}
$badtag = false;
- if ( isset( $htmlelements[$t = strtolower( $t )] ) ) {
+ $t = strtolower( $t );
+ if ( isset( $htmlelements[$t] ) ) {
# Check our stack
if ( $slash && isset( $htmlsingleonly[$t] ) ) {
$badtag = true;
list( /* $qbar */, $slash, $t, $params, $brace, $rest ) = $regs;
$badtag = false;
- if ( isset( $htmlelements[$t = strtolower( $t )] ) ) {
+ $t = strtolower( $t );
+ if ( isset( $htmlelements[$t] ) ) {
if ( is_callable( $processCallback ) ) {
call_user_func_array( $processCallback, array( &$params, $args ) );
}
}
# Allow any attribute beginning with "data-"
- if ( !preg_match( '/^data-(?!ooui)/i', $attribute ) && !isset( $whitelist[$attribute] ) ) {
+ # However:
+ # * data-ooui is reserved for ooui
+ # * data-mw and data-parsoid are reserved for parsoid
+ # * data-mw-<ext name here> is reserved for extensions (or core) if
+ # they need to communicate some data to the client and want to be
+ # sure that it isn't coming from an untrusted user.
+ if ( !preg_match( '/^data-(?!ooui|mw|parsoid)/i', $attribute )
+ && !isset( $whitelist[$attribute] )
+ ) {
continue;
}
# 10.2
'ul' => array_merge( $common, array( 'type' ) ),
- 'ol' => array_merge( $common, array( 'type', 'start' ) ),
+ 'ol' => array_merge( $common, array( 'type', 'start', 'reversed' ) ),
'li' => array_merge( $common, array( 'type', 'value' ) ),
# 10.3