[Mediawiki-l] div style = "/* insecure input */"

Dan Nessett dnessett at yahoo.com
Thu Apr 28 18:29:30 UTC 2011

Our wiki has a template that displays a mini-periodical table. Each table 
entry is represented by a small box, which is a link to the corresponding 
element's page.

When we upgraded to 1.16.2, this template stopped working. I have traced 
the problem to some html added as link text. Specifically, an element (in 
this case Hydrogen) is represented by:

[[Hydrogen |<div style="filter:alpha(opacity=99);
-moz-opacity:.99; opacity:.99;
border-bottom:1px solid #fff;
border-left:1px solid #fff;
border-top:1px solid #fff;
border-right:1px solid #fff; background-color:#333">
</div> ]]

When I inspect the output html at the browser, the output div is:

<div style="/* insecure input */" ...

When I remove "filter:alpha(opacity=99);" from the link text, things work 
fine (at least on FF and Safari). Investigating, it seems the 
"filter:alpha(opacity=99);" attribute is an IE specific opacity setting.

I am attempting to fix this problem, but I don't know where the "/* 
insecure input */" value is generated. Is it in the parser? Is it by the 
browser? Somewhere else? Is there some global I can set to eliminate this 
behavior? Is the value "filter:alpha(opacity=99);" obsolete, 
necessitating it to be changed to something else?

-- Dan Nessett
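
The substitution described in this message is what a server-side denylist check on `style` attributes produces: one denied declaration causes the whole value to be replaced, so the opacity and border rules are lost along with the `filter:` one. The following is an added sketch, not part of the original post and not MediaWiki's own code; the pattern list and the names `check_css`, `normalize` and `DENYLIST` are assumptions made for illustration.

```python
import re

PLACEHOLDER = "/* insecure input */"  # the value seen in the post's rendered HTML

# Assumed denylist for illustration only; not copied from MediaWiki.
DENYLIST = re.compile(
    r"[\x00-\x08\x0e-\x1f\x7f]"  # control characters
    r"|expression"               # IE dynamic expressions
    r"|filter\s*:"               # IE filter property, e.g. filter:alpha(...)
    r"|accelerator\s*:"          # IE-only property
    r"|url\s*\(",                # external resource loads
    re.IGNORECASE,
)
_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})\s?|\\(.)", re.DOTALL)
_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)


def _decode_escape(match):
    """Turn one CSS escape (\\69 or \\x) into the character it stands for."""
    if match.group(1):
        codepoint = int(match.group(1), 16)
        return chr(codepoint) if 0 < codepoint <= 0x10FFFF else "\ufffd"
    return match.group(2)


def normalize(value):
    """Decode escapes and drop comments so neither can hide a denied token."""
    return _COMMENT.sub("", _ESCAPE.sub(_decode_escape, value))


def check_css(value):
    """Return value unchanged if clean; otherwise replace the WHOLE value."""
    normalized = normalize(value)
    if "/*" in normalized or DENYLIST.search(normalized):
        return PLACEHOLDER
    return value


# Style value from the post, joined onto one line.
REPORTED = (
    "filter:alpha(opacity=99); -moz-opacity:.99; opacity:.99; "
    "border-bottom:1px solid #fff; border-left:1px solid #fff; "
    "border-top:1px solid #fff; border-right:1px solid #fff; background-color:#333"
)
WITHOUT_FILTER = REPORTED.replace("filter:alpha(opacity=99); ", "")

if __name__ == "__main__":
    print(check_css(REPORTED))
    print(check_css(WITHOUT_FILTER))
```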
