Arlolra has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/260703

Change subject: Match permitted attributes to php's getAttribsRegex
......................................................................

Match permitted attributes to php's getAttribsRegex

 * Also, don't allow attributes whose namespace starts with `data-`
   as in Ia76c74941b09e3ad131fe2fee31ffec3e540170b.

Change-Id: I0f67f4f809c0f2ac0dd9476013dfa7a0021d44d5
---
M lib/wt2html/tt/Sanitizer.js
1 file changed, 8 insertions(+), 4 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/services/parsoid 
refs/changes/03/260703/1

diff --git a/lib/wt2html/tt/Sanitizer.js b/lib/wt2html/tt/Sanitizer.js
index 792fed5..ee3a393 100644
--- a/lib/wt2html/tt/Sanitizer.js
+++ b/lib/wt2html/tt/Sanitizer.js
@@ -677,9 +677,6 @@
                return { token: token };
        }
 
-       // XXX: validate token type according to whitelist and convert non-ok 
ones
-       // back to text.
-
        var i, l, k, v, kv;
        var attribs = token.attribs;
        var noEndTagSet = this.constants.noEndTagSet;
@@ -988,6 +985,13 @@
                // may be aggressive. There is no need to escape typeof strings
                // that or about ids that don't resemble Parsoid types/about 
ids.
                if (!psdAttr) {
+                       // php's `getAttribsRegex` only permits attribute keys 
matching
+                       // these classes.
+                       if (!/^[:A-Z_a-z0-9][:A-Z_a-z-.0-9]*$/.test(k)) {
+                               newAttrs[k] = [null, origV, origK];
+                               continue;
+                       }
+
                        // If RDFa is enabled, don't block XML namespace 
declaration
                        if (allowRdfa && k.match(xmlnsRE)) {
                                if (!v.match(evilUriRE)) {
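Review bot: The new attribute-name check on the `if (!/^[:A-Z_a-z0-9][:A-Z_a-z-.0-9]*$/.test(k))` line inlines a regex literal inside the attribute loop, whereas the surrounding code keeps its patterns in named constants (`xmlnsRE`, `evilUriRE` on the lines just below); hoisting it, e.g. `var attrNameRE = /^[:A-Z_a-z0-9][:A-Z_a-z.0-9-]*$/;`, keeps the style consistent and gives the PHP-parity rule a name. The `-` sitting between the `a-z` range and `.` is parsed as a literal hyphen, but it reads like a range; moving it to the end of the class as above is equivalent and unambiguous. Both classes are ASCII-only, so if the PHP `getAttribsRegex` this mirrors uses Unicode letter/digit classes, the two sanitizers will diverge on non-ASCII attribute names — worth confirming against the current PHP source. The enclosing loop and function start and end outside the hunk.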
@@ -1000,7 +1004,7 @@
 
                        // If in HTML5 mode, don't block data-* attributes
                        // (But always block data-ooui attributes for security: 
T105413)
-                       if (!(html5Mode && k.match(/^data-(?!ooui)/i)) && 
!wlist.has(k)) {
+                       if (!(html5Mode && k.match(/^data-(?!ooui)[^:]*$/i)) && 
!wlist.has(k)) {
                                newAttrs[k] = [null, origV, origK];
                                continue;
                        }
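Review bot: The comment above the changed condition still describes only the html5Mode and data-ooui exception and does not mention that the new `[^:]*$` suffix also rejects namespaced keys such as `data-foo:bar`, which the permitted-name regex added in the previous hunk would otherwise let through (it accepts `:` anywhere). Adding `// Also block namespaced data-* keys (e.g. data-foo:bar), which the` / `// permitted-name regex above would otherwise accept.` records the reason the next reader will need. The enclosing function starts and ends outside the hunk.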

-- 
To view, visit https://gerrit.wikimedia.org/r/260703
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I0f67f4f809c0f2ac0dd9476013dfa7a0021d44d5
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/services/parsoid
Gerrit-Branch: master
Gerrit-Owner: Arlolra <[email protected]>
