X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=includes%2FSanitizer.php;h=8920e92f4362390e519300f23bd3ec26faff3cbb;hb=f44275ec1f2d243563b60041b7a29052f60bda24;hp=e9519c3c23a4d05b2ef250a40dc41867ad8f30c1;hpb=464f0c72a5c97e741a7fd36998426f7efa5f9090;p=lhc%2Fweb%2Fwiklou.git
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index e9519c3c23..8920e92f43 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -782,15 +782,12 @@ class Sanitizer {
 # Allow any attribute beginning with "data-"
 # However:
- # * data-ooui is reserved for ooui
- # * data-mw and data-parsoid are reserved for parsoid
- # * data-mw- is reserved for extensions (or core) if
- # they need to communicate some data to the client and want to be
- # sure that it isn't coming from an untrusted user.
+ # * Disallow data attributes used by MediaWiki code
 # * Ensure that the attribute is not namespaced by banning
 # colons.
- if ( !preg_match( '/^data-(?!ooui|mw|parsoid)[^:]*$/i', $attribute )
+ if ( !preg_match( '/^data-[^:]*$/i', $attribute )
 && !isset( $whitelist[$attribute] )
+ || self::isReservedDataAttribute( $attribute )
 ) {
 continue;
 }
@@ -835,7 +832,7 @@ class Sanitizer {
 # NOTE: even though elements using href/src are not allowed directly, supply
 # validation code that can be used by tag hook handlers, etc
- if ( $attribute === 'href' || $attribute === 'src' ) {
+ if ( $attribute === 'href' || $attribute === 'src' || $attribute === 'poster' ) {
 if ( !preg_match( $hrefExp, $value ) ) {
 continue; // drop any href or src attributes not using an allowed protocol.
 // NOTE: this also drops all relative URLs
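Review bot: The new `if` condition relies on `&&` binding tighter than `||`: it evaluates as `(!preg_match(...) && !isset(...)) || self::isReservedDataAttribute(...)`, which is the intended filter, but a reader can easily take the `||` as applying only to the `isset` clause, and this is the line that decides whether an attribute reaches output. Make the grouping explicit: `if ( ( !preg_match( '/^data-[^:]*$/i', $attribute ) && !isset( $whitelist[$attribute] ) )` followed by `|| self::isReservedDataAttribute( $attribute )`. The replacement bullet could also name the helper so the two stay in sync: `# * Disallow data attributes reserved for MediaWiki code (see isReservedDataAttribute())`. The enclosing method starts and ends outside the hunk.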
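Review bot: The `# NOTE: even though elements using href/src are not allowed directly` comment above the changed line stops being accurate once this commit's tag-whitelist hunk (at 1760) admits `source` and `track` with `src`, so this branch becomes the only check between user-supplied markup and a URL the reader's browser will fetch; the comment should say that src and poster now reach here directly and that `$hrefExp` is the protocol gate. The inline comment on `continue` still says `drop any href or src attributes`, so poster belongs in it too: `continue; // drop any href, src or poster attributes not using an allowed protocol.`. The enclosing method starts and ends outside the hunk.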
@@ -858,6 +855,24 @@ class Sanitizer {
 return $out;
 }
+ /**
+ * Given an attribute name, checks whether it is a reserved data attribute
+ * (such as data-mw-foo) which is unavailable to user-generated HTML so MediaWiki
+ * core and extension code can safely use it to communicate with frontend code.
+ * @param string $attr Attribute name.
+ * @return bool
+ */
+ public static function isReservedDataAttribute( $attr ) {
+ // data-ooui is reserved for ooui.
+ // data-mw and data-parsoid are reserved for parsoid.
+ // data-mw- is reserved for extensions (or core) if
+ // they need to communicate some data to the client and want to be
+ // sure that it isn't coming from an untrusted user.
+ // We ignore the possibility of namespaces since user-generated HTML
+ // can't use them anymore.
+ return (bool)preg_match( '/^data-(ooui|mw|parsoid)/i', $attr );
+ }
+
 /**
 * Merge two sets of HTML attributes. Conflicting items in the second set
 * will override those in the first, except for 'class' attributes which
@@ -1192,7 +1207,7 @@ class Sanitizer {
 ];
 $id = urlencode( strtr( $id, ' ', '_' ) );
- $id = str_replace( array_keys( $replace ), array_values( $replace ), $id );
+ $id = strtr( $id, $replace );
 if ( !preg_match( '/^[a-zA-Z]/', $id ) && !in_array( 'noninitial', $options ) ) {
 // Initial character must be a letter!
@@ -1760,6 +1775,10 @@ class Sanitizer {
 # true
 'img' => array_merge( $common, [ 'alt', 'src', 'width', 'height' ] ),
+ 'video' => array_merge( $common, [ 'poster', 'controls', 'preload', 'width', 'height' ] ),
+ 'source' => array_merge( $common, [ 'type', 'src' ] ),
+ 'track' => array_merge( $common, [ 'type', 'src', 'srclang', 'kind', 'label' ] ),
+
 # 15.2.1
 'tt' => $common,
 'b' => $common,
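Review bot: The docblock of `isReservedDataAttribute()` gives reserved names by example but does not say that the test is a case-insensitive prefix match with no terminator, so `data-mwfoo`, `data-OOUI-x` and `data-parsoidal` are all reserved; a caller reading only the docblock may assume exact or hyphen-delimited matching and pick a colliding name. Add to the docblock: ` * Matching is a case-insensitive prefix test: any name starting with data-ooui, data-mw or data-parsoid is reserved.`. Minor: `(bool)preg_match( ... )` turns a PCRE failure (`false`) into "not reserved", so the filter fails open; with a constant pattern that is only reachable through a PCRE runtime error, but if fail-closed is preferred, `return preg_match( '/^data-(ooui|mw|parsoid)/i', $attr ) !== 0;` keeps an error on the reserved side.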
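Review bot: `strtr( $id, $replace )` is not a drop-in for the removed `str_replace` call: str_replace applies the pairs one after another over the whole string, so a later key can match text produced by an earlier replacement, whereas strtr makes a single pass, tries the longest key first, never re-scans replaced text and ignores empty-string keys. The two agree only when no value in `$replace` contains or completes another key; `$replace` is built above the hunk, so that cannot be confirmed from here and should be stated next to the table, e.g. `// strtr is single-pass and longest-key-first: keep replacement values free of other keys`. The enclosing method starts and ends outside the hunk.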
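Review bot: The new `source` and `track` entries put `src` into the tag whitelist for user-generated HTML and `video` gets `poster`, so these elements make the reader's browser fetch whatever URL survives attribute validation, while the NOTE in this commit's href/src hunk (at 835) still describes src as not allowed directly; record the dependency here, e.g. `# src/poster are subject to the href/src protocol validation in the attribute loop; relative URLs are dropped there`. `video` itself gets `controls`/`preload` but no `src`, while `source` does; if that is deliberate, a one-line comment saying so would stop it being "fixed" later. Whether `kind`, `srclang`, `label` and `type` need any value validation beyond the generic attribute handling is not visible from this hunk.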