jenkins-bot has submitted this change and it was merged. Change subject: Reserve data-mw and data-parsoid attribute prefix for trusted values ......................................................................
Reserve data-mw and data-parsoid attribute prefix for trusted values Don't let users set attributes starting with data-mw or data-parsoid. The main idea is to allow MediaWiki to use data-mw-<something> attributes for trusted input to client side scripts. There have been a couple security vulnerabilities in the past based on users being able to manipulate a data attribute, which client side was assuming was trusted. Also include data-mw and data-parsoid as both are used by Parsoid currently. See https://lists.wikimedia.org/pipermail/wikitech-l/2015-November/083811.html A corresponding change will also have to be made in Parsoid. Change-Id: I06585380bde3bc57b17ad76740c5acc2056d7c44 --- M includes/Sanitizer.php M tests/parser/parserTests.txt 2 files changed, 18 insertions(+), 1 deletion(-) Approvals: CSteipp: Looks good to me, but someone else must approve Subramanya Sastry: Looks good to me, but someone else must approve Legoktm: Looks good to me, approved jenkins-bot: Verified diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php index a856f1e..5443e68 100644 --- a/includes/Sanitizer.php +++ b/includes/Sanitizer.php @@ -750,7 +750,15 @@ } # Allow any attribute beginning with "data-" - if ( !preg_match( '/^data-(?!ooui)/i', $attribute ) && !isset( $whitelist[$attribute] ) ) { + # However: + # * data-ooui is reserved for ooui + # * data-mw and data-parsoid are reserved for parsoid + # * data-mw-<ext name here> is reserved for extensions (or core) if + # they need to communicate some data to the client and want to be + # sure that it isn't coming from an untrusted user. + if ( !preg_match( '/^data-(?!ooui|mw|parsoid)/i', $attribute ) + && !isset( $whitelist[$attribute] ) + ) { continue; } diff --git a/tests/parser/parserTests.txt b/tests/parser/parserTests.txt index 58860e9..c456fcb 100644 --- a/tests/parser/parserTests.txt +++ b/tests/parser/parserTests.txt @@ -26339,3 +26339,12 @@ <li>b</li> </ul> !! end + +!! test +reserved data attributes stripped +!! wikitext +<div data-mw="foo" data-parsoid="bar" data-mw-someext="baz" data-ok="fred" data-ooui="xyzzy">d</div> +!! html +<div data-ok="fred">d</div> + +!! end -- To view, visit https://gerrit.wikimedia.org/r/252892 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I06585380bde3bc57b17ad76740c5acc2056d7c44 Gerrit-PatchSet: 3 Gerrit-Project: mediawiki/core Gerrit-Branch: master Gerrit-Owner: Brian Wolff <[email protected]> Gerrit-Reviewer: Brian Wolff <[email protected]> Gerrit-Reviewer: CSteipp <[email protected]> Gerrit-Reviewer: Cscott <[email protected]> Gerrit-Reviewer: Jackmcbarn <[email protected]> Gerrit-Reviewer: Legoktm <[email protected]> Gerrit-Reviewer: Subramanya Sastry <[email protected]> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
