jenkins-bot has submitted this change and it was merged.

Change subject: Don't allow attributes whose namespace starts with `data-`.
......................................................................


Don't allow attributes whose namespace starts with `data-`.

Change-Id: Ia76c74941b09e3ad131fe2fee31ffec3e540170b
---
M includes/Sanitizer.php
M tests/parser/parserTests.txt
2 files changed, 4 insertions(+), 2 deletions(-)

Approvals:
  Arlolra: Looks good to me, approved
  CSteipp: Looks good to me, but someone else must approve
  jenkins-bot: Verified



diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index 4fc775f..5242856 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -756,7 +756,9 @@
                        # * data-mw-<name here> is reserved for extensions (or 
core) if
                        #   they need to communicate some data to the client 
and want to be
                        #   sure that it isn't coming from an untrusted user.
-                       if ( !preg_match( '/^data-(?!ooui|mw|parsoid)/i', 
$attribute )
+                       # * Ensure that the attribute is not namespaced by 
banning
+                       #   colons.
+                       if ( !preg_match( '/^data-(?!ooui|mw|parsoid)[^:]*$/i', 
$attribute )
                                && !isset( $whitelist[$attribute] )
                        ) {
                                continue;
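Review bot: the new end anchor in `/^data-(?!ooui|mw|parsoid)[^:]*$/i` is `$` without the `D` modifier, so in PCRE it still matches when the subject ends in a single trailing newline; if attribute names reaching this point can ever carry one, `[^:]*\z` (or adding `D`) makes the "no colon anywhere in the name" intent exact. The new comment "Ensure that the attribute is not namespaced by banning colons" could also say that the match is now against the whole name rather than a prefix, since that is the actual behavioural change of this hunk, and the existing `(?!ooui|mw|parsoid)` lookahead continues to reject any name merely beginning with those letters (e.g. `data-mwx`), which is pre-existing but worth a note beside the reserved-prefix comment.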
diff --git a/tests/parser/parserTests.txt b/tests/parser/parserTests.txt
index a0e0b3a..0ed8270 100644
--- a/tests/parser/parserTests.txt
+++ b/tests/parser/parserTests.txt
@@ -20544,7 +20544,7 @@
 !! test
 Strip reserved data attributes
 !! wikitext
-<div data-mw="foo" data-parsoid="bar" data-mw-someext="baz" data-ok="fred" 
data-ooui="xyzzy">d</div>
+<div data-mw="foo" data-parsoid="bar" data-mw-someext="baz" data-ok="fred" 
data-ooui="xyzzy" data-bad:ns="ns">d</div>
 !! html
 <div data-ok="fred">d</div>
 
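Review bot: the added `data-bad:ns="ns"` attribute is folded into the existing "Strip reserved data attributes" case whose expected `!! html` line is unchanged, so the test passes if the attribute is dropped for any reason and a regression in the colon check would be indistinguishable from the reserved-prefix check. Consider a separate `!! test` (e.g. "Strip namespaced data attributes") so the two conditions are reported independently.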

-- 
To view, visit https://gerrit.wikimedia.org/r/260690
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Ia76c74941b09e3ad131fe2fee31ffec3e540170b
Gerrit-PatchSet: 2
Gerrit-Project: mediawiki/core
Gerrit-Branch: master
Gerrit-Owner: Cscott <[email protected]>
Gerrit-Reviewer: Arlolra <[email protected]>
Gerrit-Reviewer: CSteipp <[email protected]>
Gerrit-Reviewer: Cscott <[email protected]>
Gerrit-Reviewer: Jackmcbarn <[email protected]>
Gerrit-Reviewer: Subramanya Sastry <[email protected]>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
