Last modified: 2011-11-22 23:02:16 UTC
The extension should add a custom URL parameter to the link and hook into RawPageViewBeforeOutput to sanitize CSS requests with that parameter. Inline CSS is already sanitized, and "external" files can't/shouldn't be sanitized. However, the same custom URL parameter must be appended to "external" includes so if they are actually referencing wiki pages, they will be sanitized appropriately. "external" URLs should also be expanded and verified to be inside the base (to prevent "../../").
I also need to turn the inline styles into a link tag to eliminate any injection possibility there.
Should be taken care of in r103771.
I don't think going through javascript would be needed.
(In reply to comment #3)
> I don't think going through javascript would be needed.

Care to elaborate?
We have code for CSS sanitizing in other parts of MediaWiki, the CSSMin class is able to remap and datify CSS URLs... I'm not an expert with that part, but I think the needed pieces should be there.
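The base-path check from the bug description (expand the "external" URL, then verify it is still inside the base so that "../../" cannot escape), as an added example that is not the extension's code and not taken from r103771. The function names, the base path "/w" and the sample URLs are assumptions made for illustration.

```php
<?php
// Added illustration; pathInsideBase() and removeDotSegments() are hypothetical helpers.

/** Collapse "." and ".." path segments so traversal is resolved before comparison. */
function removeDotSegments(string $path): string {
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '..') {
            array_pop($out);            // step up one level, never above the root
        } elseif ($seg !== '.' && $seg !== '') {
            $out[] = $seg;
        }
    }
    return '/' . implode('/', $out);
}

/** Return the expanded path if $url stays inside $base, otherwise null. */
function pathInsideBase(string $url, string $base): ?string {
    $parts = parse_url($url);
    // Unparsable input, or anything with a scheme or host, is not a local include.
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return null;
    }
    $path = rawurldecode($parts['path'] ?? '');
    // Refuse backslashes, control bytes and leftover escapes (double encoding).
    if ($path === '' || preg_match('/[\\\\%\x00-\x1f]/', $path)) {
        return null;
    }
    // Relative references are expanded against the base first.
    if ($path[0] !== '/') {
        $path = rtrim($base, '/') . '/' . $path;
    }
    $resolved = removeDotSegments($path);
    $root = rtrim(removeDotSegments($base), '/') . '/';
    // Trailing slash on both sides so "/w-other" does not pass for base "/w".
    return strncmp($resolved . '/', $root, strlen($root)) === 0 ? $resolved : null;
}

// Constructed sample inputs, checked against the assumed base "/w".
$samples = [
    'skins/common/shared.css',
    '/w/index.php?title=MediaWiki:Common.css&action=raw',
    '../../private/site.css',
    '/w/%2e%2e/%2e%2e/private/site.css',
    '//cdn.example/site.css',
    '/w-other/site.css',
];
foreach ($samples as $url) {
    echo str_pad($url, 52), ' => ', var_export(pathInsideBase($url, '/w'), true), "\n";
}
```

Only URLs that return a path here would then get the custom parameter appended; the rest are dropped before output.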