Match Parsoid's attribute sanitization for video elements
authorArlo Breault <abreault@wikimedia.org>
Fri, 21 Apr 2017 13:24:58 +0000 (09:24 -0400)
committerC. Scott Ananian <cananian@wikimedia.org>
Fri, 21 Apr 2017 20:25:51 +0000 (20:25 +0000)
 * Maybe the extension content from TimedMediaHandler isn't being
   sanitized through this path, but regardless, it's probably best to keep
   the core Sanitizer and Parsoid implementations in sync.

Bug: T163583
Depends-On: I53c6fa8d862c152bb1c8dd3ae96f4ee464a60d32
Change-Id: I6fc4895c319419261bd56791ebdf934596453399

includes/Sanitizer.php

index e9519c3..c4883ba 100644 (file)
@@ -835,7 +835,7 @@ class Sanitizer {
 
                        # NOTE: even though elements using href/src are not allowed directly, supply
                        #       validation code that can be used by tag hook handlers, etc
-                       if ( $attribute === 'href' || $attribute === 'src' ) {
+                       if ( $attribute === 'href' || $attribute === 'src' || $attribute === 'poster' ) {
                                if ( !preg_match( $hrefExp, $value ) ) {
                                        continue; // drop any href or src attributes not using an allowed protocol.
                                        // NOTE: this also drops all relative URLs
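Review bot: The trailing comment on the `continue` line still reads "drop any href or src attributes" although the condition now also covers `poster`; change it to `continue; // drop any href, src or poster attributes not using an allowed protocol.` so the next reader does not assume poster is exempt. The NOTE below it applies to poster as well: a poster given as a relative path is dropped by `$hrefExp`, which matters if the caller named in the description (TimedMediaHandler) emits local thumbnail URLs relative to the script path rather than absolute ones — worth confirming against the extension before relying on this check. The enclosing method starts before and ends after this hunk, so I am assuming `$hrefExp` is the same protocol-whitelist regex that already governs href and src.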
@@ -1760,6 +1760,10 @@ class Sanitizer {
                        # true
                        'img'        => array_merge( $common, [ 'alt', 'src', 'width', 'height' ] ),
 
+                       'video'      => array_merge( $common, [ 'poster', 'controls', 'preload', 'width', 'height' ] ),
+                       'source'     => array_merge( $common, [ 'type', 'src' ] ),
+                       'track'      => array_merge( $common, [ 'type', 'src', 'srclang', 'kind', 'label' ] ),
+
                        # 15.2.1
                        'tt'         => $common,
                        'b'          => $common,
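Review bot: The three new whitelist entries are appended under the `img` group's `# true` label with no heading of their own, while every other group in this table is introduced by a spec-section comment; add one above `'video'`, e.g. `# HTML5 media elements (no HTML 4.01 section); attributes validated for tag hook handlers such as TimedMediaHandler`. That comment should also say that `poster` on `video` and `src` on `source`/`track` are only safe because the href/src/poster protocol check in the previous hunk runs first — this table alone does not stop a `javascript:` URL. Whether `video`, `source` and `track` are reachable from raw wikitext depends on the recognized-tag list, which is outside this hunk; if they are intended only for tag hooks, stating so here keeps someone from adding them to that list without considering attributes like `autoplay` that are deliberately absent.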