Parser tests need updated.
9 previously passing test(s) now FAILING! :(
r66990 appears to have made transparency [filter: alpha(opacity=70);] impossible on some browsers.
The filter property is insecure and can lead to complete compromise of the client computer, see http://seclists.org/bugtraq/2010/May/228
Could we not specifically restrict 'ICMFilter' instead?
No. AlphaImageLoader is also a security vulnerability, it allows users to load arbitrary URLs without requiring the blacklisted url() markup. The potential for similar security vulnerabilities is unlimited. IE extensions may define their own filter objects, MSDN provides complete documentation and tutorials explaining how to do this. And Microsoft may add new filters in future versions of IE which open up new security vulnerabilities.
We would have to parse it and whitelist certain "known-good" filters instead, which would be challenging since the format of the filter property appears to be undocumented, and is subject to change. I'd rather spend my time working on better standards-compliance.
CSS 3 has an opacity property which does what you want to do, you should use that instead. It works on all browsers except one.
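The deny-by-construct approach argued for in the comment above, as an added sketch (not MediaWiki's sanitizer code and not from this thread): the style value is normalized, then refused if it contains any `filter:` declaration or `url(`, with no attempt to parse which filter is named. Function names and sample strings are constructed for illustration.

```python
import re

# Constructs refused outright, per the thread: the IE `filter` property and url().
_BLOCKED = {
    "filter": re.compile(r"filter\s*:", re.I),
    "url": re.compile(r"url\s*\(", re.I),
}
_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# A CSS escape is a backslash plus 1-6 hex digits (and one optional
# whitespace terminator), or a backslash plus a single literal character.
_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\([^\r\n\f0-9a-fA-F])")


def _unescape(match):
    """Decode one CSS escape so an obfuscated property name becomes visible."""
    if match.group(1):
        code = int(match.group(1), 16)
        return chr(code) if 0 < code <= 0x10FFFF else "\ufffd"
    return match.group(2)


def normalize(style):
    """Decode escapes first, then drop comments, before any matching is done."""
    return _COMMENT.sub("", _ESCAPE.sub(_unescape, style))


def blocked_constructs(style):
    """Return the names of the blocked constructs found in an inline style value."""
    text = normalize(style)
    return [name for name, pattern in _BLOCKED.items() if pattern.search(text)]


# Constructed sample values (not taken from the revision or its tests).
SAMPLES = [
    "opacity: 0.7",
    "filter: alpha(opacity=70);",
    r"f\69lter: alpha(opacity=70)",
    "fil/**/ter : alpha(opacity=70)",
    "filter: progid:DXImageTransform.Microsoft.AlphaImageLoader(src=example.png)",
    "background: url(example.png)",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        hits = blocked_constructs(sample)
        print(("REJECT " + ",".join(hits)) if hits else "ALLOW", "|", sample)
```

The AlphaImageLoader sample is caught by the `filter` rule alone, since it never uses `url(`. The substring match is deliberately conservative, so it also refuses any property name that merely ends in `filter`.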
Marking new since the parser tests were fixed in r67101.
There was no activity on this CR revision and it got merged to trunk.
Could we assume it as "ok"?
It's been running on WMF for six months; if there were a regression obvious enough to spot in CR, someone would have seen it by now.