Last modified: 2011-12-22 10:41:51 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T31281, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 29281 - HTML tag list forbidden in uploads should be configurable
HTML tag list forbidden in uploads should be configurable
Status: RESOLVED WONTFIX
Product: MediaWiki
Classification: Unclassified
File management (Other open bugs)
unspecified
All All
: Normal enhancement (vote)
: ---
Assigned To: Nobody - You can work on this!
: patch, patch-reviewed
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2011-06-06 14:30 UTC by Vitaliy Filippov
Modified: 2011-12-22 10:41 UTC (History)
3 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
Patch (1.71 KB, patch)
2011-06-06 14:30 UTC, Vitaliy Filippov 		Details
Add an attachment (proposed patch, testcase, etc.)

Description Vitaliy Filippov 2011-06-06 14:30:45 UTC 
Created attachment 8623 [details]
Patch

MW needs to allow to allow :) some HTML in uploads. This is needed, for example, for SVG uploads. The simplest way to do so is to allow user to configure forbidden tag list.
Patch is attached.
Comment 1 Bryan Tong Minh 2011-06-06 15:00:13 UTC 
The problem with HTML tags in uploads is that Internet Explorer 6 may detect the file as HTML and execute any embedded javascript. However, now that we have IEContentAnalyzer the checks in UploadBase should probably need to be removed. I should check this.
Comment 2 Sam Reed (reedy) 2011-06-06 15:40:06 UTC 
If you're adding a new global, it should be defined in DefaultSettings
Comment 3 Brion Vibber 2011-06-06 18:00:44 UTC 
Note that there is already a $wgAllowTitlesInSVG setting which excludes the check for '<title' from UploadBase::detectScript()'s checks on SVG files.

If however you want to upload *scripted* SVG files, or SVG files that embed HTML documents that otherwise trigger the detecty things, then you might be tripping the general checks. What exactly is it you're encountering?
Comment 4 Vitaliy Filippov 2011-06-06 20:08:05 UTC 
It was some time ago and I've forgot the details... Now I've looked into our bugtracker, it was not SVG at all, it was FreeMind/FreePlane Mindmap problem - they can have HTML embedded (<html> tag).
Comment 5 Sumana Harihareswara 2011-12-22 05:02:03 UTC 
Vitaliy, I'm sorry, but in the months since you submitted this patch, trunk has changed such that the patch no longer cleanly applies.  If this problem still needs fixing, would you mind updating the patch and reattaching it?  If you do that and let me or Mark Hershberger know, we'll find someone to review it fairly soon.

Thanks, and my apologies on the wait.
Comment 6 Tim Starling 2011-12-22 10:41:51 UTC 
Marking WONTFIX, since there's no way the method requested can be secure. Some other solution may be possible for these Mindmap files, but that should be requested in another bug. Please do not update the patch.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links