PleaseStand has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/89384


Change subject: Put the HTML attribute whitelist closer to HTML5
......................................................................

Put the HTML attribute whitelist closer to HTML5

* Add the global attributes to <bdo> and <q> and add "cite" to <q>. This
  is to make these elements actually usable: <bdo> needs a "dir" attribute
  to be useful for anything, and the whole point of <q> compared to
  hard-coded quotation marks is its support for the "lang" and "cite"
  attributes.
* Drop the "align" attribute from <span> because it was never standards-
  compliant and does not work in browsers either, unless one constructs
  such unlikely things as <span align="center" style="display:block;">.
* Drop the obsolete "char" and "charoff" attributes from <tr>, <td>, <th>.
  These have not been implemented in browsers anyway.
* Drop the obsolete presentational attributes "align", "valign" and "width"
  from <colgroup>, <col>, <thead>, <tfoot> and <tbody>. These elements are
  currently not accepted in wikitext anyway, but removing these attributes
  from the whitelist ensures that they are not accidentally enabled in the
  future.
* Drop the obsolete presentational attributes "noshade" and "size" from <hr>.
  They have been overridden by skin-specific CSS for a long time anyway.
* Allow all global attributes on <br> and <wbr>. Not allowing "dir" and "lang"
  on <br> was a restriction in HTML 4.01, presumably copied to <wbr>, that
  has been lifted in HTML5. Allowing these may not be particularly useful,
  but simplifies the code.

Bug: 55582
Change-Id: I1c3289ef51a449a7837af28d9906701534175896
---
M includes/Sanitizer.php
1 file changed, 13 insertions(+), 13 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/84/89384/1

diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index 499d821..4dbc9dd 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -1484,7 +1484,7 @@
                }
 
                $block = array_merge( $common, array( 'align' ) );
-               $tablealign = array( 'align', 'char', 'charoff', 'valign' );
+               $tablealign = array( 'align', 'valign' );
                $tablecell = array(
                        'abbr',
                        'axis',
@@ -1504,7 +1504,7 @@
                        # 7.5.4
                        'div'        => $block,
                        'center'     => $common, # deprecated
-                       'span'       => $block, # ??
+                       'span'       => $common,
 
                        # 7.5.5
                        'h1'         => $block,
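Review bot: the `-`/`+` pair changing `'span'` from `$block` to `$common` drops `align` from an attribute that existing wikitext may already carry, so `<span align="...">` on existing pages will have the attribute silently stripped on the next parse; that is a user-visible change and deserves a release-notes entry together with the other removals (`char`/`charoff`, `noshade`/`size`), which this change set does not include (the file list shows only includes/Sanitizer.php). Replacing the `# ??` comment with a reasoned line in the commit message is a clear improvement.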
@@ -1518,7 +1518,7 @@
                        # address
 
                        # 8.2.4
-                       # bdo
+                       'bdo'        => $common,
 
                        # 9.2.1
                        'em'         => $common,
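Review bot: the new `'bdo' => $common` line only delivers what the commit message promises if `$common` actually contains `dir` (and `lang`), and the definition of `$common` is not visible in this hunk; a parser test asserting that `<bdo dir="rtl">` survives sanitization with its `dir` attribute intact would pin that dependency down and catch any later trimming of `$common`.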
@@ -1534,7 +1534,7 @@
 
                        # 9.2.2
                        'blockquote' => array_merge( $common, array( 'cite' ) ),
-                       # q
+                       'q'          => array_merge( $common, array( 'cite' ) ),
 
                        # 9.2.3
                        'sub'        => $common,
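Review bot: `cite` on the added `'q'` entry takes a URL, exactly as on the `blockquote` entry two lines above it, so whatever URL validation the attribute sanitizer applies to `blockquote`'s `cite` must also reach `q`; if that validation is keyed on the attribute name it comes for free, if it is keyed on the element it does not. Worth a test that the same `cite` value on `<q>` and on `<blockquote>` receives identical treatment.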
@@ -1544,10 +1544,10 @@
                        'p'          => $block,
 
                        # 9.3.2
-                       'br'         => array( 'id', 'class', 'title', 'style', 
'clear' ),
+                       'br'         => array_merge( $common, array( 'clear' ) 
),
 
                        # 
http://www.whatwg.org/html/text-level-semantics.html#the-wbr-element
-                       'wbr'        => array( 'id', 'class', 'title', 'style' 
),
+                       'wbr'        => $common,
 
                        # 9.3.4
                        'pre'        => array_merge( $common, array( 'width' ) 
),
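Review bot: `'br'` keeps the obsolete presentational `clear` attribute via `array_merge( $common, array( 'clear' ) )` while the same change removes `noshade`, `size`, `char` and `charoff` on the grounds that they are obsolete; either drop `clear` as well or say in the commit message why it is retained, otherwise the stated goal of moving closer to HTML5 is applied unevenly. The `'wbr' => $common` line is fine as written.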
@@ -1574,16 +1574,16 @@
                                                                ) ),
 
                        # 11.2.2
-                       'caption'    => array_merge( $common, array( 'align' ) 
),
+                       'caption'    => $block,
 
                        # 11.2.3
-                       'thead'      => array_merge( $common, $tablealign ),
-                       'tfoot'      => array_merge( $common, $tablealign ),
-                       'tbody'      => array_merge( $common, $tablealign ),
+                       'thead'      => $common,
+                       'tfoot'      => $common,
+                       'tbody'      => $common,
 
                        # 11.2.4
-                       'colgroup'   => array_merge( $common, array( 'span', 
'width' ), $tablealign ),
-                       'col'        => array_merge( $common, array( 'span', 
'width' ), $tablealign ),
+                       'colgroup'   => array_merge( $common, array( 'span' ) ),
+                       'col'        => array_merge( $common, array( 'span' ) ),
 
                        # 11.2.5
                        'tr'         => array_merge( $common, array( 'bgcolor' 
), $tablealign ),
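Review bot: `'caption' => $block` is behaviour-neutral, since `$block` is `array_merge( $common, array( 'align' ) )` in the first hunk, but it regroups `caption` with the `7.5.4` block elements; a one-line comment stating that `align` is intentionally kept on `caption` (while being dropped from `thead`/`tfoot`/`tbody`, `colgroup` and `col` in this same hunk) would save the next reader from re-deriving that. The trailing context shows `tr` still merging `$tablealign`, so `align`/`valign` remain accepted on rows, consistent with the commit message.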
@@ -1618,7 +1618,7 @@
                        # basefont
 
                        # 15.3
-                       'hr'         => array_merge( $common, array( 'noshade', 
'size', 'width' ) ),
+                       'hr'         => array_merge( $common, array( 'width' ) 
),
 
                        # HTML Ruby annotation text module, simple ruby only.
                        # 
http://www.whatwg.org/html/text-level-semantics.html#the-ruby-element
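Review bot: the `hr` entry drops `noshade` and `size` but keeps `width`, which HTML5 also lists as an obsolete presentational attribute on `<hr>`; either remove `width` too or add a sentence to the commit message explaining why it stays (the same question applies to `width` on `pre`, visible in the context of the `9.3.2` hunk).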

-- 
To view, visit https://gerrit.wikimedia.org/r/89384
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I1c3289ef51a449a7837af28d9906701534175896
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: master
Gerrit-Owner: PleaseStand <[email protected]>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits