[09:59:32] i assume this only allows templatestyles css to be on the mediawiki namespace?
[10:00:18] wait no... the check is an &&?
[10:14:56] [1/4] https://meta.miraheze.org/wiki/Help_desk?curid=84455&diff=487416&oldid=487413
[10:14:56] [2/4] Here's a user that, even without switching wikis, gets logged out after a few clicks.
[10:14:56] [3/4] What can be the cause of that?
[10:14:57] [4/4] ```I cleared my cache and cookies, but nothing changed. The same thing happens if I stay on this wiki — after two or three clicks, I get logged out. Neapolitan (talk) 10:11, 24 August 2025 (UTC)```
[10:35:10] this + sanitized-css is no longer sanitized
[10:35:24] so it's basically unsanitized per-page css
[10:35:42] if it's scoped to the mw namespace, i'd tentatively say it's okay
[10:35:44] hacky, sure
[10:36:01] but, assuming that the namespace is only editable by safe users, technically safe
[10:48:16] yeah
[10:48:44] oh wait
[10:48:58] this allows people with the editinterface permission to edit unsanitized CSS though
[10:49:10] which would be a security vulnerability like i18n XSSs
[10:56:26] ah fuck, i forgot about that
[12:52:14] That's true but for my use case editinterface == editsitecss
[12:53:49] I guess I could check how that editsitecss restriction is implemented
[12:55:16] If that's what you meant?
I don't think this makes it any less sanitized than just editing site CSS
[12:57:20] What you probably need to do is require the editsitecss permission for editing a page using the sanitized-css content model (and for converting a page to it)
[12:57:39] site CSS is not sanitized at all so it can't be less sanitized than that
[12:57:46] but yeah, that's what I meant
[12:57:55] editinterface should not allow editing unsanitized css
[12:58:27] I mean it could be less sanitized if TemplateStyles didn't include the check for /style outside the CSS sanitizer lmao
[12:58:41] But yeah I get it
[12:59:02] oh I didn't know that's a thing
[12:59:04] but makes sense
[13:07:35] I never really got the appeal of TemplateStyles
[13:07:53] Surely that's a lot more pissing about than just putting the styles in Common/skin.css?
[13:11:46] [1/2] Hallo. I haven't written here for a while 🙂
[13:11:46] [2/2] I have a question about the message `anagewiki-review-toggled` : "$1 ($2)/strong was $3/em". It has no qqq, so I don't know what $1, $2, and $3 are. Can anyone please clarify?
[13:13:45] With TemplateStyles, any user can edit the styles
[13:13:49] That's the main advantage
[13:16:53] [1/3] Seems like `$1` is the name of the setting, `$2` the category of the setting, and `$3` is the state, e.g. enabled or disabled
[13:16:53] [2/3] https://cdn.discordapp.com/attachments/1006789349498699827/1409164561214607553/image.png?ex=68ac6244&is=68ab10c4&hm=3b0e7d1264dab457d8c947cb454465f2b0c99a70d63dcb0640c2170dd9fc269d&
[13:16:53] [3/3] https://cdn.discordapp.com/attachments/1006789349498699827/1409164561587634409/image.png?ex=68ac6244&is=68ab10c4&hm=6b17b75745e1e3002da93ee682d16aea13a643922978c640025e6db2c24675c9&
[13:17:03] https://cdn.discordapp.com/attachments/1006789349498699827/1409164607058350191/image.png?ex=68ac624f&is=68ab10cf&hm=975cb5a85daf1b65edc39cfd804abe459cd467d4a0c591895be09f066ec20db9&
[13:17:26]
[13:19:29] That message probably needs to be marked notranslate?
Since $1 will always need to be English, $2 is miraheze specific, and $3 is already another message
[13:19:59] It contains "was" in the English version so it needs to be translated
[13:20:11] Oh
[13:20:15] `"managewiki-review-toggled": "$1 ($2)/strong was $3/em",`
[13:20:19] And which message is "$3"?
[13:20:34] 'managewiki-review-enabled' or 'managewiki-review-disabled'
[13:21:45] Thanks! I've updated the qqq.
[21:09:21] My goal here was to just separate template styles into separate pages and load them only when the templates are on the page
[21:09:50] Which you can do with Gadgets technically but it's a bit messy and I don't like it
[22:13:11] i am gonna have a minor crashout
[22:13:24] yw
[22:13:29] [1/2] I FUCKING HATE FLOW WHY ARE YOU THERE GET OUT OF THERE
[22:13:29] [2/2] https://cdn.discordapp.com/attachments/1006789349498699827/1409299602649120830/image.png?ex=68ace008&is=68ab8e88&hm=4f5110ae354196dc45dd44f9d71af1b7de70b7cc8cf809390d6db1cdceb81e71&
[22:13:45] dammit i didn't cause your crashout
[22:13:56] nah that's still ongoing
[22:14:01] ah
[22:15:51] also to be clear, not by you, but the circumstances you are in
[22:16:07] i like being an agent of chaos and flabbergasting people sometimes
[22:16:24] [1/2] https://meta.miraheze.org/wiki/Help_desk#Log_out_problem
[22:16:24] [2/2] Can someone help this poor guy out?
[22:16:59] centralauth is a poor, sadistic creature...
[22:17:31] i can uninstall that while im installing searchdigest
[22:34:01] why does globaluserpage keep spiking in jobs
[22:35:32] gup!
[22:46:27] Would this matter for wikis that don't change user permissions? By default, anyone with `editinterface` can also edit sitewide js.
[22:48:30] No, only for those where the two perms are separate, like it is the case on WMF wikis
[22:48:42] This is also why i18n XSSs are in general low severity vulnerabilities
[22:54:51] sysop and interface-admin are separate by default
[22:55:27] Not in my case though
[23:01:29] oh wait, the entire time I thought sysop didn't have editinterface by default
[23:01:31] but it does
[23:01:32] oops