Allow <noscript> tag
Closed, Declined (Public)

Description

The parser (or rather the sanitizer) should allow the <noscript> tag and output it in HTML if it is present in wiki text.

Use cases:

<noscript>
You have to turn on JS in your browser to be able to sort this table.
</noscript>
{| class="wikitable sortable"
<!--
...
-->
|}


<noscript>
[[#after-long-block|Skip to after the block]]
</noscript>
<div class="mw-collapsible mw-collapsed">
Here comes much data, it is hidden by default if JavaScript is enabled.
...
</div>
<div id="after-long-block"></div>

Version: 1.21.x
Severity: enhancement

Event Timeline

bzimport raised the priority of this task from to Low. (Nov 22 2014, 1:19 AM)
bzimport set Reference to bz45731.

Assuming the contents of the <noscript> tags are still run through the parser/sanitizer, this should probably be fine. Are there any security concerns or issues to look out for here that you're aware of? If not, this bug can likely be marked with the "easy" keyword.

Patch in Gerrit needs review (and testing).

I'm not convinced that this is needed or wanted, and <noscript> could be confusing if some content was only seen by some readers (and web spiders). Consider me neutral on the matter.

And this is easy to work around – we already have 'client-js' and 'client-nojs' classes on the <body> element, so you could do this with one CSS rule in [[MediaWiki:Common.css]]:

.client-js .noscript { display: none; }

And use the following in pages:

<div class="noscript">
You have to turn on JS in your browser to be able to sort this table.
</div>

The <noscript> element accepts the global attributes in HTML. These are missing from the patch (as currently written, all attributes would be stripped; see also bug 55582).
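What the comment above describes, as an added example (a toy allowlist sanitizer written for this page, not MediaWiki's Sanitizer and not the Gerrit patch): a tag allowed without any attribute entry loses every attribute, while its contents are still sanitized. `GLOBAL_ATTRS`, `sanitize` and the sample markup are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed subset of the HTML global attributes, for illustration only.
GLOBAL_ATTRS = frozenset({"class", "id", "lang", "dir", "title"})

class AllowlistSanitizer(HTMLParser):
    """Toy tag/attribute allowlist; anything not listed is escaped or dropped."""

    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed = allowed  # tag name -> set of permitted attribute names
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed:
            # Tag not on the allowlist: emit it as visible text, not markup.
            self.out.append(escape(self.get_starttag_text()))
            return
        kept = "".join(
            f' {name}="{escape(value or "")}"'
            for name, value in attrs
            if name in self.allowed[tag]  # attributes not listed are dropped
        )
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        closing = f"</{tag}>"
        self.out.append(closing if tag in self.allowed else escape(closing))

    def handle_data(self, data):
        self.out.append(escape(data))

def sanitize(html, allowed):
    parser = AllowlistSanitizer(allowed)
    parser.feed(html)
    parser.close()  # flush any buffered trailing text
    return "".join(parser.out)

# Constructed input: one global attribute, one event handler, one nested tag.
SAMPLE = ('<noscript class="notice" onclick="x()">'
          'Enable JS <script>alert(1)</script></noscript>')

NOT_ALLOWED = sanitize(SAMPLE, {"div": GLOBAL_ATTRS})        # tag escaped
NO_ATTRS = sanitize(SAMPLE, {"noscript": frozenset()})       # all attrs stripped
WITH_GLOBALS = sanitize(SAMPLE, {"noscript": GLOBAL_ATTRS})  # class kept only
```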

Change 53529 had a related patch set uploaded (by Paladox):
Allow <noscript> tag in wikitext

https://gerrit.wikimedia.org/r/53529

I'm not convinced we should be allowing <noscript>. Too easy to abuse: <noscript>Buy our great viagra [http://pharmacyscam.com here]</noscript>

With the solution that matmarex provides (which neatly solves the presented use case) at least it's possible to override it in the user js.

Count me against this proposal, unless a more convincing use case is found.

> Too easy to abuse: <noscript>Buy our great viagra [http://pharmacyscam.com here]</noscript>

I actually don't see how this abuse is more relevant than every other abuse of a publicly editable wiki. It's just spam that's not visible to most people in the rendered page. But it's still visible in the diff when it is inserted. All users who have JS disabled can see and revert the spam (and all other users aren't affected by it). Communities worried about this can easily set up an AbuseFilter to log or reject those changes. Or you can search the source for "noscript". So I don't see any reason why this sort of spam should be considered as more dangerous than normal spam.
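The kind of check the comment above suggests (search the source for "noscript" and log or reject such edits), sketched in Python as an added example; it is not AbuseFilter rule syntax and not part of the original discussion. The function names and sample wikitext are constructed, and the check only matters on a wiki where `<noscript>` is actually rendered.

```python
import re

# <noscript ...> up to its closing tag, or to end of text if left unclosed.
NOSCRIPT_BLOCK = re.compile(
    r"<noscript\b[^>]*>(.*?)(?:</noscript\s*>|\Z)", re.IGNORECASE | re.DOTALL
)
# External URL as it appears in wikitext, e.g. [http://host/path label].
EXTERNAL_LINK = re.compile(r"https?://[^\s\]\[<>\"|]+", re.IGNORECASE)

def links_in_noscript(wikitext):
    """Set of external URLs that sit inside any <noscript> block."""
    links = set()
    for block in NOSCRIPT_BLOCK.finditer(wikitext):
        links.update(EXTERNAL_LINK.findall(block.group(1)))
    return links

def new_noscript_links(old, new):
    """URLs an edit introduces inside <noscript>, comparing whole revisions.

    Comparing revisions (not only added lines) also catches a link slipped
    into a <noscript> block that already existed before the edit.
    """
    return sorted(links_in_noscript(new) - links_in_noscript(old))

# Constructed revisions for illustration.
OLD = '{| class="wikitable sortable"\n|}\nSee [http://docs.example help].\n'
SPAM_EDIT = "<NoScript>\nBuy [http://spam.example here]\n</noscript>\n" + OLD
VISIBLE_EDIT = OLD + "More at [http://other.example this page].\n"
UNCLOSED_EDIT = OLD + "<noscript>[https://unclosed.example x]"

FLAGGED = new_noscript_links(OLD, SPAM_EDIT)
```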

>> Too easy to abuse: <noscript>Buy our great viagra [http://pharmacyscam.com here]</noscript>
>
> I actually don't see how this abuse is more relevant than every other abuse of a publicly editable wiki.

I think he meant that it will bypass the SpamBlacklist? (I'm guessing, I didn't test)

I tend to agree with @Platonides. At the very least, I'd like to see more use cases, and maybe a wikitech-l discussion. I don't know, it just feels like the sort of thing where users should not have to know if js is enabled or not.

>>> Too easy to abuse: <noscript>Buy our great viagra [http://pharmacyscam.com here]</noscript>
>>
>> I actually don't see how this abuse is more relevant than every other abuse of a publicly editable wiki.
>
> I think he meant that it will bypass the SpamBlacklist? (I'm guessing, I didn't test)

Why would it bypass the SpamBlacklist?

I see no reason that spam blacklist would be bypassed.

> I'm not convinced that this is needed or wanted, and <noscript> could be confusing if some content was only seen by some readers (and web spiders). Consider me neutral on the matter.
>
> And this is easy to work around – we already have 'client-js' and 'client-nojs' classes on the <body> element, so you could do this with one CSS rule in [[MediaWiki:Common.css]]:
>
> .client-js .noscript { display: none; }
>
> And use the following in pages:
>
> <div class="noscript">
> You have to turn on JS in your browser to be able to sort this table.
> </div>

Agreed.

And moreover, there is quite a big difference between "the Common.js file has executed on this page view" and "JS is disabled in this browser".

Which means <noscript> would not do the right thing. <noscript> is for showing text to people with JS disabled in their browser. But, the examples mentioned so far are more about some piece of content that doesn't work unless a gadget has loaded. There are a lot of reasons for why it might not load (including Grade C support, network troubles, slow device, timeouts, syntax issues). So ultimately, these should be solved with CSS instead and sometimes probably deserve specific styling beyond a generic .client-js rule, but that would at least be better than <noscript>.

Change 53529 abandoned by Thiemo Kreuz (WMDE):
Allow <noscript> tag in wikitext

Reason:
As discussed in T47731.

https://gerrit.wikimedia.org/r/53529