--- Comment #5 from Bartosz DziewoƄski <> ---
(In reply to Chris Steipp from comment #0)
> The only thing I'd really like to see changed is in
> php/widgets/InputWidget.php, the "sanitizeValue" function doesn't do any
> (security) sanitization, which I think that could cause confusion later on.
> If the name can't be changed, maybe make the comments explicit that it's not
> security sanitization?

> It would also be nice to have some extra sanitization built in from the
> start, which we can't do in the Html/Xml classes since they're abused in odd
> ways, but have bitten some developers (SemanticForms had bunch of issues
> because they assumed these happened):
> * Validate tag name will be parsed in html as a single tag name-- so doesn't
> contain whitespace, /, >, or null.
> * Validate attribute names don't contain whitespace, /, =, >
> * Validate that form actions and button hrefs aren't javascript: urls (dependency) (dependency)

> There are also a couple of places you're adding style attributes directly.
> Is it possible to avoid that? My long-term plan is to have MediaWiki set a
> Content Security Policy that doesn't allow inline css, so I'd prefer to not
> introduce new uses of it, if possible.

So in the end, there are only three such places in PHP code:

* LabelElement. This one already came up earlier as a code quality
  issue, actually. Should be fixable, but preferably not right now :)
  Filed bug 73677 so it's not forgotten.
* GridLayout. Alas, inline styles are a core part of how it works and
  the only way to fix it would be to remove the class entirely.
* widgets.php demo, where it's used on a GridLayout (and is also

You are receiving this mail because:
You are on the CC list for the bug.
Wikibugs-l mailing list

Reply via email to