https://bugzilla.wikimedia.org/show_bug.cgi?id=73156
--- Comment #5 from Bartosz Dziewoński <[email protected]> ---

(In reply to Chris Steipp from comment #0)

> The only thing I'd really like to see changed is in
> php/widgets/InputWidget.php, the "sanitizeValue" function doesn't do any
> (security) sanitization, which I think could cause confusion later on.
> If the name can't be changed, maybe make the comments explicit that it's not
> security sanitization?

https://gerrit.wikimedia.org/r/174815
https://gerrit.wikimedia.org/r/174814

> It would also be nice to have some extra sanitization built in from the
> start, which we can't do in the Html/Xml classes since they're abused in odd
> ways, but have bitten some developers (SemanticForms had a bunch of issues
> because they assumed these happened):
> * Validate tag name will be parsed in html as a single tag name -- so doesn't
>   contain whitespace, /, >, or null.
> * Validate attribute names don't contain whitespace, /, =, >
> * Validate that form actions and button hrefs aren't javascript: urls

https://gerrit.wikimedia.org/r/174835
https://gerrit.wikimedia.org/r/174833 (dependency)
https://gerrit.wikimedia.org/r/174834 (dependency)

> There are also a couple of places you're adding style attributes directly.
> Is it possible to avoid that? My long-term plan is to have MediaWiki set a
> Content Security Policy that doesn't allow inline css, so I'd prefer to not
> introduce new uses of it, if possible.

So in the end, there are only three such places in PHP code:

* LabelElement. This one already came up earlier as a code quality issue, actually. Should be fixable, but preferably not right now :) Filed bug 73677 so it's not forgotten.
* GridLayout. Alas, inline styles are a core part of how it works and the only way to fix it would be to remove the class entirely.
* widgets.php demo, where it's used on a GridLayout (and is also necessary).

-- 
You are receiving this mail because:
You are on the CC list for the bug.
_______________________________________________ Wikibugs-l mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
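The three structural checks Chris asks for (tag name parses as a single name, attribute names cannot break out of the tag, URL-valued attributes are not javascript: URLs) can be enforced centrally in the tag builder, so that callers who never think about them still get the protection. The following PHP is an added example written for this thread; it is not OOUI's or MediaWiki's code, and the class and method names (SafeTagBuilder, openTag, isJavascriptUrl) are assumed. It also treats the "sanitizeValue" point from the first quote by doing the only security-relevant escaping in one clearly named place, htmlspecialchars on attribute values.

```php
<?php
// Added example, not OOUI/MediaWiki code. Names below are assumptions.

final class SafeTagBuilder {
    // Attributes whose value is a URL and therefore must not carry a
    // javascript: scheme. List is an assumption for this example.
    private const URL_ATTRIBUTES = [ 'href', 'action', 'formaction', 'src' ];

    // A tag name must be parsed by HTML as one name: no whitespace, '/', '>' or NUL.
    public static function isValidTagName( string $name ): bool {
        return $name !== '' && preg_match( '/[\s\/>\x00]/', $name ) === 0;
    }

    // An attribute name must not contain whitespace, '/', '=', '>' (or NUL),
    // otherwise an attacker-controlled name could inject further attributes.
    public static function isValidAttributeName( string $name ): bool {
        return $name !== '' && preg_match( '/[\s\/=>\x00]/', $name ) === 0;
    }

    // Browsers ignore ASCII control characters and whitespace before the scheme
    // and match it case-insensitively, so normalize before comparing.
    public static function isJavascriptUrl( string $url ): bool {
        $normalized = strtolower( (string)preg_replace( '/[\x00-\x20]+/', '', $url ) );
        return strpos( $normalized, 'javascript:' ) === 0;
    }

    // Build an opening tag; every failed check throws instead of emitting markup.
    // Attribute values are escaped here, which is the actual security sanitization.
    public static function openTag( string $tag, array $attributes ): string {
        if ( !self::isValidTagName( $tag ) ) {
            throw new InvalidArgumentException( "Invalid tag name: $tag" );
        }
        $out = '<' . $tag;
        foreach ( $attributes as $name => $value ) {
            $name = (string)$name;
            $value = (string)$value;
            if ( !self::isValidAttributeName( $name ) ) {
                throw new InvalidArgumentException( "Invalid attribute name: $name" );
            }
            if ( in_array( strtolower( $name ), self::URL_ATTRIBUTES, true )
                && self::isJavascriptUrl( $value )
            ) {
                throw new InvalidArgumentException( "javascript: URL rejected in $name" );
            }
            $out .= ' ' . $name . '="'
                . htmlspecialchars( $value, ENT_QUOTES | ENT_HTML5, 'UTF-8' ) . '"';
        }
        return $out . '>';
    }
}

// Constructed inputs: one accepted tag, then one input per rejected category.
echo SafeTagBuilder::openTag( 'a', [ 'href' => 'https://example.org/?q=a&b', 'class' => 'x' ] ), "\n";
// <a href="https://example.org/?q=a&amp;b" class="x">

$rejected = [
    [ 'div onclick', [] ],                               // whitespace inside the tag name
    [ 'a', [ 'href onclick' => '#' ] ],                  // whitespace inside an attribute name
    [ 'form', [ 'action' => " \tJavaScript:void(0)" ] ], // disguised javascript: URL
];
foreach ( $rejected as [ $tag, $attrs ] ) {
    try {
        SafeTagBuilder::openTag( $tag, $attrs );
    } catch ( InvalidArgumentException $e ) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

Throwing rather than silently "fixing" the value is deliberate: a caller that passes a tag name containing whitespace has a bug, and masking it would reproduce the SemanticForms situation where developers assumed checks that were not happening. For the URL check, a deny-list of javascript: is the minimum the comment asks for; a scheme allow-list (http, https, mailto and relative URLs) is the more robust long-term shape, and the inline-style concern in the last quote is best handled by the CSP that Chris mentions rather than by the builder.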
