Page MenuHomePhabricator
Create Task
Maniphest T394963

Allow unknown properties in css-sanitizer
Open, Needs TriagePublic
Actions

Description

The MW core Sanitizer allows all properties except for accelerator, -o-link, -o-link-source and -o-replace. It allows all values except when they contain the functions url(), src(), image(), image-set(), or attr() with the url syntax type. We could do the same in TemplateStyles.

Unknown properties would still have to be syntactically valid. We could have a generic matcher that would check for bad functions or URL tokens.

CSS is complex and constantly changing. Most changes are not relevant for security. There is @supportsto help users develop CSS which works across all platforms.

Related Objects

Event Timeline

tstarling created this task.May 22 2025, 1:41 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 22 2025, 1:41 AM
Izno added a project: TemplateStyles.May 22 2025, 2:43 AM
Izno moved this task from Backlog to External (css-sanitizer) on the TemplateStyles board.
MusikAnimal subscribed.May 22 2025, 10:20 PM
Volker_E added a project: CSS.May 23 2025, 3:01 AM
Izno awarded a token.May 23 2025, 5:49 AM
cscott mentioned this in T361934: Support CSS variable fallbacks in template styles.Oct 15 2025, 3:06 AM
Mr._Starfleet_Command subscribed.Oct 15 2025, 5:26 AM
Bawolff subscribed.EditedNov 4 2025, 6:40 AM

This kind of comes down to what is the threat model of css-sanitizer and what does it want to prevent. I feel like a lot of css-sanitizer development is paralyzed by not knowing what the goal is.

The property names mentioned above only matter to ancient browsers. In modern browsers the only thing that really matter are @import, url(), image() and image-set(). If you care about standards not yet implemented, then also src() and filter() [attr() with url type was removed from spec and nobody ever implemented it].

Tgr added a comment.Nov 6 2025, 10:01 PM

The MW core Sanitizer allows all properties except for accelerator, -o-link, -o-link-source and -o-replace.

Also expression which let you embed Javascript in CSS on IE6. I suppose it is reasonable to assume that no future browser will do something that stupid...

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits