Last modified: 2013-05-01 21:18:47 UTC
This is typical (default) MediaWiki behavior.

Input: <span style="background-image:url('hello.jpg')"></span>
Output: <span style="/* insecure input */"></span>

MediaWiki strips out the style attribute completely if it detects possibly dangerous code.

However, on a wiki such as wikimediafoundation.org, $wgRawHtml is allowed.

Input: <span style="<html>background-image:url('hello.jpg')</html>"></span>
Output: <span style="/* insecure input */"></span>

This is the wrong behavior. Content inside <html> tags should be left untouched. There are workarounds here, but they shouldn't be necessary. MediaWiki shouldn't be touching content within the <html> tags. This needs a parser tweak and parser tests, I think.
Unable to reproduce the bug. As per the sanitizer class, any style tag which uses url, filter, accelerator, or expression is blocked, as you have shown. But when I put in the HTML code as you have shown, it's not parsing anything between the HTML tags and is outputting it as it is, along with the html tag: <span style="<html>background-color:url('images/red.png');</html>"> sdf</span>asd is being output as it is.
This seems to be the flow for style tags: decode character references -> get the style script before the first comment beginning (/*) -> reject control characters -> reject (element, accelerator, filter, url). So anything between html passes the filtering, but the browser won't render it, I guess.
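A simplified Python model of the four-step flow listed in the comment above, added here as an illustration; it is not MediaWiki's Sanitizer code and not part of any comment in this thread. It does not model how $wgRawHtml treats <html> blocks, only what such a filter returns for the attribute strings quoted in the report. Assumptions: the function name, plain substring matching on the keywords listed in comment 1, and the control-character marker string.

```python
import html
import re

# Keywords taken from comment 1; case-insensitive substring matching is an
# assumption of this sketch, not the project's actual pattern.
BLOCKED = re.compile(r"url|filter|accelerator|expression", re.IGNORECASE)
# ASCII control characters other than tab, LF, VT, FF and CR, plus DEL.
CONTROL = re.compile(r"[\x00-\x08\x0e-\x1f\x7f]")

INSECURE = "/* insecure input */"               # marker shown in the report
REJECT_CONTROL = "/* control char rejected */"  # constructed placeholder


def check_style(value: str) -> str:
    """Return the style value if it passes, otherwise a rejection marker."""
    # 1. Decode character references so "&#117;rl(" is seen as "url(".
    value = html.unescape(value)
    # 2. Keep only the text before the first comment start.
    value = value.split("/*", 1)[0]
    # 3. Reject control characters.
    if CONTROL.search(value):
        return REJECT_CONTROL
    # 4. Reject blocked keywords wherever they occur in the string.
    if BLOCKED.search(value):
        return INSECURE
    return value


if __name__ == "__main__":
    # Constructed samples; the first two are the style values from the report.
    samples = [
        "background-image:url('hello.jpg')",
        "<html>background-image:url('hello.jpg')</html>",
        "background-image:&#117;rl('hello.jpg')",
        "color:red/* note */;background:url(x)",
        "color:red",
    ]
    for s in samples:
        print(f"{s!r:55} -> {check_style(s)!r}")
```

The filter sees only the attribute string, so a wrapper inside the value does not change the result of the keyword step.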
Stupid question: shouldn't there be any workarounds to allow URLs? Is the html tag the only workaround?
(In reply to comment #1)
> Unable to reproduce the bug.

This bug is trivial to reproduce. Here's an example: <https://wikimediafoundation.org/w/index.php?title=Wikimedia:Sandbox&oldid=91728>.

The HTML output is:
---
<span style="/* insecure input */">testing for bug 37248</span>
---

(In reply to comment #3)
> Shouldn't there be any workarounds to allow url's?
> Is html tag the only workaround?

I don't know, but this seems irrelevant to this bug. This bug is about content within <html> tags being improperly sanitized. Content within <html> tags should be passed as-is without being sanitized. Please re-read comment 0 for a full explanation.