Page MenuHomePhabricator
Create Task
Maniphest T308160

Uncensor use of "filter" CSS property on wikitext pages
Closed, ResolvedPublicFeature
Actions

Description

Feature summary (what you would like to be able to do and where):
Allow usage of the filter CSS property on pages with a content model other than sanitized-css. Specifically, in the style attribute of elements.

Use case(s) (list the steps that you performed to discover that problem, and describe the actual underlying problem which you want to solve. Do not describe only a solution):
I tried to make the Ditto sprite in a userbox at bulba:User:Bfdifan2006 yellow by wrapping it with a div whose filter is hue-rotate(135deg), but MediaWiki blocked the property stating it's insecure (by changing it to /* insecure input */. I actually commented it out in the wikitext.

Benefits (why should this be implemented?):
This could come useful for wikis that are a bit too reluctant to adopt TemplateStyles, and also for users that are a bit confused about the extension's functionality.

This was blocked in 2010 for security reasons since at that time, Internet Explorer had its own insecure version of filter that was unrelated to the later W3C property (more information), but the IE property was deprecated in version 9 and removed from the core in version 10. The browser is going to lose Microsoft support soon due to the success of the Blink-based Microsoft Edge.

It was not a W3C-compatible property, it used a different syntax. However, the W3C-compatible property is safe.

A showcase of this property failing can be found here.

Details

Subject Repo Branch Lines +/-
Bump wikimedia/parsoid to 0.19.0-a23 mediawiki/vendor master +209 -79
Allow filter: in inline CSS mediawiki/services/parsoid master +0 -11
Allow filter: in inline CSS. mediawiki/core master +1 -11
Customize query in gerrit

Related Objects

Event Timeline

Keyacom created this task.May 11 2022, 4:32 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 11 2022, 4:32 PM
Keyacom renamed this task from Uncensor use of "filter" CSS property on wikitext and plain text pages to Uncensor use of "filter" CSS property on wikitext pages.May 11 2022, 4:32 PM
Keyacom updated the task description. (Show Details)May 11 2022, 5:09 PM
ashley subscribed.May 11 2022, 5:18 PM

Maybe a duplicate of T300781?
Keyacom added a comment.May 11 2022, 6:45 PM

Not exactly. I am talking about its use in the style attribute on wikitext pages, not on sanitized-css pages.
Keyacom added a comment.May 11 2022, 6:49 PM

Also, yes, I did forget to assign this to projects, but it's because I didn't know which projects it should be assigned to.
Keyacom added a project: CSS.May 11 2022, 6:51 PM
Aklapper added a project: css-sanitizer.May 12 2022, 4:29 AM
Izno edited projects, added MediaWiki-General; removed css-sanitizer.EditedMay 16 2022, 10:08 PM
Izno subscribed.

filter is explicitly disallowed in Sanitizer::checkCSS. I think this request should be rejected.
Keyacom added a comment.May 18 2022, 7:49 AM

I don't think it should be. The filter property should be allowed, but I think you're concerned about the url() value, which should remain censored.
SnorlaxMonster mentioned this in T302062: Inline CSS filter attribute considered "insecure input".Oct 16 2023, 6:03 AM
SnorlaxMonster subscribed.
Aklapper merged a task: T302062: Inline CSS filter attribute considered "insecure input".Dec 27 2023, 3:49 PM
Aklapper added a subscriber: ShakespeareFan00.
Lakejason0 subscribed.Feb 10 2024, 12:18 PM

I do need to use the filter and backdrop-filter properties, I'm for this; and if we are concerning about url(), it's already blocked anyway.
Bawolff subscribed.Feb 11 2024, 12:45 AM

I agree that IE9 is very irrelevant. It should be noted, this is not just about -ms-filter, as older versions of IE also accepted filter without the -ms- prefix.

The discussion around adding filter to the blacklist is at https://static-codereview.wikimedia.org/MediaWiki/66990.html . Definitely valid reasons at the time, but not really relevant anymore.

I support removing filter: from the blacklist (We should still ban url(). We should also be banning src() which i don't think anyone has implemented yet.
Bawolff added a project: Security.Feb 11 2024, 12:45 AM

[tagging security. I'm sure they would want input on potential changes to the sanitizer]
Bawolff added a comment.Feb 11 2024, 12:50 AM

As pointed out elsewhere by stjn, IE8 does not support TLS1.2 by default, so its not just that nobody uses this browser, but even if they did, they would not be able to load WMF sites.
gerritbot added a comment.Feb 11 2024, 1:08 AM

Change 1001280 had a related patch set uploaded (by Brian Wolff; author: Brian Wolff):

[mediawiki/core@master] Allow filter: in inline CSS.

https://gerrit.wikimedia.org/r/1001280
gerritbot added a project: Patch-For-Review.Feb 11 2024, 1:08 AM
Dinoguy1000 updated the task description. (Show Details)Feb 11 2024, 1:09 AM
Winston_Sung subscribed.Feb 12 2024, 3:33 PM
Bawolff added a project: User-notice.Feb 13 2024, 5:48 AM
gerritbot added a comment.Feb 13 2024, 6:24 PM

Change 1001280 merged by jenkins-bot:

[mediawiki/core@master] Allow filter: in inline CSS.

https://gerrit.wikimedia.org/r/1001280
Maintenance_bot removed a project: Patch-For-Review.Feb 13 2024, 6:30 PM
Winston_Sung assigned this task to Bawolff.Feb 13 2024, 7:27 PM
Bawolff closed this task as Resolved.Feb 13 2024, 9:29 PM
ReleaseTaggerBot added a project: MW-1.42-notes (1.42.0-wmf.19; 2024-02-20).Feb 13 2024, 10:00 PM
UOzurumba subscribed.Feb 16 2024, 4:18 AM

Hello @Bawolff, for Tech News - What wording would you suggest as the content, and When should it be included? Thanks!
Bawolff added a comment.EditedFeb 16 2024, 4:57 AM

"The CSS filter keyword can now be used in html style attributes in wikitext".

This patch rides the train (1.42.0-wmf19). It should go out next week i suppose.
UOzurumba added a comment.Feb 16 2024, 5:18 AM
In T308160#9549449, @Bawolff wrote:

"The CSS filter keyword can now be used in html style attributes in wikitext".

This patch rides the train (1.42.0-wmf19). It should go out next week i suppose.

Thank you!
UOzurumba moved this task from To Triage to In current Tech/News draft on the User-notice board.Feb 16 2024, 5:29 AM
stjn awarded a token.Feb 19 2024, 3:55 PM
UOzurumba moved this task from In current Tech/News draft to Already announced/Archive on the User-notice board.Feb 22 2024, 3:56 PM
Maintenance_bot edited projects, added User-notice-archive; removed User-notice.Mar 3 2024, 4:30 PM
Winston_Sung reopened this task as In Progress.Mar 13 2024, 11:25 AM
Winston_Sung added a project: Parsoid.

Looks like we missed the Parsoid part.
gerritbot added a comment.Mar 13 2024, 10:48 PM

Change 1010995 had a related patch set uploaded (by Arlolra; author: Arlolra):

[mediawiki/services/parsoid@master] Allow filter: in inline CSS

https://gerrit.wikimedia.org/r/1010995
gerritbot added a project: Patch-For-Review.Mar 13 2024, 10:48 PM
gerritbot added a comment.Mar 14 2024, 12:34 AM

Change 1010995 merged by jenkins-bot:

[mediawiki/services/parsoid@master] Allow filter: in inline CSS

https://gerrit.wikimedia.org/r/1010995
Maintenance_bot removed a project: Patch-For-Review.Mar 14 2024, 1:30 AM
Winston_Sung closed this task as Resolved.Mar 14 2024, 2:40 AM
Winston_Sung added subscribers: ssastry, Arlolra.

Thanks @Arlolra , @ssastry !
gerritbot added a comment.Mar 16 2024, 4:24 PM

Change 1011398 had a related patch set uploaded (by C. Scott Ananian; author: C. Scott Ananian):

[mediawiki/vendor@master] Bump wikimedia/parsoid to 0.19.0-a23

https://gerrit.wikimedia.org/r/1011398
gerritbot added a project: Patch-For-Review.Mar 16 2024, 4:24 PM
gerritbot added a comment.Mar 16 2024, 7:13 PM

Change 1011398 merged by jenkins-bot:

[mediawiki/vendor@master] Bump wikimedia/parsoid to 0.19.0-a23

https://gerrit.wikimedia.org/r/1011398
Maintenance_bot removed a project: Patch-For-Review.Mar 16 2024, 7:30 PM
SnorlaxMonster mentioned this in T41662: Allow -webkit-filter CSS.Mar 27 2024, 1:24 PM
Tgr merged a task: T41662: Allow -webkit-filter CSS.Mar 27 2024, 1:52 PM
Tgr added subscribers: Yair_rand, Tgr, D41D8CD98F.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL