From 3062f70742827293ae029cfbe30acda73e0d510a Mon Sep 17 00:00:00 2001 From: entlinkt Date: Fri, 11 Oct 2013 22:04:49 +0200 Subject: [PATCH] Put the HTML attribute whitelist closer to HTML5 * Add the global attributes to and and add "cite" to . This is to make these elements actually usable: needs a "dir" attribute to be useful for anything, and the whole point of compared to hard-coded quotation marks is its support for the "lang" and "cite" attributes. * Drop the "align" attribute from because it was never standards- compliant and does not work in browsers either, unless one constructs such unlikely things as . * Drop the obsolete "char" and "charoff" attributes from , , . These have not been implemented in browsers anyway. * Drop the obsolete presentational attributes "align", "valign" and "width" from , , , and . These elements are currently not accepted in wikitext anyway, but removing these attributes from the whitelist ensures that they are not accidentally enabled in the future. * Drop the obsolete presentational attributes "noshade" and "size" from
. They have been overridden by skin-specific CSS for a long time anyway. * Allow all global attributes on
and . Not allowing "dir" and "lang" on
was a restriction in HTML 4.01, presumably copied to , that has been lifted in HTML5. Allowing these may not be particularly useful, but simplifies the code.

Bug: 55582
Change-Id: I1c3289ef51a449a7837af28d9906701534175896
---
 includes/Sanitizer.php | 26 ++++++++++++------------
 tests/phpunit/includes/SanitizerTest.php | 2 +-
 2 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index 499d82186c..4dbc9dd9db 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -1484,7 +1484,7 @@ class Sanitizer {
 }
 $block = array_merge( $common, array( 'align' ) );
- $tablealign = array( 'align', 'char', 'charoff', 'valign' );
+ $tablealign = array( 'align', 'valign' );
 $tablecell = array(
 'abbr',
 'axis',
@@ -1504,7 +1504,7 @@ class Sanitizer {
 # 7.5.4
 'div' => $block,
 'center' => $common, # deprecated
- 'span' => $block, # ??
+ 'span' => $common,
 # 7.5.5
 'h1' => $block,
@@ -1518,7 +1518,7 @@ class Sanitizer {
 # address
 # 8.2.4
- # bdo
+ 'bdo' => $common,
 # 9.2.1
 'em' => $common,
@@ -1534,7 +1534,7 @@ class Sanitizer {
 # 9.2.2
 'blockquote' => array_merge( $common, array( 'cite' ) ),
- # q
+ 'q' => array_merge( $common, array( 'cite' ) ),
 # 9.2.3
 'sub' => $common,
@@ -1544,10 +1544,10 @@ class Sanitizer {
 'p' => $block,
 # 9.3.2
- 'br' => array( 'id', 'class', 'title', 'style', 'clear' ),
+ 'br' => array_merge( $common, array( 'clear' ) ),
 # http://www.whatwg.org/html/text-level-semantics.html#the-wbr-element
- 'wbr' => array( 'id', 'class', 'title', 'style' ),
+ 'wbr' => $common,
 # 9.3.4
 'pre' => array_merge( $common, array( 'width' ) ),
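Review bot: The narrowed `$tablealign` assignment carries no comment recording that `char` and `charoff` were dropped on purpose, so a maintainer cross-checking the whitelist against the HTML 4.01 section numbers the surrounding comments cite may simply re-add them; the rationale currently lives only in the commit message. A one-liner above the assignment, `# 'char' and 'charoff' deliberately omitted: obsolete in HTML5 and never implemented by browsers.`, would keep that decision in the code. Note that `$tablealign` is still merged into `tr` further down the file, so `align`/`valign` remain reachable through that element. The enclosing method begins outside the hunk.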
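Review bot: `cite` on `q` is a URL-valued attribute, and nothing in this hunk shows whether the attribute-validation path applies any URL or protocol check to `cite` values before they are emitted; `blockquote` already had the same attribute, so this is not new exposure, but widening its use is a good moment to confirm where (if anywhere) `cite` is validated. Browsers do not navigate on `cite`, so a `javascript:` value there is inert in practice, which is presumably why it was acceptable for `blockquote`. Introducing a shared `$cite = array_merge( $common, array( 'cite' ) );` next to `$block` and using it for both `blockquote` and `q` would keep the two entries in sync and give that caveat a single place to live. The whitelist array starts and ends outside the hunk.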
@@ -1574,16 +1574,16 @@ class Sanitizer {
 ) ),
 # 11.2.2
- 'caption' => array_merge( $common, array( 'align' ) ),
+ 'caption' => $block,
 # 11.2.3
- 'thead' => array_merge( $common, $tablealign ),
- 'tfoot' => array_merge( $common, $tablealign ),
- 'tbody' => array_merge( $common, $tablealign ),
+ 'thead' => $common,
+ 'tfoot' => $common,
+ 'tbody' => $common,
 # 11.2.4
- 'colgroup' => array_merge( $common, array( 'span', 'width' ), $tablealign ),
- 'col' => array_merge( $common, array( 'span', 'width' ), $tablealign ),
+ 'colgroup' => array_merge( $common, array( 'span' ) ),
+ 'col' => array_merge( $common, array( 'span' ) ),
 # 11.2.5
 'tr' => array_merge( $common, array( 'bgcolor' ), $tablealign ),
@@ -1618,7 +1618,7 @@ class Sanitizer {
 # basefont
 # 15.3
- 'hr' => array_merge( $common, array( 'noshade', 'size', 'width' ) ),
+ 'hr' => array_merge( $common, array( 'width' ) ),
 # HTML Ruby annotation text module, simple ruby only.
 # http://www.whatwg.org/html/text-level-semantics.html#the-ruby-element
diff --git a/tests/phpunit/includes/SanitizerTest.php b/tests/phpunit/includes/SanitizerTest.php
index 38c15eef07..c8c624e218 100644
--- a/tests/phpunit/includes/SanitizerTest.php
+++ b/tests/phpunit/includes/SanitizerTest.php
@@ -209,7 +209,7 @@ class SanitizerTest extends MediaWikiTestCase {
 array( 'align="left"', 'tr' ),
 array( 'align="center"', 'div' ),
 array( 'align="left"', 'h1' ),
- array( 'align="left"', 'span' ),
+ array( 'align="left"', 'p' ),
 );
 }
-- 
2.20.1
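Review bot: `caption` is switched to `$block`, which the earlier hunk defines as `$common` plus `align`, so `align` survives on `caption` while this same hunk strips it from `thead`, `tfoot`, `tbody`, `colgroup` and `col`; in HTML5 `align` on `caption` is obsolete just like the others. If it is kept deliberately because wikitext `|+` captions rely on it, a comment such as `# 'align' kept on caption for wikitext table compatibility` would stop it being "cleaned up" in a later pass, and the same applies to the `bgcolor` and `$tablealign` still merged into `tr` on the context line. The whitelist array continues outside the hunk.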
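Review bot: Moving the `align="left"` case from `span` to `p` only keeps the positive list passing; nothing in the provider now asserts that `align` on `span` is stripped, nor that the newly whitelisted `bdo` and `q` (with `cite`) are accepted, so a regression in either direction would go unnoticed. Adding `array( 'cite="http://example.org/"', 'q' )` and `array( 'dir="rtl"', 'bdo' )` here, plus a companion case asserting that `align` on `span` is removed, would pin the behaviour this commit intends. The data provider's start is outside the hunk.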