Our wiki has a template that displays a mini-periodical table. Each table entry is represented by a small box, which is a link to the corresponding element's page.
When we upgraded to 1.16.2, this template stopped working. I have traced the problem to some html added as link text. Specifically, an element (in this case Hydrogen) is represented by:
[[Hydrogen |<div style="filter:alpha(opacity=99); -moz-opacity:.99; opacity:.99; width:6px; height:9px; border-bottom:1px solid #fff; border-left:1px solid #fff; border-top:1px solid #fff; border-right:1px solid #fff; background-color:#333"> </div> ]]
When I inspect the output html at the browser, the output div is:
<div style="/* insecure input */" ...
When I remove "filter:alpha(opacity=99);" from the link text, things work fine (at least on FF and Safari). Investigating, it seems the "filter:alpha(opacity=99);" attribute is an IE specific opacity setting.
I am attempting to fix this problem, but I don't know where the "/* insecure input */" value is generated. Is it in the parser? Is it by the browser? Somewhere else? Is there some global I can set to eliminate this behavior? Is the value "filter:alpha(opacity=99);" obsolete, necessitating it to be changed to something else?
On Thu, Apr 28, 2011 at 11:29 AM, Dan Nessett dnessett@yahoo.com wrote:
> When I inspect the output html at the browser, the output div is:
> <div style="/* insecure input */" ...
> When I remove "filter:alpha(opacity=99);" from the link text, things work fine (at least on FF and Safari). Investigating, it seems the "filter:alpha(opacity=99);" attribute is an IE specific opacity setting.
> I am attempting to fix this problem, but I don't know where the "/* insecure input */" value is generated. Is it in the parser? Is it by the browser? Somewhere else? Is there some global I can set to eliminate this behavior?
Sanitizer::checkCss(). There are no settings available to control this, it's just part of the hardcoded filters.
> Is the value "filter:alpha(opacity=99);" obsolete, necessitating it to be changed to something else?
Well, it is obsolete in two senses: current versions of IE (9+) do not require it as they support CSS's native opacity, and slightly older versions of IE (7/8...?) actually specify a slightly different syntax for the filter spec and don't always recognize the old IE 4 style you're using: http://www.quirksmode.org/css/opacity.html
But that's not why it's being stripped: various little CSS extensions like 'expression', xbl bindings, and IE's 'filter's are potentially unsafe, though it's unclear to me at the moment exactly how dangerous the filters are as I haven't looked at it in ages (is the set of filters open-ended or fixed? do any of them allow loading offsite content or executing JS code?)
If you need to maintain support on old IEs that don't understand standard opacity, the simplest thing you can do here is to move some of your styles from inline attributes to global CSS that you can stick on in the MediaWiki:Common.css (or use the CSS extension to include it in a <style> on pages using the templates).
Not only will this avoid hitting the standard content safety filters within the wiki templates, it'll reduce the overall weight of your page.
-- brion
On 29/04/11 04:50, Brion Vibber wrote:
> But that's not why it's being stripped: various little CSS extensions like 'expression', xbl bindings, and IE's 'filter's are potentially unsafe, though it's unclear to me at the moment exactly how dangerous the filters are as I haven't looked at it in ages (is the set of filters open-ended or fixed? do any of them allow loading offsite content or executing JS code?)
See the comments on
http://www.mediawiki.org/wiki/Special:Code/MediaWiki/66990
The set of filters is open-ended, and can be extended by IE plugins. Microsoft has shown precisely zero interest in fixing the serious security vulnerability I found in ICMFilter, which suggests that they will have no qualms about adding more security vulnerabilities accessible via filter rules. The format of the filter string is complex and not precisely documented, so whitelisting opacity would be non-trivial even if we wanted to do it.
-- Tim Starling
mediawiki-l@lists.wikimedia.org
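
Added example, not part of the thread and not MediaWiki's own code: a simplified sketch of a fail-closed inline-style check of the kind the replies describe, showing why one "filter:" declaration replaces the whole style attribute and why the value has to be normalized before matching. The function name checkInlineStyle and the keyword list are assumptions made for illustration; only the "/* insecure input */" placeholder comes from the thread.

```php
<?php
// Added illustration: hypothetical function, not MediaWiki's Sanitizer::checkCss().
// Assumption: the keyword list below only covers constructs named in the thread.

function checkInlineStyle(string $value): string
{
    $rejected = '/* insecure input */';   // placeholder string seen in the thread

    // Decode HTML character references so "&#102;ilter:" cannot hide a keyword.
    $value = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Remove complete CSS comments so "fil/**/ter:" is matched as "filter:".
    $value = preg_replace('!/\*.*?\*/!s', '', $value);

    // Decode CSS hex escapes such as "\66 ilter" (U+0066 is "f"). Needs mbstring.
    $value = preg_replace_callback(
        '/\\\\([0-9a-f]{1,6})\s?/i',
        function (array $m): string {
            $char = mb_chr(hexdec($m[1]), 'UTF-8');
            return $char === false ? '' : $char;
        },
        $value
    );

    // A leftover backslash or unclosed comment is ambiguous, so fail closed.
    if (strpos($value, '\\') !== false || strpos($value, '/*') !== false) {
        return $rejected;
    }

    // One risky construct anywhere discards the whole attribute value.
    if (preg_match('/expression|filter\s*:|-moz-binding/i', $value)) {
        return $rejected;
    }
    return $value;
}

// Constructed sample inputs; the first is shortened from the template in the thread.
$samples = [
    'filter:alpha(opacity=99); opacity:.99; width:6px; height:9px',
    'opacity:.99; width:6px; height:9px',
    'fil/**/ter:alpha(opacity=99)',
    '\66 ilter:alpha(opacity=99)',
    '&#102;ilter:alpha(opacity=99)',
];
foreach ($samples as $style) {
    printf("%-62s => %s\n", $style, checkInlineStyle($style));
}
```

Only the second sample passes through unchanged; the same declarations placed in a site stylesheet such as MediaWiki:Common.css never reach a check like this, which is why the reply suggests moving them there.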