X-Git-Url: http://git.heureux-cyclage.org/?a=blobdiff_plain;f=includes%2FSanitizer.php;h=5aaa3ed10660fae19645810df22aadb69d43db21;hb=016452cd09f4b32100f4fa3740168c5fc161d496;hp=5f6abee48535dd533f3d84f4b32c90825f714fc5;hpb=980c688c2b9833fd83c3f4a7f5bf75031a071c74;p=lhc%2Fweb%2Fwiklou.git

diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index 5f6abee485..5aaa3ed106 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -782,15 +782,12 @@ class Sanitizer {
 
 			# Allow any attribute beginning with "data-"
 			# However:
-			# * data-ooui is reserved for ooui
-			# * data-mw and data-parsoid are reserved for parsoid
-			# * data-mw- is reserved for extensions (or core) if
-			#   they need to communicate some data to the client and want to be
-			#   sure that it isn't coming from an untrusted user.
+			# * Disallow data attributes used by MediaWiki code
 			# * Ensure that the attribute is not namespaced by banning
 			#   colons.
-			if ( !preg_match( '/^data-(?!ooui|mw|parsoid)[^:]*$/i', $attribute )
+			if ( !preg_match( '/^data-[^:]*$/i', $attribute )
 				&& !isset( $whitelist[$attribute] )
+				|| self::isReservedDataAttribute( $attribute )
 			) {
 				continue;
 			}
@@ -835,7 +832,7 @@ class Sanitizer {
 
 			# NOTE: even though elements using href/src are not allowed directly, supply
 			# validation code that can be used by tag hook handlers, etc
-			if ( $attribute === 'href' || $attribute === 'src' ) {
+			if ( $attribute === 'href' || $attribute === 'src' || $attribute === 'poster' ) {
 				if ( !preg_match( $hrefExp, $value ) ) {
 					continue; // drop any href or src attributes not using an allowed protocol.
 					// NOTE: this also drops all relative URLs
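Review bot: The rewritten condition `if ( !preg_match( '/^data-[^:]*$/i', $attribute ) && !isset( $whitelist[$attribute] ) || self::isReservedDataAttribute( $attribute ) )` mixes `&&` and `||` without parentheses, so the intended grouping — skip when the name is neither a plain data- attribute nor whitelisted, or when it is reserved — rests on operator precedence alone and is easy to misread as `!isset(...) || reserved`. Make it explicit: `if ( ( !preg_match( '/^data-[^:]*$/i', $attribute ) && !isset( $whitelist[$attribute] ) ) || self::isReservedDataAttribute( $attribute ) ) {`. Worth a line in the commit description: a reserved name is now dropped even when a tag's `$whitelist` lists it, whereas the old single regex let `isset( $whitelist[$attribute] )` win, which is the safer direction but a behaviour change. The replacement comment `# * Disallow data attributes used by MediaWiki code` no longer names the prefixes; `# * Disallow the data-ooui/data-mw/data-parsoid prefixes reserved for MediaWiki code (see isReservedDataAttribute)` saves the reader a trip to the helper. The enclosing method starts and ends outside the hunk.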
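Review bot: The comment on the `continue` still reads `drop any href or src attributes not using an allowed protocol`, but with this change `poster` goes through the same `$hrefExp` check and is dropped on the same line; update it to `continue; // drop any href, src or poster attributes not using an allowed protocol.` The header comment two lines up (`elements using href/src`) could likewise read `href/src/poster`. Routing `poster` through the protocol check here looks like the right place, since among the attributes added to the `video`/`source`/`track` whitelist entries further down it is the only URL-bearing one besides `src`, which this branch already covered. The enclosing method starts and ends outside the hunk.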
@@ -858,6 +855,24 @@ class Sanitizer {
 		return $out;
 	}
 
+	/**
+	 * Given an attribute name, checks whether it is a reserved data attribute
+	 * (such as data-mw-foo) which is unavailable to user-generated HTML so MediaWiki
+	 * core and extension code can safely use it to communicate with frontend code.
+	 * @param string $attr Attribute name.
+	 * @return bool
+	 */
+	public static function isReservedDataAttribute( $attr ) {
+		// data-ooui is reserved for ooui.
+		// data-mw and data-parsoid are reserved for parsoid.
+		// data-mw- is reserved for extensions (or core) if
+		// they need to communicate some data to the client and want to be
+		// sure that it isn't coming from an untrusted user.
+		// We ignore the possibility of namespaces since user-generated HTML
+		// can't use them anymore.
+		return (bool)preg_match( '/^data-(ooui|mw|parsoid)/i', $attr );
+	}
+
 	/**
 	 * Merge two sets of HTML attributes. Conflicting items in the second set
 	 * will override those in the first, except for 'class' attributes which
@@ -1760,6 +1775,10 @@ class Sanitizer {
 			# true
 			'img' => array_merge( $common, [ 'alt', 'src', 'width', 'height' ] ),
 
+			'video' => array_merge( $common, [ 'poster', 'controls', 'preload', 'width', 'height' ] ),
+			'source' => array_merge( $common, [ 'type', 'src' ] ),
+			'track' => array_merge( $common, [ 'type', 'src', 'srclang', 'kind', 'label' ] ),
+
 			# 15.2.1
 			'tt' => $common,
 			'b' => $common,
@@ -1784,7 +1803,7 @@ class Sanitizer {
 			'rb' => $common,
 			'rp' => $common,
 			'rt' => $common, # array_merge( $common, array( 'rbspan' ) ),
-			'rtc' => $common,
+			'rtc' => $common,
 
 			# MathML root element, where used for extensions
 			# 'title' may not be 100% valid here; it's XHTML
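Review bot: `isReservedDataAttribute` reserves by prefix — the pattern `/^data-(ooui|mw|parsoid)/i` has nothing after the group, so `data-mwfoo` and `data-parsoidx` are reserved as much as `data-mw-foo` — yet the docblock offers only `data-mw-foo` as an example, and because the method is public, extension authors will read that docblock as the contract. State it, and state that namespaces are not checked here: `Matches case-insensitively by prefix: any name beginning with data-ooui, data-mw or data-parsoid (so data-mwfoo too) counts as reserved. Names containing a colon are not rejected by this method; the caller that validates attributes bans those separately.` This mirrors the old negative lookahead `(?!ooui|mw|parsoid)`, so it is a documentation gap rather than a behaviour change. The body comment `We ignore the possibility of namespaces since user-generated HTML can't use them anymore` relies on a colon ban that lives outside this method; phrasing it as a precondition rather than a fact keeps that dependency visible to anyone calling it from a new code path.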
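Review bot: The three new whitelist entries carry no comment, while the neighbouring `img` entry explains why a tag that is not usually allowed appears in this list; the same question arises here, so add one above `'video'`, e.g. `# Like img, presumably not allowed directly in wikitext; listed so that tag hook handlers can validate media markup. src and poster still go through the href/src/poster protocol check.` On content, `src` (on `source` and `track`) and `poster` are the only URL-bearing attributes added and both fall under that protocol check in this same change; `controls`, `preload`, `type`, `srclang`, `kind` and `label` take boolean, enumerated or descriptive values, so none of the new attributes is script-capable on its own. `autoplay`, `loop` and `muted` are absent — if that omission is deliberate, the comment is the place to say so. The enclosing array literal starts and ends outside the hunk.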