Last modified: 2007-02-02 18:56:10 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T10795, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 8795 - InputBox extension not producing valid XHTML
InputBox extension not producing valid XHTML
Status: RESOLVED FIXED
Product: MediaWiki extensions
Classification: Unclassified
InputBox (Other open bugs)
unspecified
Other other
: Normal normal (vote)
: ---
Assigned To: Nobody - You can work on this!
: patch, patch-need-review
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2007-01-27 19:32 UTC by Jools Wills
Modified: 2007-02-02 18:56 UTC (History)
0 users

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
Patch for inputbox (4.32 KB, patch)
2007-01-27 19:32 UTC, Jools Wills 		Details
Add an attachment (proposed patch, testcase, etc.)

Description Jools Wills 2007-01-27 19:32:15 UTC 
The input box does not produce xhtml strict markup. Attached is a patch 
which removes the tables, stops mediawiki inserting <p></p> into the form 
and breaking validation and a conversion of the bgcolor="" to style="" and 
allowing styles to be passed into the extension.

I read on another bug that my style change could lead to a cross site 
javascript vulnerability?  But wouldn't this also be the case for bgcolor?

Anyway.. this patch works for me. Feel free to improve any potential 
problems
Comment 1 Jools Wills 2007-01-27 19:32:50 UTC 
Created attachment 3148 [details]
Patch for inputbox
Comment 2 Brion Vibber 2007-02-02 18:37:30 UTC 
MediaWiki does not use XHTML Strict, but Transitional.
Comment 3 Aryeh Gregor (not reading bugmail, please e-mail directly) 2007-02-02 18:52:22 UTC 
Unquoted attributes aren't valid there, either (indeed, IIRC they aren't even valid in HTML 4 
except for numbers).  The rest of the patch is still INVALID, though.

By the way, the issue with allowing arbitrary style on elements is that IE will accept 
JavaScript in CSS, as I understand it.  It also allows offsite background-images, which we tend 
to frown on in MediaWiki.
Comment 4 Aryeh Gregor (not reading bugmail, please e-mail directly) 2007-02-02 18:56:10 UTC 
Should be valid XHTML Transitional as of r19729.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links