[Mediawiki-l] div style = "/* insecure input */"

Brion Vibber brion at pobox.com
Thu Apr 28 18:50:05 UTC 2011


On Thu, Apr 28, 2011 at 11:29 AM, Dan Nessett <dnessett at yahoo.com> wrote:

> When I inspect the output html at the browser, the output div is:
>
> <div style="/* insecure input */" ...
>
> When I remove "filter:alpha(opacity=99);" from the link text, things work
> fine (at least on FF and Safari). Investigating, it seems the
> "filter:alpha(opacity=99);" attribute is an IE specific opacity setting.
>
> I am attempting to fix this problem, but I don't know where the "/*
> insecure input */" value is generated. Is it in the parser? Is by the
> browser? Somewhere else? Is there some global I can set to eliminate this
> behavior?


Sanitizer::checkCss(). There are no settings available to control this, it's
just part of the hardcoded filters.

Is the value "filter:alpha(opacity=99);" obsolete,
> necessitating it to be changed to something else?
>

Well, it is obsolete in two senses: current versions of IE (9+) do not
require it as they support CSS's native opacity, and slightly older versions
of IE (7/8...?) actually specify a slightly different syntax for the filter
spec and don't always recognize the old IE 4 style you're using:
http://www.quirksmode.org/css/opacity.html

But that's not why it's being stripped: various little CSS extensions like
'expression', xbl bindings, and IE's 'filter's are potentially unsafe,
though it's unclear to me at the moment exactly how dangerous the filters
are as I haven't looked at it in ages (is the set of filters open-ended or
fixed? do any of them allow loading offsite content or executing JS code?)


If you need to maintain support on old IEs that don't understand standard
opacity, the simplest thing you can do here is to move some of your styles
from inline attributes to global CSS that you can stick on in the
MediaWiki:Common.css (or use the CSS extension to include it in a <style> on
pages using the templates).

Not only will this avoid hitting the standard content safety filters within
the wiki templates, it'll reduce the overall weight of your page.

-- brion


More information about the MediaWiki-l mailing list