[pmwiki-users] WikiStyles refactored, can use testing
Petko Yotov
5ko at 5ko.fr
Sun Nov 20 14:04:51 PST 2022
Hello,
I am working on progressively removing the core requirement for inline
JavaScript and styles. This would allow wikis to enable a more strict
Content-Security-Policy, without 'unsafe-inline'. This in turn reduces
the chances for cross-site scripting (XSS) vulnerabilities.
I have refactored the core WikiStyles to replace all inline styles in
the text with CSS class names, generated on the fly, and added to the
header <style> element.
So where before %red%red text%% produced something like:
    <span style="color:red;">red text</span>
it will now produce something like:
    <span class="-pm--1">red text</span>
with the declaration in the HTML header <style> element:
    .-pm--1 { color:red; }
I'd like to invite you to try the new functions (enabled on pmwiki.org)
and notify me if you find any bugs or omissions.
If you use custom WikiStyles on your wiki, you can test the pre-release,
and report if you notice any problems.
You can get the pre-release as usual via Subversion, or from the
ChangeLog page:
https://www.pmwiki.org/wiki/PmWiki/ChangeLog
For this specific feature, only the following files changed:
scripts/wikistyles.php
To test it, you can simply replace this file from the pre-release to
your installation.
I'll normally be releasing the next version 2.3.15 in early December. If
any bugs are reported to me in the meantime, I may have the chance to
fix them in time.
Note: This only concerns WikiStyles (>>...<< or %...%). For the moment
it excludes inline CSS in the HTML attribute style="..." which can be
manually added to tables, division blocks, forms and some other
directives.
Thanks,
Petko
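
The rewrite described in the message, as an added example that is not part of the original post and not PmWiki's code. It assumes the header <style> block is allowed through a CSP hash source, since a style-src without 'unsafe-inline' also applies to <style> elements; the function name, the class numbering and the character filter are hypothetical.

```php
<?php
// Added example, not PmWiki's code. Class names follow the "-pm--N" shape
// shown in the post; the allocation and filtering rules are assumptions.
function hoist_inline_styles(string $html): array
{
    $classes = [];  // declaration => class name, so repeats share one rule
    $body = preg_replace_callback(
        '/<span style="([^"]*)">/',
        function (array $m) use (&$classes): string {
            $decl = trim(html_entity_decode($m[1], ENT_QUOTES));
            // Once moved into a <style> element the text must not be able
            // to close the rule or the element, so such styles are dropped.
            if ($decl === '' || preg_match('/[{}<>]/', $decl)) {
                return '<span>';
            }
            if (!isset($classes[$decl])) {
                $classes[$decl] = '-pm--' . (count($classes) + 1);
            }
            return '<span class="' . $classes[$decl] . '">';
        },
        $html
    );
    $css = '';
    foreach ($classes as $decl => $name) {
        $css .= ".$name { $decl }\n";
    }
    // A CSP hash source covers the exact text between <style> and </style>.
    $hash = base64_encode(hash('sha256', $css, true));
    return [$body, $css, "Content-Security-Policy: style-src 'self' 'sha256-$hash'"];
}

// Constructed sample input in the old inline-style form shown in the post.
$old = '<span style="color:red;">red text</span> and '
     . '<span style="color:red;">more red</span>';
[$body, $css, $csp] = hoist_inline_styles($old);
header($csp);  // must be sent before any output
echo "<style>$css</style>\n$body\n";
```

Both sample spans share the single rule `.-pm--1 { color:red; }`, and the hash has to be recomputed whenever the generated CSS text changes.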