ResourceLoader: Implement support for LESS in wiki modules (user and site), supporting e.g. MediaWiki:Common.less
Open, Lowest, Public

Description

LESS support was recently added for RL, but only for core/extension generated modules. It would be nice if users could also create their own .less subpages (or MediaWiki: pages for sitewide) that RL would automatically compile into CSS.

Ori mentioned on IRC that there may be some security issues that need to be addressed like @import "/etc/passwd";


Version: 1.22.0
Severity: enhancement

Details

Reference
bz54864
Legoktm created this task. Oct 2 2013, 4:46 AM
brion added a comment. Oct 2 2013, 4:37 PM

Yes, we'll need to devise some way to override the @import handling...

Extending summary because I spent way too long looking for this bug.

Note that besides other security vectors, there's also a DOS vector. Small .less files that generate several gigabytes of output and consume large amounts of CPU for long periods of time can be made.

Using LESS inside the user space is in my opinion of very little value because, contrary to the file system, there wouldn't be much re-use or composition. It'd basically just be syntactical sugar for something that is relatively trivial to do without LESS.

It might even be something we'll never do, or do much later on once we get a grip on more important things and have found ways around the problems it introduces.

At this point I'd recommend against writing a patch, as it wouldn't be ready for approval.
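
A pre-compile check for the @import concern raised in this task, as an added example that is not part of the thread or of MediaWiki's code: the hypothetical helper findLessImports() scans user-supplied LESS and reports every @import statement, so a page can be rejected before it reaches the compiler. The sample input is constructed.

```php
<?php
/**
 * Added example (hypothetical helper, not MediaWiki code): list every
 * @import statement in user-supplied LESS source.
 * Block comments and quoted strings are skipped. "//" comments are NOT
 * skipped, because "//" also occurs in unquoted url(http://...) values;
 * a commented-out import is therefore still reported (fail closed).
 */
function findLessImports(string $src): array {
    $re = '/\G@import(?![\w-])((?:"[^"]*"|\'[^\']*\'|[^;"\'])*)/i';
    $found = [];
    $len = strlen($src);
    [$line, $i] = [1, 0];
    while ($i < $len) {
        $c = $src[$i];
        $next = $i + 1;
        if ($c === '/' && substr($src, $i, 2) === '/*') {
            // Block comment: skip to the closing marker or end of input.
            $end = strpos($src, '*/', $i + 2);
            $next = $end === false ? $len : $end + 2;
        } elseif ($c === '"' || $c === "'") {
            // Quoted string: skip to the matching quote, honouring escapes.
            $j = $i + 1;
            while ($j < $len && $src[$j] !== $c) {
                $j += ($src[$j] === '\\') ? 2 : 1;
            }
            $next = min($j + 1, $len);
        } elseif ($c === '@' && preg_match($re, $src, $m, 0, $i)) {
            // The lookahead keeps LESS variables such as @important out.
            $found[] = ['line' => $line, 'statement' => trim($m[1])];
            $next = $i + strlen($m[0]);
        }
        // Keep the line counter in step with whatever span was consumed.
        $line += substr_count($src, "\n", $i, $next - $i);
        $i = $next;
    }
    return $found;
}

// Constructed sample input.
$sample = <<<'LESS'
/* @import "commented-out.less"; */
.a { content: "@import 'inside-a-string'"; }
@important: 1px;
@import "/etc/passwd";
// @import "line-comment.less";
LESS;
foreach (findLessImports($sample) as $hit) {
    printf("line %d: @import %s\n", $hit['line'], $hit['statement']);
}
```

A check like this covers only the @import vector; the CPU and output-size concern raised in the comment above needs limits on the compile step itself.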

Jdlrobson added a comment. Edited Dec 11 2014, 11:24 PM

Actually I think replacing Common.css with Common.less outright (see T78345) would be a great idea from an organisation perspective. The use of nesting is an invaluable way to identify dead code blocks and keep these messy wiki pages organised.
See https://www.mediawiki.org/wiki/Requests_for_comment/LESS#Case_study:_LESS_in_MobileFrontend

onei added a subscriber: onei. Jan 9 2015, 2:27 AM

Actually I think replacing Common.css with Common.less outright (see T78345) would be a great idea from an organisation perspective. The use of nesting is an invaluable way to identify dead code blocks and keep these messy wiki pages organised.

Nesting would (and should) not be used in most cases relevant in that scenario. It's quite often misused.
