From: C. Scott Ananian Date: Tue, 22 Dec 2015 23:24:33 +0000 (-0500) Subject: Don't allow attributes whose namespace starts with `data-`. X-Git-Tag: 1.31.0-rc.0~8573^2 X-Git-Url: https://git.heureux-cyclage.org/?p=lhc%2Fweb%2Fwiklou.git;a=commitdiff_plain;h=1888bf5601af86eb68d7840da3d12c08839dc01f Don't allow attributes whose namespace starts with `data-`. Change-Id: Ia76c74941b09e3ad131fe2fee31ffec3e540170b --- diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php index 4fc775ff4c..5242856434 100644 --- a/includes/Sanitizer.php +++ b/includes/Sanitizer.php @@ -756,7 +756,9 @@ class Sanitizer { # * data-mw- is reserved for extensions (or core) if # they need to communicate some data to the client and want to be # sure that it isn't coming from an untrusted user. - if ( !preg_match( '/^data-(?!ooui|mw|parsoid)/i', $attribute ) + # * Ensure that the attribute is not namespaced by banning # colons. + if ( !preg_match( '/^data-(?!ooui|mw|parsoid)[^:]*$/i', $attribute ) && !isset( $whitelist[$attribute] ) ) { continue; diff --git a/tests/parser/parserTests.txt b/tests/parser/parserTests.txt index a0e0b3a220..0ed8270e50 100644 --- a/tests/parser/parserTests.txt +++ b/tests/parser/parserTests.txt @@ -20544,7 +20544,7 @@ HTML5 data attributes !! test Strip reserved data attributes !! wikitext -
d
+
d
!! html
d
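Review bot: in the Sanitizer.php hunk, the new tail `[^:]*$` in `'/^data-(?!ooui|mw|parsoid)[^:]*$/i'` correctly rejects any `data-` name containing a colon, but PCRE's `$` without the `D` modifier also matches just before a trailing newline, so a name ending in a newline would still pass this branch; unless attribute names reaching this point are already guaranteed newline-free, `\z` (or adding the `D` modifier) is the stricter anchor. The added comment "Ensure that the attribute is not namespaced by banning colons" could also say that a rejected name still gets through when it is in `$whitelist`, since the `&& !isset( $whitelist[$attribute] )` condition is unchanged.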
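Review bot: in the parserTests.txt hunk, the existing case "Strip reserved data attributes" is edited in place rather than a new case being added; since the behaviour change is specifically about colon-containing (namespaced) `data-` names, a separate test named for that case would document the new rule more clearly than folding it into the reserved-prefix test.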