Page MenuHomePhabricator
Create Task
Maniphest T163583

<video>/<source>/<track> sanitization for media
Open, MediumPublic
Actions

Description

Parsoid and TimedMediaHandler emit <video>, <source>, and <track> elements for audio/video content. These currently bypass the sanitizer on PHP side because they come from the TimedMediaHandler extension, and AIUI all extension content bypasses the sanitizer.

Parsoid generates this markup directly, and I believe the intent is for the A/V support to migrate to core eventually. So we should update the sanitizer to allow the necessary elements and attributes.

@Arlolra already wrote a patch for this: https://gerrit.wikimedia.org/r/349432

Filing this in phab for security review. If the security team would like to solve this a different way (for example, by simply bypassing the sanitizer for media markup, as we are currently doing in PHP) instead of merging @Arlolra's patch, then we need to update Parsoid to match; this task would then track the Parsoid work as well.

Details

SubjectRepoBranchLines /-
Synchronize allowed attributes for <audio> with Parsoid/TimedMediaHandlermediawiki/coremaster 2 -1
Match Parsoid's attribute sanitization for video elementsmediawiki/coremaster 5 -1
Customize query in gerrit

Related Objects

Event Timeline

cscott created this task.Apr 21 2017, 8:25 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 21 2017, 8:25 PM
gerritbot subscribed.Apr 21 2017, 8:25 PM

Change 349432 had a related patch set uploaded (by C. Scott Ananian; owner: Arlolra):
[mediawiki/core@master] Match Parsoid's attribute sanitization for video elements

https://gerrit.wikimedia.org/r/349432

gerritbot added a project: Patch-For-Review.Apr 21 2017, 8:25 PM
Arlolra added a comment.May 5 2017, 11:22 AM

Also see T126618

gerritbot added a comment.May 21 2017, 11:57 AM

Change 349432 merged by jenkins-bot:
[mediawiki/core@master] Match Parsoid's attribute sanitization for video elements

https://gerrit.wikimedia.org/r/349432

ReleaseTaggerBot added a project: MW-1.30-release-notes (WMF-deploy-2017-05-23_(1.30.0-wmf.2)).May 21 2017, 12:00 PM
Phabricator_maintenance added a project: acl*security.Sep 20 2018, 9:15 AM
gerritbot added a comment.Apr 22 2019, 5:07 PM

Change 505644 had a related patch set uploaded (by C. Scott Ananian; owner: C. Scott Ananian):
[mediawiki/core@master] Synchronize allowed attributes for <audio> with Parsoid/TimedMediaHandler

https://gerrit.wikimedia.org/r/505644

gerritbot added a comment.Apr 26 2019, 7:10 PM

Change 505644 merged by jenkins-bot:
[mediawiki/core@master] Synchronize allowed attributes for <audio> with Parsoid/TimedMediaHandler

https://gerrit.wikimedia.org/r/505644

Aklapper removed a project: Security-Core.Nov 27 2019, 12:42 PM
Aklapper removed projects: acl*security, MW-1.30-release-notes (WMF-deploy-2017-05-23_(1.30.0-wmf.2)), Patch-For-Review, TimedMediaHandler, MediaWiki-Parser.Nov 27 2019, 1:30 PM
Aklapper edited projects, added acl*security, Patch-For-Review, TimedMediaHandler, MediaWiki-Parser, MW-1.30-release-notes (WMF-deploy-2017-05-23_(1.30.0-wmf.2)); removed Security-Extensions.Dec 2 2019, 1:01 PM
chasemp triaged this task as Medium priority.Dec 9 2019, 5:18 PM
chasemp added a project: Security.Feb 10 2020, 10:58 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:07 PM
brooke moved this task from To sort to Backlog/maint on the TimedMediaHandler board.Feb 18 2022, 6:34 PM
Pppery removed a project: Patch-For-Review.Apr 9 2023, 8:30 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits