wikimedia/mediawiki-extensions-TemplateStyles

Fork 0

mirror of https://gerrit.wikimedia.org/r/mediawiki/extensions/TemplateStyles synced 2024-11-15 11:59:52 +00:00

Commit graph

Author	SHA1	Message	Date
Brad Jorsch	5fd77aa0d7	Update css-sanitizer to v1.0.2 Also fold a unit test into the normal function since we don't have to have two valid responses based on css-sanitizer version. Change-Id: I107c8b911781924ce9cc0730257243b9cb1592a6	2017-06-13 17:09:48 -04:00
Brad Jorsch	b04bd96f58	SECURITY: Reject stylesheets containing "</style" Premature closing of the style block === HTML injection vector. Bug: T167812 Change-Id: I34c5f200c689a56d340bce70ffebbf58d27b499e	2017-06-13 11:52:07 -04:00
Brad Jorsch	b301a30abf	Use wikimedia/css-sanitizer, and rewrite the hooking wikimedia/css-sanitizer provides a real CSS parser, which should be safer than poking at things with regular expressions. Instead of the strange hybrid model that tried to both process inline CSS and save CSS when the template is saved, it now looks for <templatestyles src="Title" /> during the parse to do all the transclusion of styles. The output method is "<style> tags in the body", pending someone implementing T160563. It now also registers a "sanitized-css" content model, which should pick up the CSS syntax highlighting and will validate the submitted CSS on submit and prevent a save if it's not valid. This patch also takes advantage of LGPL-2.x § 3 to relicense the extension as GPL-2.0+, although at this point none of the LGPL code remains anyway. Bug: T133408 Bug: T136054 Bug: T135788 Bug: T135789 Change-Id: I993e6f18d32a43aac8398743133d227b05133bbd Depends-On: If4eb5bf71f94fa366ec4eddb6964e8f4df6b824a	2017-06-07 15:14:09 +00:00

Author

SHA1

Message

Date

Brad Jorsch

5fd77aa0d7

Update css-sanitizer to v1.0.2

Also fold a unit test into the normal function since we don't have to
have two valid responses based on css-sanitizer version.

Change-Id: I107c8b911781924ce9cc0730257243b9cb1592a6

2017-06-13 17:09:48 -04:00

Brad Jorsch

b04bd96f58

SECURITY: Reject stylesheets containing "</style"

Premature closing of the style block === HTML injection vector.

Bug: T167812
Change-Id: I34c5f200c689a56d340bce70ffebbf58d27b499e

2017-06-13 11:52:07 -04:00

Brad Jorsch

b301a30abf

Use wikimedia/css-sanitizer, and rewrite the hooking

wikimedia/css-sanitizer provides a real CSS parser, which should be
safer than poking at things with regular expressions.

Instead of the strange hybrid model that tried to both process inline
CSS and save CSS when the template is saved, it now looks for
<templatestyles src="Title" /> during the parse to do all the
transclusion of styles.

The output method is "<style> tags in the body", pending someone
implementing T160563.

It now also registers a "sanitized-css" content model, which should pick
up the CSS syntax highlighting and will validate the submitted CSS on
submit and prevent a save if it's not valid.

This patch also takes advantage of LGPL-2.x § 3 to relicense the
extension as GPL-2.0+, although at this point none of the LGPL code
remains anyway.

Bug: T133408
Bug: T136054
Bug: T135788
Bug: T135789
Change-Id: I993e6f18d32a43aac8398743133d227b05133bbd
Depends-On: If4eb5bf71f94fa366ec4eddb6964e8f4df6b824a

2017-06-07 15:14:09 +00:00

3 commits