reverting r58694, needs to be done as parser tag hook in order to register as externa...

diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index ab521e8..0cb5b0b 100644 (file)
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -353,7 +353,7 @@ class Sanitizer {
                if ( !$staticInitialised ) {
 
                        $htmlpairsStatic = array( # Tags that must be closed
-                               'a', 'b', 'del', 'i', 'ins', 'u', 'font', 'big', 'small', 'sub', 'sup', 'h1',
+                               'b', 'del', 'i', 'ins', 'u', 'font', 'big', 'small', 'sub', 'sup', 'h1',
                                'h2', 'h3', 'h4', 'h5', 'h6', 'cite', 'code', 'em', 's',
                                'strike', 'strong', 'tt', 'var', 'div', 'center',
                                'blockquote', 'ol', 'ul', 'dl', 'table', 'caption', 'pre',
@@ -605,8 +605,6 @@ class Sanitizer {
         */
        static function validateAttributes( $attribs, $whitelist ) {
                $whitelist = array_flip( $whitelist );
-               $hrefExp = '/^(' . wfUrlProtocols() . ')[^\s]+$/';
-
                $out = array();
                foreach( $attribs as $attribute => $value ) {
                        if( !isset( $whitelist[$attribute] ) ) {
@@ -628,23 +626,6 @@ class Sanitizer {
                                        $wgEnforceHtmlIds ? 'noninitial' : 'xml' );
                        }
 
-                       if ( $attribute === 'href' || $attribute === 'src' ) {
-                               if ( !preg_match( $hrefExp, $value ) ) {
-                                       continue; //drop any href or src attributes not using an allowed protocol.
-                                                 //NOTE: this also drops all relative URLs
-                               }
-                       }
-
-                       //RDFa properties allow URIs. check them
-                       if ( $attribute === 'rel' || $attribute === 'rev' || 
-                               $attribute === 'about' || $attribute === 'property' || $attribute === 'resource' ||
-                               $attribute === 'datatype' || $attribute === 'typeof' ) {  
-                               //Paranoia. Allow "simple" values but suppress javascript
-                               if ( preg_match( '/(^|\s)javascript\s*:/i', $value ) ) {
-                                       continue; 
-                               }
-                       }
-
                        // If this attribute was previously set, override it.
                        // Output should only have one attribute of each name.
                        $out[$attribute] = $value;
@@ -1173,11 +1154,7 @@ class Sanitizer {
         * @return Array
         */
        static function setupAttributeWhitelist() {
-               $common = array( 'id', 'class', 'lang', 'dir', 'title', 'style',
-                                #RDFa attributes as specified in section 9 of http://www.w3.org/TR/2008/REC-rdfa-syntax-20081014
-                                'about', 'property', 'resource', 'datatype', 'typeof', 
-                               );
-
+               $common = array( 'id', 'class', 'lang', 'dir', 'title', 'style' );
                $block = array_merge( $common, array( 'align' ) );
                $tablealign = array( 'align', 'char', 'charoff', 'valign' );
                $tablecell = array( 'abbr',
@@ -1283,9 +1260,6 @@ class Sanitizer {
                        'td'         => array_merge( $common, $tablecell, $tablealign ),
                        'th'         => array_merge( $common, $tablecell, $tablealign ),
 
-                       # 12.2
-                       'a'          => array_merge( $common, array( 'href', 'rel', 'rev' ) ), # rel/rev esp. for RDFa 
-
                        # 13.2
                        # Not usually allowed, but may be used for extension-style hooks
                        # such as <math> when it is rasterized