Cscott has uploaded a new change for review.
https://gerrit.wikimedia.org/r/260690
Change subject: Don't allow attributes whose namespace starts with `data-`.
......................................................................
Don't allow attributes whose namespace starts with `data-`.
Change-Id: Ia76c74941b09e3ad131fe2fee31ffec3e540170b
---
M includes/Sanitizer.php
1 file changed, 1 insertion(+), 1 deletion(-)
git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/90/260690/1
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index a856f1e..0c2430b 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -750,7 +750,7 @@
}
# Allow any attribute beginning with "data-"
- if ( !preg_match( '/^data-(?!ooui)/i', $attribute ) &&
!isset( $whitelist[$attribute] ) ) {
+ if ( !preg_match( '/^data-(?!ooui)[^:]*$/i', $attribute
) && !isset( $whitelist[$attribute] ) ) {
continue;
}
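Review bot: the context comment directly above the changed condition still reads `# Allow any attribute beginning with "data-"`, which is no longer accurate once `[^:]*$` is appended: a name such as `data-foo:bar` now fails the match and is skipped by the `continue` unless it is in `$whitelist`. Please update that comment to say that names containing a colon are excluded and why, since the commit message gives only the one-line subject. The diffstat lists only includes/Sanitizer.php, so a test case covering a `data-` name with a colon (and confirming that the `data-ooui` exclusion still holds) would be worth adding with this change.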
--
To view, visit https://gerrit.wikimedia.org/r/260690
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ia76c74941b09e3ad131fe2fee31ffec3e540170b
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: master
Gerrit-Owner: Cscott <[email protected]>