Add tartan namespace to allow-list
Open, Needs Triage · Public · Feature

Description

Feature summary (what you would like to be able to do and where):

I would like to be able to upload SVG files with the namespace `"https://marnanel.org/tartan/2023"`.

This can be done by adding the namespace here:
https://phabricator.wikimedia.org/source/mediawiki/browse/master/includes/upload/UploadBase.php$1626

Use case(s) (list the steps that you performed to discover that problem, and describe the actual underlying problem which you want to solve. Do not describe only a solution):

There are so many files in the Commons category "Tartan images that should use vector graphics" that I've been building a toolforge application to edit them:

https://adjustyoursett.toolforge.org

https://gitlab.wikimedia.org/toolforge-repos/adjustyoursett/

Here is my problem. I figured it would be a sensible plan to have the SVG files be machine-readable, so you could load a tartan SVG back into the tool and make changes. Therefore, I invented a tartan namespace. But then I discovered that MediaWiki blocks namespaces it doesn't know about.

It would be ''possible'' to go back and change this to a microformat, but I think using a separate namespace for annotation is closer to the spirit of XML.

This is the namespace spec:
https://gitlab.wikimedia.org/toolforge-repos/adjustyoursett/-/blob/main/docs/namespace.md

Benefits (why should this be implemented?):

It means we can modify tartan images directly, which allows people to reuse them more effectively.

Event Timeline

Fixing this up within the SVG namespace would be easy with data-* attributes-- but those only exist in SVG 2.0, which isn't commonly implemented. I could work around the problem by storing the palette details in the Inkscape namespace, but that's getting horribly hacky.

Here's a patch:

The real answer would be the one given at the top of that function:

/**
 * @todo Replace this with a allow list filter!

but I don't know the codebase well enough atm.

Change #1119253 had a related patch set uploaded (by Gerrit Patch Uploader; author: Gerrit Patch Uploader):

[mediawiki/core@master] Add tartan namespace to allowlist

https://gerrit.wikimedia.org/r/1119253

I've copied the patch into Gerrit for review.

See https://www.mediawiki.org/wiki/Gerrit/Tutorial for the correct way to submit patches for future reference.

Thank you!

I wonder how other applications do this, e.g. Illustrator? Do they all use user-defined namespaces?

Yes-- http://ns.adobe.com/illustrator/1.0/ in your example. They're allow-listed explicitly.

The current allow-list was generated by scraping the existing files and seeing what namespaces they used at the time it was introduced.
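
As an added illustration (not part of this task and not MediaWiki's code), a pre-upload check in Python that lists the namespace URIs an SVG actually uses and flags those missing from an allow-list. The `ALLOWED` set is a small illustrative subset, and the `tartan:` element and attribute names in the sample are made up rather than taken from the namespace spec.

```python
import io
import xml.etree.ElementTree as ET

# Illustrative subset (assumption): NOT MediaWiki's real list, which lives in UploadBase.php.
ALLOWED = {
    "http://www.w3.org/2000/svg",
    "http://www.w3.org/1999/xlink",
    "http://ns.adobe.com/illustrator/1.0/",  # named in the thread as allow-listed
}
TARTAN_NS = "https://marnanel.org/tartan/2023"  # the namespace this task asks to add

# Constructed sample; the tartan element/attribute names are hypothetical.
SAMPLE = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     xmlns:tartan="https://marnanel.org/tartan/2023"
     xmlns:unused="https://example.org/never-used"
     width="8" height="8">
  <metadata><tartan:example-annotation tartan:example-attr="1"/></metadata>
  <rect id="r" width="8" height="8" fill="#036"/>
  <use xlink:href="#r"/>
</svg>"""

def namespace_of(qname):
    """ElementTree writes qualified names as '{uri}local'; return the uri or ''."""
    return qname[1:].split("}", 1)[0] if qname.startswith("{") else ""

def used_namespaces(svg_bytes):
    """Map each namespace URI in use to {'element', 'attribute'} as applicable.

    Only names that actually appear are counted; a declared but unused
    xmlns: prefix is ignored (a policy choice of this sketch).
    Intended for files you generated yourself; for untrusted XML use a
    hardened parser such as defusedxml.
    """
    used = {}
    for _, elem in ET.iterparse(io.BytesIO(svg_bytes), events=("start",)):
        names = [("element", elem.tag)] + [("attribute", a) for a in elem.attrib]
        for kind, qname in names:
            uri = namespace_of(qname)
            if uri:  # unprefixed attributes carry no namespace
                used.setdefault(uri, set()).add(kind)
    return used

def rejected_namespaces(svg_bytes, allowed=ALLOWED):
    """Namespace URIs in use that are not on the allow-list, sorted."""
    return sorted(uri for uri in used_namespaces(svg_bytes) if uri not in allowed)

if __name__ == "__main__":
    print("not on allow-list:", rejected_namespaces(SAMPLE))
    print("after adding tartan:", rejected_namespaces(SAMPLE, ALLOWED | {TARTAN_NS}))
```
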

Is there a way to merge this with T386271?

I have created a new patch which puts the allow list into the MediaWiki namespace, which belongs there. I would like to close this issue in favour of that one, because that one subsumes this issue's functionality. How can I do that?

Phabricator does support a merge feature, but I suspect it's going to be much easier to get the one-line patch here code reviewed than it is for someone to write a patch, think through the conceptual issues with allowing wiki-admins to configure it, be confident enough to +2 the patch, etc. so I would leave this open.

For example: the original point of this was to stop XSS attacks, so should editing the message be restricted to interface admins?