On Thu, Apr 28, 2011 at 11:29 AM, Dan Nessett dnessett@yahoo.com wrote:

When I inspect the output html at the browser, the output div is:

<div style="/* insecure input */" ...

When I remove "filter:alpha(opacity=99);" from the link text, things work fine (at least on FF and Safari). Investigating, it seems the "filter:alpha(opacity=99);" attribute is an IE specific opacity setting.

I am attempting to fix this problem, but I don't know where the "/* insecure input */" value is generated. Is it in the parser? Is by the browser? Somewhere else? Is there some global I can set to eliminate this behavior?

Sanitizer::checkCss(). There are no settings available to control this, it's just part of the hardcoded filters.

Is the value "filter:alpha(opacity=99);" obsolete,

necessitating it to be changed to something else?

Well, it is obsolete in two senses: current versions of IE (9+) do not require it as they support CSS's native opacity, and slightly older versions of IE (7/8...?) actually specify a slightly different syntax for the filter spec and don't always recognize the old IE 4 style you're using: http://www.quirksmode.org/css/opacity.html

But that's not why it's being stripped: various little CSS extensions like 'expression', xbl bindings, and IE's 'filter's are potentially unsafe, though it's unclear to me at the moment exactly how dangerous the filters are as I haven't looked at it in ages (is the set of filters open-ended or fixed? do any of them allow loading offsite content or executing JS code?)

If you need to maintain support on old IEs that don't understand standard opacity, the simplest thing you can do here is to move some of your styles from inline attributes to global CSS that you can stick on in the MediaWiki:Common.css (or use the CSS extension to include it in a <style> on pages using the templates).

Not only will this avoid hitting the standard content safety filters within the wiki templates, it'll reduce the overall weight of your page.

-- brion