Last modified: 2007-02-02 18:56:10 UTC
The input box does not produce xhtml strict markup. Attached is a patch which removes the tables, stops mediawiki inserting <p></p> into the form and breaking validation and a conversion of the bgcolor="" to style="" and allowing styles to be passed into the extension. I read on another bug that my style change could lead to a cross site javascript vulnerability? But wouldn't this also be the case for bgcolor? Anyway.. this patch works for me. Feel free to improve any potential problems
Created attachment 3148 [details] Patch for inputbox
MediaWiki does not use XHTML Strict, but Transitional.
Unquoted attributes aren't valid there, either (indeed, IIRC they aren't even valid in HTML 4 except for numbers). The rest of the patch is still INVALID, though. By the way, the issue with allowing arbitrary style on elements is that IE will accept JavaScript in CSS, as I understand it. It also allows offsite background-images, which we tend to frown on in MediaWiki.
Should be valid XHTML Transitional as of r19729.