[Mediawiki-l] div style = "/* insecure input */"

Tim Starling tstarling at wikimedia.org
Fri Apr 29 01:23:30 UTC 2011


On 29/04/11 04:50, Brion Vibber wrote:
> But that's not why it's being stripped: various little CSS extensions like
> 'expression', xbl bindings, and IE's 'filter's are potentially unsafe,
> though it's unclear to me at the moment exactly how dangerous the filters
> are as I haven't looked at it in ages (is the set of filters open-ended or
> fixed? do any of them allow loading offsite content or executing JS code?)

See the comments on

http://www.mediawiki.org/wiki/Special:Code/MediaWiki/66990

The set of filters is open-ended, and can be extended by IE plugins.
Microsoft has shown precisely zero interest in fixing the serious
security vulnerability I found in ICMFilter, which suggests that they
will have no qualms about adding more security vulnerabilities
accessible via filter rules. The format of the filter string is
complex and not precisely documented, so whitelisting opacity would be
non-trivial even if we wanted to do it.

-- Tim Starling
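As an added illustration of the defensive shape this thread argues for (not MediaWiki's own Sanitizer code, and written here as a hypothetical example): a style-attribute filter that allowlists a small set of properties and, before matching, undoes the CSS comments and hex escapes that let a token like `expression(` or `-moz-binding` slip past a naive string search. Property names such as `filter` and `behavior` never reach the value check at all, because they are simply not on the allowlist; the allowlist contents and the rejection patterns are this example's assumptions.

```python
import re

# Hypothetical allowlist of properties a conservative sanitizer keeps.
# Note what is absent: filter, behavior, -moz-binding are not listed, so
# they are dropped without needing any knowledge of their value syntax.
ALLOWED_PROPERTIES = {
    "color", "background-color", "font-size", "font-weight", "text-align",
    "width", "height", "margin", "padding", "border", "display",
}

# Value fragments that must never survive, even inside an allowed property:
# IE expression(), XBL bindings, remote loads via url()/@import, script URLs.
FORBIDDEN_PATTERNS = [
    r"expression\s*\(",
    r"-moz-binding",
    r"url\s*\(",
    r"@import",
    r"javascript\s*:",
]

# Only these characters may remain in an accepted value (constructed, narrow
# on purpose: enough for colours, lengths and rgb(...), nothing more).
VALUE_CHARS = re.compile(r"[a-z0-9 #%.,()\-]+")


def _unescape(match: re.Match) -> str:
    """Resolve a CSS hex escape such as \\65 to the character it denotes."""
    code_point = int(match.group(1), 16)
    if 0 < code_point <= 0x10FFFF:
        return chr(code_point)
    return "\ufffd"


def normalize(value: str) -> str:
    """Undo the tricks used to hide a forbidden token from a plain match.

    Strips /* comments */, resolves backslash hex escapes (\\65 -> 'e'),
    removes any leftover backslashes and control characters, and lowercases,
    so that 'exp/**/ression' and '\\65xpression' both read as 'expression'.
    """
    value = re.sub(r"/\*.*?\*/", "", value, flags=re.S)
    value = re.sub(r"\\([0-9a-fA-F]{1,6})\s?", _unescape, value)
    value = value.replace("\\", "")
    value = "".join(ch for ch in value if ord(ch) >= 0x20)
    return value.lower()


def sanitize_style(style: str) -> str:
    """Return only the declarations that pass the allowlist, or '' if none do."""
    kept = []
    for declaration in normalize(style).split(";"):
        if ":" not in declaration:
            continue
        prop, value = (part.strip() for part in declaration.split(":", 1))
        if prop not in ALLOWED_PROPERTIES:
            continue  # covers filter:, behavior:, -moz-binding: and friends
        if any(re.search(pattern, value) for pattern in FORBIDDEN_PATTERNS):
            continue
        if not VALUE_CHARS.fullmatch(value):
            continue
        kept.append(f"{prop}: {value}")
    return "; ".join(kept)


if __name__ == "__main__":
    # Constructed sample inputs: ordinary styling survives, the rest is dropped.
    for sample in [
        "color: red; width: 10px",
        "width: 10px; filter: alpha(opacity=50)",
        "width: exp/**/ression(document.body.clientwidth)",
        "background-color: url(http://example.invalid/x.png)",
    ]:
        print(repr(sample), "->", repr(sanitize_style(sample)))
```

The point of the normalization step is the one Tim makes about filter syntax: once the value grammar is open-ended and under-documented, the only tractable rule is to decide on the property name first and then accept only a tightly bounded value alphabet, rather than trying to recognise every dangerous spelling of a forbidden value.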
