Last modified: 2007-02-02 18:56:10 UTC

Wikimedia Bugzilla is closed!

Wikimedia has migrated from Bugzilla to Phabricator. Bug reports should be created and updated in Wikimedia Phabricator instead. Please create an account in Phabricator and add your Bugzilla email address to it.
Wikimedia Bugzilla is read-only. If you try to edit or create any bug report in Bugzilla you will be shown an intentional error message.
In order to access the Phabricator task corresponding to a Bugzilla report, just remove "static-" from its URL.
You could still run searches in Bugzilla or access your list of votes but bug reports will obviously not be up-to-date in Bugzilla.
Bug 8795 - InputBox extension not producing valid XHTML
InputBox extension not producing valid XHTML
Status: RESOLVED FIXED
Product: MediaWiki extensions
Classification: Unclassified
InputBox (Other open bugs)
unspecified
Other other
: Normal normal (vote)
: ---
Assigned To: Nobody - You can work on this!
: patch, patch-need-review
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2007-01-27 19:32 UTC by Jools Wills
Modified: 2007-02-02 18:56 UTC (History)
0 users

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments
Patch for inputbox (4.32 KB, patch)
2007-01-27 19:32 UTC, Jools Wills
Details

Description Jools Wills 2007-01-27 19:32:15 UTC
The input box does not produce xhtml strict markup. Attached is a patch 
which removes the tables, stops mediawiki inserting <p></p> into the form 
and breaking validation and a conversion of the bgcolor="" to style="" and 
allowing styles to be passed into the extension.

I read on another bug that my style change could lead to a cross site 
javascript vulnerability?  But wouldn't this also be the case for bgcolor?

Anyway.. this patch works for me. Feel free to improve any potential 
problems
Comment 1 Jools Wills 2007-01-27 19:32:50 UTC
Created attachment 3148 [details]
Patch for inputbox
Comment 2 Brion Vibber 2007-02-02 18:37:30 UTC
MediaWiki does not use XHTML Strict, but Transitional.
Comment 3 Aryeh Gregor (not reading bugmail, please e-mail directly) 2007-02-02 18:52:22 UTC
Unquoted attributes aren't valid there, either (indeed, IIRC they aren't even valid in HTML 4 
except for numbers).  The rest of the patch is still INVALID, though.

By the way, the issue with allowing arbitrary style on elements is that IE will accept 
JavaScript in CSS, as I understand it.  It also allows offsite background-images, which we tend 
to frown on in MediaWiki.
Comment 4 Aryeh Gregor (not reading bugmail, please e-mail directly) 2007-02-02 18:56:10 UTC
Should be valid XHTML Transitional as of r19729.

Note You need to log in before you can comment on or make changes to this bug.


Navigation
Links