Last modified: 2014-11-17 10:35:47 UTC
I made a sample here http://en.wikipedia.org/w/index.php? title=User:SakotGrimshine/buggycode&oldid=101395999 It's some crap Encyclopedia Dramatica is spamming on lots of wikis. I replaced the foul language in it with things like "buggycode" and I'd rather not link to their website. Try viewing the sample I gave in different web browsers as it gets worse depending on which is used. It would be good to fix page rendering so this code doesn't work.
This should be all on one line: http://en.wikipedia.org/w/index.php?title=User:SakotGrimshine/buggycode&oldid=101395999
This is quite a common form of vandalism, and I suppose we could block it with $wgSpamRegex on Wikimedia sites, though it would just encourage further variants. Two solutions here; either continue to revert it, or we could consider blacklisting further CSS attributes, such as z-index etc.
Should we disable the value 'position:fixed' in the sanitizer?
There's not really any reason to allow position: fixed in article content, probably, but this could easily be just as disruptive with position: absolute or relative or whatever. Any of those could overwrite stuff outside the article box. But absolute and relative positioning are standard, useful CSS properties. Silly vandalism like this can be dealt with easily enough. I suggest WONTFIX.
People seem to use this or some other funky HTML code to give themselves messed up user and talk pages with buttons and links outside the normal text window.
Well, this would break [[Template:Featured article]], [[Template:Pp-semi-protected]], [[Template:Spoken]], and others, to name a few.
... So build in functionality to make those sorts of icons in the top right of articles. This functionality needs to be removed. The potential for abuse is too great; I'm surprised it hasn't been used maliciously yet. See, for example, http://en.wikipedia.org/wiki/User:Mark/temp The form at the destination there just leads right back to Wikipedia, but it could just as easily be used to silently capture usernames and passwords for unspecified future abuse.
Come now, separation of code and presentation would be good. At a minimum we could allow the introduction of fancy positioning stuff via items in MediaWiki namespace... this would preserve the operation of sane site wide things, and prevent the introduction of ugly one-offs that tend to have poor usability or violate the principle of least surprise.
Take a look at, for instance, the link created by ImageMap to the source image's page. That uses absolute positioning. Yes, separating content and markup is good, but it's not really practical at present while permitting reasonably flexible formatting, since it's so much slower to have to get sysops involved. Banning these properties entirely is overkill. What should be prevented is overlaying anything on top of interface elements; that's bug 9526, and should be possible to accomplish without resorting to this.
Would there be any way of preventing such absolute positioning from putting stuff beyond the left hand side of the article area, or above the bottom of the tabs? The main concern is preventing all those links from being hijacked. People using this for horrendous unaesthetic user pages is a secondary matter.
That's exactly my point. See bug 9526 for a proposed solution.
*** Bug 14346 has been marked as a duplicate of this bug. ***
*** Bug 9526 has been marked as a duplicate of this bug. ***
*** Bug 7303 has been marked as a duplicate of this bug. ***
May also be a good idea to blacklist the 'overflow' attrib. as well. See Bug 14346 for examples of disruption using this attribute.
*** Bug 15066 has been marked as a duplicate of this bug. ***
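The style-attribute filtering debated in this thread (blocking `position: fixed`, `z-index` and `overflow`), as an added Python example; it is not MediaWiki's Sanitizer code and was not posted to this bug, and the function names and blocklist are assumptions. Input is normalized (comments stripped, escapes decoded) before matching, and the third sample shows the limit raised in the discussion: absolute positioning still passes.

```python
import re

# Assumed policy taken from the proposals in this thread, not MediaWiki's rules.
BLOCKED_PROPERTIES = {"z-index", "overflow"}
BLOCKED_PAIRS = {("position", "fixed")}

_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\([^\r\n\f0-9a-fA-F])")


def _unescape(match):
    """Decode one CSS escape (hex form or a single escaped character)."""
    if match.group(1):
        code = int(match.group(1), 16)
        valid = 0 < code <= 0x10FFFF and not 0xD800 <= code <= 0xDFFF
        return chr(code) if valid else "\ufffd"
    return match.group(2)


def normalize(css):
    """Strip comments and decode escapes so matching works on plain text."""
    return _ESCAPE.sub(_unescape, _COMMENT.sub("", css))


def sanitize_style(style):
    """Drop blocked declarations; splits on ';' only, so quoted ';' is not handled."""
    kept = []
    for decl in normalize(style).split(";"):
        prop, sep, value = decl.partition(":")
        prop = prop.strip().lower()
        if not sep or not prop or prop in BLOCKED_PROPERTIES:
            continue
        # Compare on the first keyword so case and !important do not matter.
        words = value.lower().replace("!", " !").split()
        if words and (prop, words[0]) in BLOCKED_PAIRS:
            continue
        kept.append(f"{prop}: {value.strip()}")
    return "; ".join(kept)


# Constructed sample style attributes, not taken from the linked pages.
SAMPLES = [
    "position:fixed; top:0; z-index:999",
    r"pos\69tion: f\69 xed !important; color:red",
    "position:absolute; left:-200px; overflow:visible",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", repr(sanitize_style(sample)))
```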