Project Information
- Name of tool/project: TemplateStyles
- Project home page: https://www.mediawiki.org/wiki/Extension:TemplateStyles
- Name of team requesting review: n/a
- Primary contact: @coren
- Target date for deployment: Some time after the security review :-)
- Link to code repository / patchset: https://gerrit.wikimedia.org/r/#/admin/projects/mediawiki/extensions/TemplateStyles
Description of the tool/project
Extension to allow per-template styling in MediaWiki. Result of the discussion at T483.
Description of how the tool will be used at WMF
The intent is to deploy the extension to production wikis.
Dependencies
No dependencies beyond core >= 1.25.0
Has this project been reviewed before?
Not beyond the code review at project creation.
Working test environment
http://ts.wmflabs.org/w/index.php/Main_Page has a test wiki where the extension is deployed and tests have been conducted. A test environment requires nothing but a 1.25+ MW install and TemplateStyles loaded with wfLoadExtension().
Post-deployment
I'll remain around to maintain the extension for the foreseeable future, but I expect there might be a desire to eventually fold this functionality into core.
Notes
In addition to the usual security considerations, this extension extends the right to affect style sheets to all editors, by design, so there are a number of points we want to make certain of:
- UI elements should not be style-able by this method;
- no injection of non-CSS elements can be made to the rendered page;
- there exists no way for user-provided styles to run JavaScript (some CSS properties and values are known to be able to do this in several older browsers); and
- there exists no way for user-provided styles to cause the browser to fetch from an external resource.
Additionally, we will want to create a policy in terms of a blacklist and whitelist combination which will implement the security requirements we have.
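
The last three points in the list above, expressed as deny-list checks over a stylesheet string. This is an added example in Python, not TemplateStyles' own code; the rule set, the labels and the function name `violations` are assumptions made for illustration, and every `url()` is treated as a fetch. Input is checked after CSS escapes are decoded, both with and without comments removed, so neither trick hides a construct.

```python
import re

# CSS escapes: backslash + 1-6 hex digits (+ one optional whitespace),
# or backslash + any single non-newline character.
_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\([^\r\n\f])")
_COMMENT = re.compile(r"/\*.*?\*/", re.S)

# Constructed deny rules, labelled by the requirement they serve.
RULES = [
    ("markup-injection", re.compile(r"<")),  # e.g. closing the <style> element
    ("script-execution", re.compile(r"expression\s*\(", re.I)),
    ("script-execution", re.compile(r"javascript\s*:", re.I)),
    ("script-execution", re.compile(r"-moz-binding", re.I)),
    # Lookbehind keeps the harmless scroll-behavior property out of the match.
    ("script-execution", re.compile(r"(?<![\w-])behavior\s*:", re.I)),
    ("external-fetch", re.compile(r"(?:url|image-set)\s*\(", re.I)),
    ("external-fetch", re.compile(r"@import", re.I)),
]


def _decode(match):
    """Turn one CSS escape into the character it stands for."""
    if match.group(1) is None:
        return match.group(2)
    cp = int(match.group(1), 16)
    valid = 0 < cp <= 0x10FFFF and not 0xD800 <= cp <= 0xDFFF
    return chr(cp) if valid else "\ufffd"


def violations(css):
    """Return the sorted requirement labels that `css` violates."""
    decoded = _ESCAPE.sub(_decode, css)
    # Scan with and without comments: stripping reveals expr/**/ession(),
    # while the unstripped text still shows a url() placed between two
    # strings that merely contain "/*" and "*/".
    variants = (decoded, _COMMENT.sub("", decoded))
    return sorted({label for label, rx in RULES
                   for text in variants if rx.search(text)})


if __name__ == "__main__":
    # Constructed sample input.
    print(violations(r".a { background: \75 rl(//example.org/x.png) }"))
```

A deny list like this only catches constructs someone thought to list, which is why the policy mentioned above pairs it with a whitelist.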