Fix misleading comment about svg filtering.
authorBrian Wolff <bawolff+wn@gmail.com>
Mon, 27 Jun 2016 09:47:21 +0000 (05:47 -0400)
committerBrian Wolff <bawolff+wn@gmail.com>
Mon, 27 Jun 2016 09:47:21 +0000 (05:47 -0400)
Follow-up 551d79a3e6754. See also Bug T122653.

Change-Id: I0662dc6618596bb3a3bad345de45b054b6f7f968

includes/upload/UploadBase.php

index ba5171f..5ec49ba 100644 (file)
@@ -1416,7 +1416,10 @@ abstract class UploadBase {
                                return [ 'uploaded-event-handler-on-svg', $attrib, $value ];
                        }
 
-                       # href with non-local target (don't allow http://, javascript:, etc)
+                       # Do not allow relative links, or unsafe url schemas.
+                       # For <a> tags, only data:, http: and https: and same-document
+                       # fragment links are allowed. For all other tags, only data:
+                       # and fragment are allowed.
                        if ( $stripped == 'href'
                                && strpos( $value, 'data:' ) !== 0
                                && strpos( $value, '#' ) !== 0
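Review bot: The rewritten comment says "unsafe url schemas" where it means URL schemes, and since this comment documents a security allowlist the wording should be exact: `# Do not allow relative links or unsafe URL schemes.` It would also help to add one line noting that the test is a prefix match, e.g. `# Matching is by prefix (strpos() === 0), so any value not starting with an allowed prefix is rejected.` From the visible lines the match is case-sensitive unless `$value` is normalised earlier, which fails closed but is worth confirming. The `if` condition continues past the end of this hunk, so the `<a>`-only http:/https: clause the comment describes is not visible here and should be checked against the new text.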