X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=includes%2FSanitizer.php;h=dd4a3146a0f2646d1dbc2c96746985f379853528;hb=aa618786ca255694aeabde5767232a6cba5ff717;hp=c4883ba289e02db9325c9072500a0cd43baf0134;hpb=b5e0337ddb857bf2f7a37aa7b7ba1b081a578e8c;p=lhc%2Fweb%2Fwiklou.git
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index c4883ba289..dd4a3146a0 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -782,21 +782,18 @@ class Sanitizer {
 
  # Allow any attribute beginning with "data-"
  # However:
- # * data-ooui is reserved for ooui
- # * data-mw and data-parsoid are reserved for parsoid
- # * data-mw- is reserved for extensions (or core) if
- # they need to communicate some data to the client and want to be
- # sure that it isn't coming from an untrusted user.
+ # * Disallow data attributes used by MediaWiki code
  # * Ensure that the attribute is not namespaced by banning
  # colons.
- if ( !preg_match( '/^data-(?!ooui|mw|parsoid)[^:]*$/i', $attribute )
+ if ( !preg_match( '/^data-[^:]*$/i', $attribute )
  && !isset( $whitelist[$attribute] )
+ || self::isReservedDataAttribute( $attribute )
  ) {
  continue;
  }
 
  # Strip javascript "expression" from stylesheets.
- # http://msdn.microsoft.com/workshop/author/dhtml/overview/recalc.asp
+ # https://msdn.microsoft.com/en-us/library/ms537634.aspx
  if ( $attribute == 'style' ) {
  $value = Sanitizer::checkCss( $value );
  }
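Review bot: The new condition mixes `&&` and `||` without parentheses, so it only reads as `( !preg_match(...) && !isset(...) ) || self::isReservedDataAttribute( $attribute )` because `&&` binds tighter; that is the intended meaning, but spelling it out protects the next editor from a misreading: `if ( ( !preg_match( '/^data-[^:]*$/i', $attribute ) && !isset( $whitelist[$attribute] ) ) || self::isReservedDataAttribute( $attribute ) )`. As written, the reserved-name check also runs on whitelisted attribute names, which is the fail-closed direction and worth a one-line comment saying so. The enclosing method begins and ends outside this hunk.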
@@ -858,6 +855,24 @@ class Sanitizer {
  return $out;
  }
 
+ /**
+ * Given an attribute name, checks whether it is a reserved data attribute
+ * (such as data-mw-foo) which is unavailable to user-generated HTML so MediaWiki
+ * core and extension code can safely use it to communicate with frontend code.
+ * @param string $attr Attribute name.
+ * @return bool
+ */
+ public static function isReservedDataAttribute( $attr ) {
+ // data-ooui is reserved for ooui.
+ // data-mw and data-parsoid are reserved for parsoid.
+ // data-mw- is reserved for extensions (or core) if
+ // they need to communicate some data to the client and want to be
+ // sure that it isn't coming from an untrusted user.
+ // We ignore the possibility of namespaces since user-generated HTML
+ // can't use them anymore.
+ return (bool)preg_match( '/^data-(ooui|mw|parsoid)/i', $attr );
+ }
+
  /**
  * Merge two sets of HTML attributes. Conflicting items in the second set
  * will override those in the first, except for 'class' attributes which
@@ -891,7 +906,6 @@ class Sanitizer {
  * @return string normalized css
  */
  public static function normalizeCss( $value ) {
- // Decode character references like {
  $value = Sanitizer::decodeCharReferences( $value );
@@ -1192,7 +1206,7 @@ class Sanitizer {
  ];
 
  $id = urlencode( strtr( $id, ' ', '_' ) );
- $id = str_replace( array_keys( $replace ), array_values( $replace ), $id );
+ $id = strtr( $id, $replace );
 
  if ( !preg_match( '/^[a-zA-Z]/', $id ) && !in_array( 'noninitial', $options ) ) {
  // Initial character must be a letter!
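Review bot: The regex `/^data-(ooui|mw|parsoid)/i` in isReservedDataAttribute matches by prefix and case-insensitively, so names such as `data-mwfoo`, `data-ooui2` or `DATA-PARSOID-x` are also treated as reserved, yet the docblock gives only `data-mw-foo` as an example and a caller may assume exact names are compared. Suggest adding to the description: `Matching is a case-insensitive prefix test: any name beginning with data-ooui, data-mw or data-parsoid counts as reserved.` This is the same superset the old negative lookahead rejected, so it is a documentation gap rather than a behaviour change, and since the method is public other code will rely on it. The parameter is untyped; a `string` declaration would fail fast on non-string input if the project's supported PHP baseline allows scalar type hints.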
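Review bot: `$id = strtr( $id, $replace );` is not a drop-in for the sequential `str_replace` it replaces: strtr makes a single pass, trying the longest key first and never re-scanning text it has already substituted, whereas str_replace applied each pair in turn to the output of the previous one. For an escape map applied to urlencode() output the single-pass behaviour is the safer one, since a replacement value can no longer be matched by a later key, but the intent deserves a comment so the change is not reverted as a cosmetic one: `// Single pass: strtr never re-matches replaced text, unlike chained str_replace`. `$replace` is built above the hunk, so whether any of its keys and values actually overlap is not visible here. The enclosing function starts and ends outside this hunk.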