
Allow <noscript> tag
Open, Low, Public

Description

The parser (or rather the sanitizer) should allow the <noscript> tag and output it in HTML if it is present in wiki text.

Use cases:

<noscript>
You have to turn on JS in your browser to be able to sort this table.
</noscript>
{| class="wikitable sortable"
<!--
...
-->
|}


<noscript>
[[#after-long-block|Skip to after the block]]
</noscript>
<div class="mw-collapsible mw-collapsed">
Here comes much data, it is hidden by default if JavaScript is enabled.
...
</div>
<div id="after-long-block"></div>

Version: 1.21.x
Severity: enhancement

Details

Reference
bz45731

Event Timeline

bzimport raised the priority of this task to Low. Nov 22 2014, 1:19 AM
bzimport set Reference to bz45731.
Schnark created this task. Mar 5 2013, 10:48 AM

Assuming the contents of the <noscript> tags are still run through the parser/sanitizer, this should probably be fine. Are there any security concerns or issues to look out for here that you're aware of? If not, this bug can likely be marked with the "easy" keyword.

Patch in Gerrit needs review (and testing).

I'm not convinced that this is needed or wanted, and <noscript> could be confusing if some content was only seen by some readers (and web spiders). Consider me neutral on the matter.

And this is easy to work around – we already have 'client-js' and 'client-nojs' classes on the <body> element, so you could do this with one CSS rule in [[MediaWiki:Common.css]]:

.client-js .noscript { display: none; }

And use the following in pages:

<div class="noscript">
You have to turn on JS in your browser to be able to sort this table.
</div>

The <noscript> element accepts the global attributes in HTML. These are missing from the patch (as currently written, all attributes would be stripped; see also bug 55582).

Change 53529 had a related patch set uploaded (by Paladox):
Allow <noscript> tag in wikitext

https://gerrit.wikimedia.org/r/53529

Restricted Application added a subscriber: Aklapper. Sep 4 2015, 7:10 PM
Paladox set Security to None. Sep 4 2015, 7:12 PM

I'm not convinced we should be allowing <noscript>. Too easy to abuse: <noscript>Buy our great viagra [http://pharmacyscam.com here]</noscript>

With the solution that matmarex provides (which neatly solves the presented use case) at least it's possible to override it in the user js.

Count me against this proposal, unless a more convincing use case is found.

Legoktm updated the task description. Sep 5 2015, 5:09 PM

Too easy to abuse: <noscript>Buy our great viagra [http://pharmacyscam.com here]</noscript>

I actually don't see how this abuse is more relevant than every other abuse of a publicly editable wiki. It's just spam that's not visible to most people in the rendered page. But it's still visible in the diff when it is inserted. All users who have JS disabled can see and revert the spam (and all other users aren't affected by it). Communities worried about this can easily set up an AbuseFilter to log or reject those changes. Or you can search the source for "noscript". So I don't see any reason why this sort of spam should be considered as more dangerous than normal spam.
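An added example (not code from the task or from MediaWiki) of the kind of check an AbuseFilter rule could express, written in Python over constructed sample edits: it scans the added wikitext for <noscript> blocks and reports external links that appear only inside them, which is the hidden-spam pattern raised earlier in this thread.

```python
import re

# A <noscript> block (case-insensitive, optional attributes); group 1 is its body.
NOSCRIPT_RE = re.compile(r"<noscript\b[^>]*>(.*?)</noscript\s*>", re.IGNORECASE | re.DOTALL)
# External link targets in wikitext: bracketed [http://host text] or bare URLs.
EXTLINK_RE = re.compile(r"\[?(https?://[^\s\]|]+)", re.IGNORECASE)

def noscript_blocks(wikitext):
    """Return the body text of every <noscript> block in the wikitext."""
    return [m.group(1) for m in NOSCRIPT_RE.finditer(wikitext)]

def hidden_external_links(wikitext):
    """Return external link targets that occur only inside <noscript> blocks.

    Links that also occur in the visible wikitext are ignored, since they
    are not hidden from JavaScript-enabled readers.
    """
    visible = NOSCRIPT_RE.sub("", wikitext)
    visible_links = set(EXTLINK_RE.findall(visible))
    hidden = []
    for body in noscript_blocks(wikitext):
        for url in EXTLINK_RE.findall(body):
            if url not in visible_links and url not in hidden:
                hidden.append(url)
    return hidden

def flag_edit(added_lines):
    """Filter-style decision over the lines an edit adds: True when a
    <noscript> block introduces an external link not visible elsewhere."""
    return bool(hidden_external_links("\n".join(added_lines)))

# Constructed sample edits (hypothetical; example.com is a placeholder host).
LEGIT_EDIT = [
    "<noscript>",
    "You have to turn on JS in your browser to be able to sort this table.",
    "</noscript>",
    '{| class="wikitable sortable"',
    "|}",
]
SPAM_EDIT = [
    "Some ordinary paragraph.",
    "<noscript>Buy our great product [http://example.com/shop here]</noscript>",
]

if __name__ == "__main__":
    print(flag_edit(LEGIT_EDIT))   # False
    print(flag_edit(SPAM_EDIT))    # True
    print(hidden_external_links("\n".join(SPAM_EDIT)))  # ['http://example.com/shop']
```

A real filter would run this over the diff's added lines only, so a link already present in the visible article text does not trigger it.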

Too easy to abuse: <noscript>Buy our great viagra [http://pharmacyscam.com here]</noscript>

I actually don't see how this abuse is more relevant than every other abuse of a publicly editable wiki.

I think he meant that it will bypass the SpamBlacklist? (I'm guessing, I didn't test)

I tend to agree with @Platonides. At the very least, I'd like to see more use cases, and maybe a wikitech-l discussion. I don't know, it just feels like the sort of thing where users should not have to know if JS is enabled or not.

Restricted Application added a subscriber: TerraCodes. May 26 2016, 8:09 PM
Nirmos added a subscriber: Nirmos. Sep 14 2017, 12:21 PM

Too easy to abuse: <noscript>Buy our great viagra [http://pharmacyscam.com here]</noscript>

I actually don't see how this abuse is more relevant than every other abuse of a publicly editable wiki.

I think he meant that it will bypass the SpamBlacklist? (I'm guessing, I didn't test)

Why would it bypass the SpamBlacklist?

I see no reason that spam blacklist would be bypassed