r65286 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r65285‎ \| r65286 \| r65287 >
Date:	18:44, 19 April 2010
Author:	simetrical
Status:	ok (Comments)
Tags:
Comment:	Create $wgAllowImageTag to whitelist <img> I could have reused $wgAllowExternalImages, but that's . . . rather ugly. It makes some external links mysteriously behave differently, and of course doesn't allow setting attributes.
Modified paths:	/trunk/phase3/RELEASE-NOTES (modified) (history) /trunk/phase3/includes/DefaultSettings.php (modified) (history) /trunk/phase3/includes/Sanitizer.php (modified) (history)

Diff [purge]

Index: trunk/phase3/includes/Sanitizer.php
—	—	@@ -389,6 +389,12 @@
390	390	'li',
391	391	);
392	392
	393	+ global $wgAllowImageTag;
	394	+ if ( $wgAllowImageTag ) {
	395	+ $htmlsingle[] = 'img';
	396	+ $htmlsingleonly[] = 'img';
	397	+ }
	398	+
393	399	$htmlsingleallowed = array_unique( array_merge( $htmlsingle, $tabletags ) );
394	400	$htmlelementsStatic = array_unique( array_merge( $htmlsingle, $htmlpairsStatic, $htmlnest ) );
395	401
—	—	@@ -1403,8 +1409,9 @@
1404	1410
1405	1411	# 13.2
1406	1412	# Not usually allowed, but may be used for extension-style hooks
1407		~~- # such as <math> when it is rasterized~~
1408		~~- 'img' => array_merge( $common, array( 'alt' ) ),~~
	1413	+ # such as <math> when it is rasterized, or if $wgAllowImageTag is
	1414	+ # true
	1415	+ 'img' => array_merge( $common, array( 'alt', 'src' ) ),
1409	1416
1410	1417	# 15.2.1
1411	1418	'tt' => $common,
Index: trunk/phase3/includes/DefaultSettings.php
—	—	@@ -1909,6 +1909,16 @@
1910	1910	*/
1911	1911	$wgEnableImageWhitelist = true;
1912	1912
	1913	+/**
	1914	+ * A different approach to the above: simply allow the <img> tag to be used.
	1915	+ * This allows you to specify alt text and other attributes, copy-paste HTML to
	1916	+ * your wiki more easily, etc. However, allowing external images in any manner
	1917	+ * will allow anyone with editing rights to snoop on your visitors' IP
	1918	+ * addresses and so forth, if they wanted to, by inserting links to images on
	1919	+ * sites they control.
	1920	+ */
	1921	+$wgAllowImageTag = false;
	1922	+
1913	1923	/** Allows to move images and other media files */
1914	1924	$wgAllowImageMoving = true;
1915	1925
Index: trunk/phase3/RELEASE-NOTES
—	—	@@ -23,6 +23,7 @@
24	24	extensions has been removed.
25	25	* $wgLogAutocreatedAccounts controls whether autocreation of accounts is logged
26	26	to new users log.
	27	+* $wgAllowImageTag can be set to true to whitelist the <img> tag in wikitext.
27	28
28	29	=== New features in 1.17 ===
29	30	* (bug 10183) Users can now add personal styles and scripts to all skins via

Follow-up revisions

Revision	Commit summary	Author	Date
r65337	Follow up r65286. If we are going to support <img we should support width and...	platonides	19:04, 20 April 2010

Comments

#Comment by Platonides (talk | contribs) 19:04, 20 April 2010

I don't feel this to be right. Maybe it should be an argument to an array, perhaps it should be a parameter to the square brackets...

#Comment by Simetrical (talk | contribs) 16:38, 21 April 2010

I'm not sure what you mean. Could you clarify?

#Comment by C.wrinn (talk | contribs) 22:10, 21 April 2010

Shouldn't this be tied into $wgAllowExternalImagesFrom somehow? I'd do it if I could recall where in the code it'd be most appropriate.

#Comment by Simetrical (talk | contribs) 22:53, 21 April 2010

Good idea, I should do that.

#Comment by Simetrical (talk | contribs) 00:18, 26 April 2010

Okay, I have an implementation written, but I realized it's pretty messy. Setting $wgAllowExternalImagesFrom would also implicitly enables $wgAllowExternalImages for the whitelisted URLs, so it would behave somewhat unexpectedly if you just wanted to allow image tags but not bare links turning into images. So I haven't committed this.

Status & tagging log

09:46, 31 August 2010 Tim Starling (talk | contribs) changed the status of r65286 [removed: new added: ok]