Last modified: 2011-12-22 10:41:51 UTC
Created attachment 8623 [details] Patch MW needs to allow to allow :) some HTML in uploads. This is needed, for example, for SVG uploads. The simplest way to do so is to allow user to configure forbidden tag list. Patch is attached.
The problem with HTML tags in uploads is that Internet Explorer 6 may detect the file as HTML and execute any embedded javascript. However, now that we have IEContentAnalyzer the checks in UploadBase should probably need to be removed. I should check this.
If you're adding a new global, it should be defined in DefaultSettings
Note that there is already a $wgAllowTitlesInSVG setting which excludes the check for '<title' from UploadBase::detectScript()'s checks on SVG files. If however you want to upload *scripted* SVG files, or SVG files that embed HTML documents that otherwise trigger the detecty things, then you might be tripping the general checks. What exactly is it you're encountering?
It was some time ago and I've forgot the details... Now I've looked into our bugtracker, it was not SVG at all, it was FreeMind/FreePlane Mindmap problem - they can have HTML embedded (<html> tag).
Vitaliy, I'm sorry, but in the months since you submitted this patch, trunk has changed such that the patch no longer cleanly applies. If this problem still needs fixing, would you mind updating the patch and reattaching it? If you do that and let me or Mark Hershberger know, we'll find someone to review it fairly soon. Thanks, and my apologies on the wait.
Marking WONTFIX, since there's no way the method requested can be secure. Some other solution may be possible for these Mindmap files, but that should be requested in another bug. Please do not update the patch.