Page MenuHomePhabricator

[CSS] Some CSS stripped by MediaWiki parser CSS sanitizer
Open, LowestPublic

Description

I have been unable to get background-image:url( someURL ) to work with this extension, like below:

{{#css:
	/*
		This code requires the CSS extension (previously used NewPageCSS)
		http://www.mediawiki.org/wiki/Extension:CSS
	*/

	.someClass { background-image:url(http://www.somedomain.com/w/images/0/06/someimage.png); }
}}

I believe it is due to Sanitizer::checkCss() as described by Brion here:

http://www.gossamer-threads.com/lists/wiki/mediawiki/233179

The CSS that gets sanitized by the parser is getting stripped out of the CSS extension too.

However, the usual /* insecure input */ error message appears in the <head> of the page source, like this:

<style type="text/css">
/*<![CDATA[*/
/* insecure input */
/*]]>*/
</style>

The only way to get around this problem is to put the CSS in MediaWiki:Common.css.

There are good reasons for the parser to strip some CSS out, but in addition to documenting this issue (which this bug does, and I'll do in the extension docs in a moment), it should be configurable whether the CSS extension lets the parser sanitize, for example, when used on private wikis.

Details

Reference
bz35820

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 22 2014, 12:18 AM
bzimport set Reference to bz35820.
bzimport added a subscriber: Unknown Object (MLST).
Badon created this task.Apr 8 2012, 9:49 PM
Qgil added a comment.Mar 25 2013, 2:40 AM

There is a proposal to improve Extension:CSS at

http://www.mediawiki.org/wiki/Mentorship_programs/Possible_projects#Improve_Extension:CSS

Pasting the part related with security to get more feedback:

"The CSS extension relies on basic blacklisting functionality in MediaWiki core to prevent XSS. It would be great if a proper CSS parser [1] was integrated and a set of whitelists implemented to offer various levels of capability/protection trade-offs.

For example, some wikis may want all CSS selectors prefixed with "#mw-content-text" and properties like "position", etc. disabled to limit the effect of styles to the article content. Other sites may want everything except XSS-able properties/values."

[1] https://github.com/sabberworm/PHP-CSS-Parser

(In reply to comment #1)

"The CSS extension relies on basic blacklisting functionality in MediaWiki
core
to prevent XSS. It would be great if a proper CSS parser [1] was integrated
and
a set of whitelists implemented to offer various levels of
capability/protection trade-offs.

This sounds like a great project. I'd recommend looking at HTML Purifier's CSS rules as well, which would be great to integrate into either the extension, or core's CSS sanitization.

[1] https://github.com/sabberworm/PHP-CSS-Parser

There are good reasons for the parser to strip some CSS out, but in addition
to
documenting this issue (which this bug does, and I'll do in the extension
docs
in a moment), it should be configurable whether the CSS extension lets the
parser sanitize, for example, when used on private wikis.

The reason sanitizer doesn't let that through, is we don't want people to be able to load external resources from inline css
*This could in theory be used as a DOS attack against somebody else if someone put it on a popular page.
*It can be used to track users, and associate usernames with ip addresses (i.e. have {{REVISIONUSER}} in the query string of the external resource.

(There could be other resons. Those two are just the two I know about)

Bug 57891 is not an appropriate "see also"; removing.

Qgil added a comment.Sep 12 2014, 9:19 AM

A new round of FOSS OPW is coming. Should we keep https://www.mediawiki.org/wiki/Mentorship_programs/Possible_projects#Allowing_3rd_party_wiki_editors_to_run_more_CSS_features as a featured project? Meaning, does this project still make sense and are there mentors still available?

Qgil added a comment.Feb 11 2015, 1:44 PM

Wikimedia will apply to Google Summer of Code and Outreachy on Tuesday, February 17. If you want this task to become a featured project idea, please follow these instructions.

Qgil lowered the priority of this task from Medium to Lowest.Feb 16 2015, 11:45 PM
Qgil added a comment.Sep 23 2015, 9:10 AM

This is a message posted to all tasks under "Re-check in September 2015" at Possible-Tech-Projects. Outreachy-Round-11 is around the corner. If you want to propose this task as a featured project idea, we need a clear plan with community support, and two mentors willing to support it.

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 23 2015, 9:10 AM
Qgil added a comment.Sep 23 2015, 9:36 AM

This is a message sent to all Possible-Tech-Projects. The new round of Wikimedia Individual Engagement Grants is open until 29 Sep. For the first time, technical projects are within scope, thanks to the feedback received at Wikimania 2015, before, and after (T105414). If someone is interested in obtaining funds to push this task, this might be a good way.

This seems to be an old task with no inputs since 2 years.
Is this still valid ? Is there demand for this ?

Qgil set Security to None.

Maybe the initial task is still valid, but I agree that no real movement in years doesn't make it an ideal candidate for Possible-Tech-Projects. If mentors related to MediaWiki-extensions-CSS want to bring it back, they are are welcome.

Izno updated the task description. (Show Details)May 5 2019, 12:23 PM
Izno removed a subscriber: wikibugs-l-list.
Restricted Application added a subscriber: Liuxinyu970226. · View Herald TranscriptMay 5 2019, 12:23 PM