Don't trigger 'wikipage.diff' hook for content that looks like a diff

Follows-up 9cfb9cb9fba, and b62f0e91564.

Add data-mw="interface" to elements created by the interface
(e.g. not user-generated content) and use this to narrow down
scope of elements eligible for JavaScript binding.

This avoids bugs where e.g. the diff hook triggers on a wiki page about diffs.
This isn't a security issue per-se, but causing odd behaviour.

Also add missing tests for data-ooui filtering (follows-up aa9a52da).

Change-Id: I9a0c86c92d411538bd9e203ec6ae54616fdf49b8

diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index b1b5da2..4fc775f 100644 (file)
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -753,7 +753,7 @@ class Sanitizer {
                        # However:
                        # * data-ooui is reserved for ooui
                        # * data-mw and data-parsoid are reserved for parsoid
-                       # * data-mw-<ext name here> is reserved for extensions (or core) if
+                       # * data-mw-<name here> is reserved for extensions (or core) if
                        #   they need to communicate some data to the client and want to be
                        #   sure that it isn't coming from an untrusted user.
                        if ( !preg_match( '/^data-(?!ooui|mw|parsoid)/i', $attribute )

diff --git a/includes/diff/DifferenceEngine.php b/includes/diff/DifferenceEngine.php
index 93f0f6c..781b6a6 100644 (file)
--- a/includes/diff/DifferenceEngine.php
+++ b/includes/diff/DifferenceEngine.php
@@ -1068,8 +1068,10 @@ class DifferenceEngine extends ContextSource {
        public function addHeader( $diff, $otitle, $ntitle, $multi = '', $notice = '' ) {
                // shared.css sets diff in interface language/dir, but the actual content
                // is often in a different language, mostly the page content language/dir
-               $tableClass = 'diff diff-contentalign-' . htmlspecialchars( $this->getDiffLang()->alignStart() );
-               $header = "<table class='$tableClass'>";
+               $header = Html::openElement( 'table', array(
+                       'class' => array( 'diff', 'diff-contentalign-' . $this->getDiffLang()->alignStart() ),
+                       'data-mw' => 'interface',
+               ) );
                $userLang = htmlspecialchars( $this->getLanguage()->getHtmlCode() );
 
                if ( !$diff && !$otitle ) {

diff --git a/resources/src/mediawiki/page/startup.js b/resources/src/mediawiki/page/startup.js
index f2509e2..76bc36b 100644 (file)
--- a/resources/src/mediawiki/page/startup.js
+++ b/resources/src/mediawiki/page/startup.js
@@ -28,7 +28,7 @@
                 */
                mw.hook( 'wikipage.content' ).fire( $( '#mw-content-text' ) );
 
-               var $diff = $( 'table.diff' );
+               var $diff = $( 'table.diff[data-mw="interface"]' );
                if ( $diff.length ) {
                        /**
                         * Fired when the diff is added to a page containing a diff

diff --git a/tests/parser/parserTests.txt b/tests/parser/parserTests.txt
index c456fcb..a0e0b3a 100644 (file)
--- a/tests/parser/parserTests.txt
+++ b/tests/parser/parserTests.txt
@@ -20541,6 +20541,15 @@ HTML5 data attributes
 
 !! end
 
+!! test
+Strip reserved data attributes
+!! wikitext
+<div data-mw="foo" data-parsoid="bar" data-mw-someext="baz" data-ok="fred" data-ooui="xyzzy">d</div>
+!! html
+<div data-ok="fred">d</div>
+
+!! end
+
 !! test
 percent-encoding and + signs in internal links (Bug 26410)
 !! wikitext
@@ -26339,12 +26348,3 @@ Empty LI (T49673)
 <li>b</li>
 </ul>
 !! end
-
-!! test
-reserved data attributes stripped
-!! wikitext
-<div data-mw="foo" data-parsoid="bar" data-mw-someext="baz" data-ok="fred" data-ooui="xyzzy">d</div>
-!! html
-<div data-ok="fred">d</div>
-
-!! end