Uncensor use of "filter" CSS property on wikitext pages
Closed, ResolvedPublicFeature
Actions

Assigned To

Authored By

	Keyacom
	May 11 2022, 4:32 PM

Description

Feature summary (what you would like to be able to do and where):
Allow usage of the filter CSS property on pages with a content model other than sanitized-css. Specifically, in the style attribute of elements.

Use case(s) (list the steps that you performed to discover that problem, and describe the actual underlying problem which you want to solve. Do not describe only a solution):
I tried to make the Ditto sprite in a userbox at bulba:User:Bfdifan2006 yellow by wrapping it with a div whose filter is hue-rotate(135deg), but MediaWiki blocked the property stating it's insecure (by changing it to /* insecure input */. I actually commented it out in the wikitext.

Benefits (why should this be implemented?):
This could come useful for wikis that are a bit too reluctant to adopt TemplateStyles, and also for users that are a bit confused about the extension's functionality.

This was blocked in 2010 for security reasons since at that time, Internet Explorer had its own insecure version of filter that was unrelated to the later W3C property (more information), but the IE property was deprecated in version 9 and removed from the core in version 10. The browser is going to lose Microsoft support soon due to the success of the Blink-based Microsoft Edge.

It was not a W3C-compatible property, it used a different syntax. However, the W3C-compatible property is safe.

A showcase of this property failing can be found here.

Details

Subject	Repo	Branch	Lines +/-
Bump wikimedia/parsoid to 0.19.0-a23	mediawiki/vendor	master	+209 -79
Allow filter: in inline CSS	mediawiki/services/parsoid	master	+0 -11
Allow filter: in inline CSS.	mediawiki/core	master	+1 -11

Customize query in gerrit

Related Objects

Mentioned In: T41662: Allow -webkit-filter CSS
T302062: Inline CSS filter attribute considered "insecure input"
Mentioned Here: T300781: Allow using "filter" property in sanitized CSS

Event Timeline

Keyacom created this task.May 11 2022, 4:32 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 11 2022, 4:32 PM

Keyacom renamed this task from Uncensor use of "filter" CSS property on wikitext and plain text pages to Uncensor use of "filter" CSS property on wikitext pages.May 11 2022, 4:32 PM

Keyacom updated the task description. (Show Details)May 11 2022, 5:09 PM

Maybe a duplicate of T300781?

Not exactly. I am talking about its use in the style attribute on wikitext pages, not on sanitized-css pages.

Also, yes, I did forget to assign this to projects, but it's because I didn't know which projects it should be assigned to.

Keyacom added a project: CSS.May 11 2022, 6:51 PM

Aklapper added a project: css-sanitizer.May 12 2022, 4:29 AM

filter is explicitly disallowed in Sanitizer::checkCSS. I think this request should be rejected.

I don't think it should be. The filter property should be allowed, but I think you're concerned about the url() value, which should remain censored.

SnorlaxMonster mentioned this in T302062: Inline CSS filter attribute considered "insecure input".Oct 16 2023, 6:03 AM

SnorlaxMonster subscribed.

Aklapper merged a task: T302062: Inline CSS filter attribute considered "insecure input".Dec 27 2023, 3:49 PM

Aklapper added a subscriber: ShakespeareFan00.

I do need to use the filter and backdrop-filter properties, I'm for this; and if we are concerning about url(), it's already blocked anyway.

I agree that IE9 is very irrelevant. It should be noted, this is not just about -ms-filter, as older versions of IE also accepted filter without the -ms- prefix.

The discussion around adding filter to the blacklist is at https://static-codereview.wikimedia.org/MediaWiki/66990.html . Definitely valid reasons at the time, but not really relevant anymore.

I support removing filter: from the blacklist (We should still ban url(). We should also be banning src() which i don't think anyone has implemented yet.

[tagging security. I'm sure they would want input on potential changes to the sanitizer]

As pointed out elsewhere by stjn, IE8 does not support TLS1.2 by default, so its not just that nobody uses this browser, but even if they did, they would not be able to load WMF sites.

Change 1001280 had a related patch set uploaded (by Brian Wolff; author: Brian Wolff):

[mediawiki/core@master] Allow filter: in inline CSS.

https://gerrit.wikimedia.org/r/1001280

gerritbot added a project: Patch-For-Review.Feb 11 2024, 1:08 AM

Dinoguy1000 updated the task description. (Show Details)Feb 11 2024, 1:09 AM

Winston_Sung subscribed.Feb 12 2024, 3:33 PM

Bawolff added a project: User-notice.Feb 13 2024, 5:48 AM

Change 1001280 merged by jenkins-bot:

[mediawiki/core@master] Allow filter: in inline CSS.

https://gerrit.wikimedia.org/r/1001280

Maintenance_bot removed a project: Patch-For-Review.Feb 13 2024, 6:30 PM

Winston_Sung assigned this task to Bawolff.Feb 13 2024, 7:27 PM

Bawolff closed this task as Resolved.Feb 13 2024, 9:29 PM

ReleaseTaggerBot added a project: MW-1.42-notes (1.42.0-wmf.19; 2024-02-20).Feb 13 2024, 10:00 PM

Hello @Bawolff, for Tech News - What wording would you suggest as the content, and When should it be included? Thanks!

"The CSS filter keyword can now be used in html style attributes in wikitext".

This patch rides the train (1.42.0-wmf19). It should go out next week i suppose.

In T308160#9549449, @Bawolff wrote:

"The CSS filter keyword can now be used in html style attributes in wikitext".

This patch rides the train (1.42.0-wmf19). It should go out next week i suppose.

Thank you!

UOzurumba moved this task from To Triage to In current Tech/News draft on the User-notice board.Feb 16 2024, 5:29 AM

stjn awarded a token.Feb 19 2024, 3:55 PM

UOzurumba moved this task from In current Tech/News draft to Already announced/Archive on the User-notice board.Feb 22 2024, 3:56 PM

Maintenance_bot edited projects, added User-notice-archive; removed User-notice.Mar 3 2024, 4:30 PM