Page MenuHomePhabricator
Create Task
Maniphest T54941

Refactor sanitizer to work on the DOM too
Open, MediumPublic
Actions

Description

Currently we always serialize to wikitext and re-parse that to HTML, which runs the sanitizer on the token stream to ensure that our final HTML does not cause bad things to happen.

Soon both us and the Flow team want to store HTML from the VisualEditor directly without first serializing to wikitext. This means that we need to perform the sanitization on the HTML instead of the token stream. For performance, sanitizing on the way in would be preferable. We should however support re-sanitization when new issues were discovered. This could potentially be coupled with the versioning discussed in bug 52937. A new sanitizer could bump the version number, and the upgrade path would then run the new sanitizer on old HTML (and probably update the storage with the newly sanitized version).

Version: unspecified
Severity: normal

Details

Reference
bz52941

Related Objects

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 22 2014, 1:51 AM
bzimport added a project: Parsoid-DOM.
bzimport set Reference to bz52941.
GWicke created this task.Aug 16 2013, 6:28 PM
marcoil removed GWicke as the assignee of this task.Nov 25 2014, 6:31 PM
marcoil added a project: Parsoid.
marcoil set Security to None.
Arlolra mentioned this in T144467: Security review for Google MT for Content Translation.Jun 29 2017, 2:13 PM
GWicke added a comment.Jun 29 2017, 4:02 PM

Note that tokens are equivalent to SAX events. This suggests the following option for hooking up the current sanitizer to process a DOM:

  • Traverse the input DOM, emit SAX events
  • feed SAX events through the sanitizer
  • feed the resulting tokens / SAX events back to a HTML / XML DOM tree builder
santhosh mentioned this in T169295: Sanitize MT service output HTML.Jun 30 2017, 5:05 AM
Bawolff subscribed.Dec 20 2017, 2:09 PM
KartikMistry subscribed.Jan 31 2018, 7:03 AM
LGoto moved this task from Needs Triage to Backlog on the Parsoid board.Feb 17 2020, 4:43 PM
ssastry moved this task from Backlog to Future Ideas on the Parsoid board.May 13 2020, 10:45 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL