User: Fix loading of user_touched
[lhc/web/wiklou.git] / includes / Sanitizer.php
index b1b5da2..d41e559 100644 (file)
@@ -753,10 +753,12 @@ class Sanitizer {
                        # However:
                        # * data-ooui is reserved for ooui
                        # * data-mw and data-parsoid are reserved for parsoid
-                       # * data-mw-<ext name here> is reserved for extensions (or core) if
+                       # * data-mw-<name here> is reserved for extensions (or core) if
                        #   they need to communicate some data to the client and want to be
                        #   sure that it isn't coming from an untrusted user.
-                       if ( !preg_match( '/^data-(?!ooui|mw|parsoid)/i', $attribute )
+                       # * Ensure that the attribute is not namespaced by banning
+                       #   colons.
+                       if ( !preg_match( '/^data-(?!ooui|mw|parsoid)[^:]*$/i', $attribute )
                                && !isset( $whitelist[$attribute] )
                        ) {
                                continue;
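Review bot: The new pattern on the `preg_match` line anchors with `$` but without the `D` modifier, so PCRE still accepts a name that ends in a newline. In addition, `[^:]*` matches any character other than a colon, including whitespace and control characters. If the caller already restricts `$attribute` to a name-character set (not visible in this hunk), this is harmless; otherwise the check is looser than the added comment implies. Consider anchoring the end strictly, e.g. `'/^data-(?!ooui|mw|parsoid)[^:]*$/Di'` or `\z` in place of `$`, and say in the comment that only colons are rejected at this point. The enclosing loop and function begin and end outside the hunk.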
@@ -948,7 +950,6 @@ class Sanitizer {
                return $value;
        }
 
-
        /**
         * Pick apart some CSS and check it for forbidden or unsafe structures.
         * Returns a sanitized string. This sanitized string will have