jenkins-bot has submitted this change and it was merged.
Change subject: Match permitted attributes to php's getAttribsRegex
......................................................................
Match permitted attributes to php's getAttribsRegex
* Also, don't allow attributes whose namespace starts with `data-`
as in Ia76c74941b09e3ad131fe2fee31ffec3e540170b.
Change-Id: I0f67f4f809c0f2ac0dd9476013dfa7a0021d44d5
---
M lib/wt2html/tt/Sanitizer.js
M tests/parserTests.txt
2 files changed, 10 insertions(+), 4 deletions(-)
Approvals:
Subramanya Sastry: Looks good to me, approved
jenkins-bot: Verified
diff --git a/lib/wt2html/tt/Sanitizer.js b/lib/wt2html/tt/Sanitizer.js
index 792fed5..ee3a393 100644
--- a/lib/wt2html/tt/Sanitizer.js
+++ b/lib/wt2html/tt/Sanitizer.js
@@ -677,9 +677,6 @@
return { token: token };
}
- // XXX: validate token type according to whitelist and convert non-ok
ones
- // back to text.
-
var i, l, k, v, kv;
var attribs = token.attribs;
var noEndTagSet = this.constants.noEndTagSet;
@@ -988,6 +985,13 @@
// may be aggressive. There is no need to escape typeof strings
// that or about ids that don't resemble Parsoid types/about
ids.
if (!psdAttr) {
+ // php's `getAttribsRegex` only permits attribute keys
matching
+ // these classes.
+ if (!/^[:A-Z_a-z0-9][:A-Z_a-z-.0-9]*$/.test(k)) {
+ newAttrs[k] = [null, origV, origK];
+ continue;
+ }
+
// If RDFa is enabled, don't block XML namespace
declaration
if (allowRdfa && k.match(xmlnsRE)) {
if (!v.match(evilUriRE)) {
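Review bot: The added `newAttrs[k] = [null, origV, origK];` uses the attribute name `k`, which comes from the wikitext being sanitized, as a property key on `newAttrs`, and the new key regex `/^[:A-Z_a-z0-9][:A-Z_a-z-.0-9]*$/` accepts names such as `__proto__` and `constructor`; if `newAttrs` is a plain object literal (its construction is outside this hunk), assigning an array to `__proto__` changes the object's prototype instead of recording the attribute. The same store already exists further down in this function, so the pattern is inherited rather than introduced here, but it is worth confirming that `newAttrs` is created with `Object.create(null)` or that such keys are rejected before this point, e.g. a comment above the regex check: `// k is attacker-controlled; newAttrs must not be a prototype-bearing object`. A smaller parity point: JS `$` without the `m` flag matches only at the very end of the string, whereas PCRE's `$` by default also matches before a trailing newline, so a key ending in `\n` is rejected here but would presumably pass php's `getAttribsRegex` — the stricter JS side seems preferable, but it is not an exact match as the comment claims. The enclosing loop and function start before this hunk.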
@@ -1000,7 +1004,7 @@
// If in HTML5 mode, don't block data-* attributes
// (But always block data-ooui attributes for security:
T105413)
- if (!(html5Mode && k.match(/^data-(?!ooui)/i)) &&
!wlist.has(k)) {
+ if (!(html5Mode && k.match(/^data-(?!ooui)[^:]*$/i)) &&
!wlist.has(k)) {
newAttrs[k] = [null, origV, origK];
continue;
}
diff --git a/tests/parserTests.txt b/tests/parserTests.txt
index bac4de5..64f9880 100644
--- a/tests/parserTests.txt
+++ b/tests/parserTests.txt
@@ -20688,6 +20688,8 @@
!! html/php
<div data-ok="fred">d</div>
+!! html/parsoid
+<div data-x-data-mw="foo" data-x-data-parsoid="bar"
data-x-data-mw-someext="baz" data-ok="fred"
data-parsoid='{"stx":"html","a":{"data-ooui":null,"data-bad:ns":null},"sa":{"data-ooui":"xyzzy","data-bad:ns":"ns"}}'>d</div>
!! end
!! test
--
To view, visit https://gerrit.wikimedia.org/r/260703
Gerrit-MessageType: merged
Gerrit-Change-Id: I0f67f4f809c0f2ac0dd9476013dfa7a0021d44d5
Gerrit-PatchSet: 3
Gerrit-Project: mediawiki/services/parsoid
Gerrit-Branch: master
Gerrit-Owner: Arlolra <[email protected]>
Gerrit-Reviewer: Arlolra <[email protected]>
Gerrit-Reviewer: Cscott <[email protected]>
Gerrit-Reviewer: Subramanya Sastry <[email protected]>
Gerrit-Reviewer: jenkins-bot <>