X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=includes%2FSanitizer.php;h=b1b5da2d599c51daba3058b1528a14740f659989;hb=9ab6887c8c93014a17afd6ab81f6bac3bf5effd6;hp=f88dd057e7fbe81d7acf0645f2bf7d5c11a297b6;hpb=af4d3cd4a0864e33d3ba0791853742e2a487d16d;p=lhc%2Fweb%2Fwiklou.git
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index f88dd057e7..b1b5da2d59 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -476,7 +476,8 @@ class Sanitizer {
 }
 
 $badtag = false;
- if ( isset( $htmlelements[$t = strtolower( $t )] ) ) {
+ $t = strtolower( $t );
+ if ( isset( $htmlelements[$t] ) ) {
 # Check our stack
 if ( $slash && isset( $htmlsingleonly[$t] ) ) {
 $badtag = true;
@@ -596,7 +597,8 @@ class Sanitizer {
 list( /* $qbar */, $slash, $t, $params, $brace, $rest ) = $regs;
 
 $badtag = false;
- if ( isset( $htmlelements[$t = strtolower( $t )] ) ) {
+ $t = strtolower( $t );
+ if ( isset( $htmlelements[$t] ) ) {
 if ( is_callable( $processCallback ) ) {
 call_user_func_array( $processCallback, array( &$params, $args ) );
 }
@@ -748,7 +750,15 @@ class Sanitizer {
 }
 
 # Allow any attribute beginning with "data-"
- if ( !preg_match( '/^data-(?!ooui)/i', $attribute ) && !isset( $whitelist[$attribute] ) ) {
+ # However:
+ # * data-ooui is reserved for ooui
+ # * data-mw and data-parsoid are reserved for parsoid
+ # * data-mw- is reserved for extensions (or core) if
+ # they need to communicate some data to the client and want to be
+ # sure that it isn't coming from an untrusted user.
+ if ( !preg_match( '/^data-(?!ooui|mw|parsoid)/i', $attribute )
+ && !isset( $whitelist[$attribute] )
+ ) {
 continue;
 }
 
@@ -1629,7 +1639,7 @@ class Sanitizer {
 # 10.2
 'ul' => array_merge( $common, array( 'type' ) ),
- 'ol' => array_merge( $common, array( 'type', 'start' ) ),
+ 'ol' => array_merge( $common, array( 'type', 'start', 'reversed' ) ),
 'li' => array_merge( $common, array( 'type', 'value' ) ),
 # 10.3
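Review bot: The hoisted `$t = strtolower( $t );` still canonicalizes the tag name with a function that is locale-sensitive on PHP versions before 8.2 (it honours `LC_CTYPE`), so whether e.g. `<B>` or `<I>` is recognized as a key of `$htmlelements` can depend on process locale state (a Turkish single-byte locale folds `I` to something other than `i`) instead of on HTML's ASCII-only case rule. The mismatch leans toward treating an unrecognized tag as text rather than admitting one, so it reads as a robustness concern rather than a bypass, but the whitelist lookup should not depend on locale; consider an ASCII-only fold such as `$t = strtr( $t, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz' );` or at least a comment recording the assumption, `# ASCII case-fold: HTML tag names are ASCII case-insensitive and every key below is lowercase ASCII`. The identical line is introduced again in the following hunk. The enclosing method starts and ends outside the hunk.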
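Review bot: The new comment names `data-mw-` as the reserved extension prefix, but the lookahead `(?!ooui|mw|parsoid)` rejects every attribute whose name merely starts with `data-mw` or `data-parsoid` (so `data-mwfoo` is dropped as well); that is the safe direction, but the comment should state it, e.g. `# Reject by prefix: any name beginning with data-ooui, data-mw or data-parsoid is dropped, not just the exact names`. The `/i` flag is what keeps the check holding for mixed-case input such as `DATA-MW-x`, and whether `$attribute` was lowercased earlier is not visible in this hunk, so the behaviour should be pinned by a sanitizer test asserting that `data-MW-x` and `Data-Parsoid` are removed while `data-foo` survives — dropping the flag later would silently let user-supplied `data-mw-*` attributes reach client code that treats them as trusted. Note also that the trailing `&& !isset( $whitelist[$attribute] )` means a reserved name that appears in a per-tag whitelist would still be accepted; if that is not intended, a short comment or an unconditional reject for the reserved prefixes ahead of the whitelist test would make the contract explicit. The enclosing method starts and ends outside the hunk.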