0-wmf.26 deployment.Tue, Apr 23, 10:06 PM

Change #1015447 abandoned by Mabualruz:

[mediawiki/extensions/TemplateStyles@master] chore(extensionDependencies): Update css-sanitizer from 5.1.0 to 5.2.0

Reason:

Was done in 1021564