From: Daniel Kinzler
Date: Fri, 13 Nov 2009 21:57:13 +0000 (+0000)
Subject: only allow xmlns:* if RDFa is enabled
X-Git-Tag: 1.31.0-rc.0~38819
X-Git-Url: http://git.cyclocoop.org/%22%20.%20generer_url_ecrire%28%22upgrade%22%2C%22reinstall=non%22%29%20.%20%22?a=commitdiff_plain;h=f3f510bfe6ee643eafd13b487dd21d3e02ef98e1;p=lhc%2Fweb%2Fwiklou.git
only allow xmlns:* if RDFa is enabled
---
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index 1277dce669..d273d3816d 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -614,13 +614,15 @@ class Sanitizer {
 * @todo Check for unique id attribute :P
 */
 static function validateAttributes( $attribs, $whitelist ) {
+ global $wgAllowRdfaAttributes;
+
 $whitelist = array_flip( $whitelist );
 $hrefExp = '/^(' . wfUrlProtocols() . ')[^\s]+$/';
 $out = array();
 foreach( $attribs as $attribute => $value ) {
- #allow XML namespace declaration. Useful especially with RDFa
- if ( preg_match( MW_XMLNS_ATTRIBUTE_PATTRN, $attribute ) ) {
+ #allow XML namespace declaration if RDFa is enabled
+ if ( $wgAllowRdfaAttributes && preg_match( MW_XMLNS_ATTRIBUTE_PATTRN, $attribute ) ) {
 if ( !preg_match( MW_EVIL_URI_PATTERN, $value ) ) {
 $out[$attribute] = $value;
 }
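Review bot: With `$wgAllowRdfaAttributes` off, an `xmlns:*` attribute now skips this branch and falls through to the code after the `if`, which is outside the hunk, so nothing in the visible lines rejects it explicitly. It is worth confirming that the whitelist check there drops such names, and adding a sanitizer test that runs the same `xmlns:*` input with the setting on and off. When the setting is on, the value is still filtered only by the `MW_EVIL_URI_PATTERN` denylist, even though the protocol allowlist `$hrefExp` is built a few lines above; if namespace values are expected to be ordinary URLs, matching against `$hrefExp` would be the stricter check (hedged, since the later use of `$hrefExp` is not shown). The docblock should also record the new dependency on the global, e.g. `xmlns:* attributes are only accepted when $wgAllowRdfaAttributes is true`. The body of validateAttributes continues past the end of the hunk.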