Description

Style attribute can contain javascript, executed by IE.

Example

• ../Sanitize style/Example 1

• ../Sanitize style/Example 2

There are more example here: http://feedparser.org/docs/html-sanitization.html

Component selection

parser/html formatter.

Details

Server: MoinMoin 1.3 and later.

Browsers:

• IE7 WinXPHome Sp2 - first example safe, second redirects
• Safari 2.0.4 - safe
• Firefox 2.0.0.3 / OS X - safe

Workaround

Disable table style handling in the MoinMoin/formatter/text_html.py.

Discussion

Since only html in tables is the security issue: Disable the ability to use (besides the normal Moin syntax) also normal html markup in tabels. Why?

• Html markup is a security problem
• Html markup is too complicated for most users and not "wiki-like"
• The resulting tables using html markup are - considered from an accessibilities point of view - mostly nonsense:

  • HTML markup is used to align stuff e.g picuters. It is one criteria for accessible site that they avoid to use tables for layout sake's. We should use Nir's SectionParser for that or the div-wrapper of the Moin parser in 1.6

  • HTML markup could be used to built complex tables (rowspan, colspan..). However these tables are mostly inaccessible for screenreaders (just see the examples given on HelpOnTables. Mostly inaccessible).

  • The ability to set your own colors does not only ruin the corporate design of your wiki, it does also lead to another accessibility problem: the contrast between background color and text color could be too low. This could only be avoided if the (data)table style is set in the css correctly and could not be changed by the users.
• Last but not least: It's not a big job to disable html markup(?)

To conclude: In my eyes on the one hand you can do too much with html table markup (and mostly the wrong things) while on the other hand important things like the ability to mark tableheaders <th>, provide labels, a table summary etc (so that blind users can easily work with and navigate in tables) are missing completely. -- OliverSiemoneit 2007-04-15 16:33:38

• Open a feature request for adding the important and missing table headers.

Is that a IE bug or is that covered by html/css standards?

• This seems to be mainly an IE bug, however actively generated content on runtime by css is part of css2 http://www.w3.org/TR/REC-CSS2/generate.html -- OliverSiemoneit 2007-04-16 20:19:47

Plan

• Priority:
• Assigned to:
• Status:

CategoryMoinMoinBug