SECURITY: Do not allow data-ooui attributes in wikitext
author: Kunal Mehta <legoktm@gmail.com>
Thu, 9 Jul 2015 22:56:17 +0000 (15:56 -0700)
committer: Kunal Mehta <legoktm@gmail.com>
Fri, 10 Jul 2015 20:28:05 +0000 (13:28 -0700)
We now automatically infuse any element with a data-ooui attribute, so
allowing them in wikitext allows rendering any arbitrary OOUI widget,
some of which (ButtonWidget) are unsafe and can lead to XSS.

By blacklisting data-ooui, widgets cannot be created in wikitext.
T101666 will enable a safe subset of them.

Bug: T105413
Change-Id: I3f63594a41e9cac3219791e181a2f93818178263

includes/Sanitizer.php

index 2340cd9..ddaf1b2 100644 (file)
@@ -753,7 +753,7 @@ class Sanitizer {
                        }
 
                        # Allow any attribute beginning with "data-"
-                       if ( !preg_match( '/^data-/i', $attribute ) && !isset( $whitelist[$attribute] ) ) {
+                       if ( !preg_match( '/^data-(?!ooui)/i', $attribute ) && !isset( $whitelist[$attribute] ) ) {
                                continue;
                        }
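Review bot: The comment directly above the changed line, `# Allow any attribute beginning with "data-"`, no longer describes the condition and should be updated to record the exception, e.g. `# Allow any attribute beginning with "data-", except data-ooui (auto-infused, see T105413)`; without it, a later reader is likely to "simplify" the lookahead back out. Two further points on the condition itself: `(?!ooui)` with the `/i` flag rejects every attribute name that starts with `data-ooui` in any case (`data-ooui`, `data-ooui-foo`, `DATA-OOUI`), not just the exact attribute, which is the conservative choice for a sanitizer but worth stating in the commit message or comment; and because this is a blacklist on an otherwise open `data-*` allowance, a unit test in the Sanitizer test suite asserting that `data-ooui` is stripped while a neutral `data-*` attribute survives would pin the intent until T101666 replaces it with an allow-list.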