Last modified: 2013-05-01 21:18:47 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T39248, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 37248 - CSS attributes stripped when raw HTML is allowed
Status: NEW
Product: MediaWiki
Classification: Unclassified
Component: Parser
Version: unspecified
Hardware: All All
Importance: Low normal
Target Milestone: ---
Assigned To: Nobody
Keywords: easy

Reported: 2012-05-31 16:03 UTC by MZMcBride
Modified: 2013-05-01 21:18 UTC

Description MZMcBride 2012-05-31 16:03:26 UTC
This is typical (default) MediaWiki behavior.

Input:
<span style="background-image:url('hello.jpg')"></span>

Output:
<span style="/* insecure input */"></span>

MediaWiki strips out the style attribute completely if it detects possibly dangerous code. However, on a wiki such as wikimediafoundation.org, $wgRawHtml is allowed.

Input:
<span style="<html>background-image:url('hello.jpg')</html>"></span>

Output:
<span style="/* insecure input */"></span>

This is the wrong behavior. Content inside <html> tags should be left untouched. There are workarounds here, but they shouldn't be necessary. MediaWiki shouldn't be touching content within the <html> tags.

This needs a parser tweak and parser tests, I think.

Comment 1 ganeshaditya1 2013-05-01 11:36:28 UTC
Unable to reproduce the bug.

As per the sanitizer class, any style tag which uses url, filter, accelerator, or expression is blocked, as you have shown.

But when I put in the HTML code as you have shown, it's not parsing anything between the HTML tags and is outputting it as it is, along with the html tag.

<span style="<html>background-color:url('images/red.png');</html>"> sdf</span>asd
is being output as it is.

Comment 2 ganeshaditya1 2013-05-01 11:39:52 UTC
This seems to be the flow for style tags:

decode character references -> get the style script before the first comment beginning (/*) -> reject control characters -> reject (element, accelerator, filter, url)

So anything between html passes the filtering, but the browser won't render it, I guess.

Comment 3 ganeshaditya1 2013-05-01 11:48:02 UTC
Stupid question...
Shouldn't there be any workarounds to allow URLs?
Is the html tag the only workaround?

Comment 4 MZMcBride 2013-05-01 21:18:47 UTC
(In reply to comment #1)
> Unable to reproduce the bug.

This bug is trivial to reproduce. Here's an example: <https://wikimediafoundation.org/w/index.php?title=Wikimedia:Sandbox&oldid=91728>.

The HTML output is:

---
<span style="/* insecure input */">testing for bug 37248</span>
---

(In reply to comment #3)
> Shouldn't there be any workarounds to allow URLs?
> Is the html tag the only workaround?

I don't know, but this seems irrelevant to this bug. This bug is about content within <html> tags being improperly sanitized. Content within <html> tags should be passed as-is without being sanitized. Please re-read comment 0 for a full explanation.
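
Added example (not part of the bug thread and not MediaWiki's Sanitizer code): a simplified Python model of the style-value flow listed in comment 2, run over the two inputs from the description. The regular expressions and the control-character placeholder are assumptions; it shows that a keyword check applied to the whole attribute string returns the same placeholder whether or not the value is wrapped in <html>.

```python
import html
import re

INSECURE = "/* insecure input */"        # placeholder shown in the report
CONTROL = "/* invalid control char */"   # placeholder text assumed for this sketch

# Keyword list from comment 1 (url, filter, accelerator, expression).
# The exact patterns are an assumption, not copied from MediaWiki.
BLOCKED = re.compile(r"expression|filter\s*:|accelerator\s*:|url\s*\(", re.IGNORECASE)
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0e-\x1f\x7f]")


def check_css(value: str) -> str:
    """Return the style value if it passes every step, else a placeholder."""
    # 1. Decode character references so "&#117;rl(" cannot hide a keyword.
    value = html.unescape(value)
    # 2. Keep only the text before the first comment opener.
    value = value.split("/*", 1)[0]
    # 3. Reject control characters.
    if CONTROL_CHARS.search(value):
        return CONTROL
    # 4. Reject blocked constructs anywhere in what is left. This step sees
    #    plain text only; an <html> wrapper has no meaning to it.
    if BLOCKED.search(value):
        return INSECURE
    return value


# Constructed sample inputs: the first two are the style values from the
# description, the rest exercise the other steps of the flow.
SAMPLES = [
    "background-image:url('hello.jpg')",
    "<html>background-image:url('hello.jpg')</html>",
    "background-image:&#117;rl('hello.jpg')",
    "color:red/* url(x) */",
    "color:\x01red",
    "color:red",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:55} -> {check_css(sample)!r}")
```

Passing raw HTML through untouched, as the report asks, would require the <html> section to be recognised before a check like step 4 runs on the attribute value.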
