--- Comment #71 from Wes Turner <> ---
(In reply to comment #69)
> (In reply to comment #67)
> > ... Looking at makeFooterIcon() in includes/Skin.php (I had 'tested' the raw
> > HTML w/ Chrome): is there a fancy way to specify inline CSS style attributes
> > (like background-image, width, height, and display) with Html::element or
> > Html::rawElement? (Which templating library is this?)
> Nope, we don't have such a thing right now. And you'll probably want to
> consider using the css sanitizing method inside Sanitize:: for stuff besides
> the background image and checking that nothing tries crossing a ;.

It's been a while since I've written any PHP; I'll have to look up what
htmlspecialchars does again. Are there test cases for these? It may be better
for someone familiar with the input sanitization codebase to take it from here.

Where in the docs would I look for 'trusted' configuration settings? Can these
variables be modified?

It looks like Sanitizer::validateAttributes would call Sanitizer::checkCss on
the style property; but the docstrings for Sanitizer::checkCss specify:

    * Currently URL references, 'expression', 'tps' are forbidden.

so I suppose the following would be needed:

* background-image: '";>
* width: safeEncodeAttribute
* height: safeEncodeAttribute
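As an added example that is not part of this thread and not MediaWiki's own code: a standalone PHP sketch of the checks discussed above, with width and height restricted to plain CSS lengths, the background-image URL validated on its own (since, per the docstring quoted above, Sanitizer::checkCss forbids URL references outright), the assembled declaration escaped with htmlspecialchars, and a value containing a ';' rejected rather than allowed to start a second declaration. The helper names footerIconLength, footerIconUrl and footerIconStyle are hypothetical, and the sample icon URL is constructed.

```php
<?php
// Added example, not MediaWiki code. Helper names are hypothetical.

/**
 * Accept only a plain CSS length: an integer or short decimal followed by
 * px, em or %. Anything else (including ';', '}', 'expression(' and 'url(')
 * is rejected by the anchored pattern.
 */
function footerIconLength( $value ) {
    if ( preg_match( '/^\d{1,4}(?:\.\d{1,2})?(?:px|em|%)$/', $value ) ) {
        return $value;
    }
    return null;
}

/**
 * Accept an http(s) URL for background-image only when it contains none of
 * the characters that could close the url() token, the quotes around it,
 * or the declaration itself.
 */
function footerIconUrl( $url ) {
    if ( !preg_match( '#^https?://[^\s"\'()\\\\;<>]+$#', $url ) ) {
        return null;
    }
    return 'url("' . $url . '")';
}

/**
 * Assemble the style declaration from validated parts and escape it for use
 * as an HTML attribute value. Returns null if any part was rejected, so a
 * partially valid style is never emitted.
 */
function footerIconStyle( $width, $height, $backgroundImage ) {
    $w  = footerIconLength( $width );
    $h  = footerIconLength( $height );
    $bg = footerIconUrl( $backgroundImage );
    if ( $w === null || $h === null || $bg === null ) {
        return null;
    }
    $css = "display:inline-block;width:$w;height:$h;background-image:$bg";
    return htmlspecialchars( $css, ENT_QUOTES, 'UTF-8' );
}

// Constructed sample input: a well-formed icon definition.
$style = footerIconStyle( '88px', '31px', 'https://example.org/icons/powered.png' );
echo '<div style="' . $style . '"></div>', "\n";

// Constructed sample input: the width carries a ';' and would otherwise
// start a second declaration, so the whole style is rejected.
$rejected = footerIconStyle( '88px;color:red', '31px', 'https://example.org/icons/powered.png' );
var_dump( $rejected );
```

The allowlist patterns are deliberately narrow: a length is a number plus one of three units, and a URL is limited to http(s) without any of the characters that could end the `url()` token, which covers the ';' crossing mentioned above without trying to parse CSS.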

Wikibugs-l mailing list
