only allow xmlns:* if RDFa is enabled
authorDaniel Kinzler <daniel@users.mediawiki.org>
Fri, 13 Nov 2009 21:57:13 +0000 (21:57 +0000)
committerDaniel Kinzler <daniel@users.mediawiki.org>
Fri, 13 Nov 2009 21:57:13 +0000 (21:57 +0000)
includes/Sanitizer.php

index 1277dce..d273d38 100644 (file)
@@ -614,13 +614,15 @@ class Sanitizer {
         * @todo Check for unique id attribute :P
         */
        static function validateAttributes( $attribs, $whitelist ) {
+               global $wgAllowRdfaAttributes;
+
                $whitelist = array_flip( $whitelist );
                $hrefExp = '/^(' . wfUrlProtocols() . ')[^\s]+$/';
 
                $out = array();
                foreach( $attribs as $attribute => $value ) {
-                       #allow XML namespace declaration. Useful especially with RDFa
-                       if ( preg_match( MW_XMLNS_ATTRIBUTE_PATTRN, $attribute ) ) {
+                       #allow XML namespace declaration if RDFa is enabled
+                       if ( $wgAllowRdfaAttributes && preg_match( MW_XMLNS_ATTRIBUTE_PATTRN, $attribute ) ) {
                                if ( !preg_match( MW_EVIL_URI_PATTERN, $value ) ) {
                                        $out[$attribute] = $value;
                                }
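Review bot: The `xmlns:*` branch still checks the namespace value only against a denylist, `!preg_match( MW_EVIL_URI_PATTERN, $value )`, and then copies the attribute into `$out` without consulting `$whitelist`, so once `$wgAllowRdfaAttributes` is on, any value that pattern (defined outside this hunk) does not anticipate is passed through. `$hrefExp` is already built a few lines above from `wfUrlProtocols()`; an allowlist check such as `if ( preg_match( $hrefExp, $value ) ) {` would limit namespace URIs to the configured protocols, provided that is acceptable for the namespaces RDFa users need to declare. The comment could also state the bypass explicitly, e.g. `# xmlns:* is not in $whitelist; accepted only when RDFa is enabled and the value passes the URI check`. The loop body continues outside the hunk, so whether this branch ends in `continue`, and how an xmlns attribute is handled when the flag is off, cannot be confirmed from here.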