From 4e7483ffd31dd05c11b16bf37552c25ed648bd0a Mon Sep 17 00:00:00 2001
From: Arlo Breault
Date: Fri, 21 Apr 2017 09:24:58 -0400
Subject: [PATCH] Match Parsoid's attribute sanitization for video elements
* Maybe the extension content from TimedMediaHandler isn't being sanitized, but regardless, it's probably best to keep these two implementations in sync.
Bug: T163583
Depends-On: I53c6fa8d862c152bb1c8dd3ae96f4ee464a60d32
Change-Id: I6fc4895c319419261bd56791ebdf934596453399
---
 includes/Sanitizer.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index e9519c3c23..c4883ba289 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -835,7 +835,7 @@ class Sanitizer {
 # NOTE: even though elements using href/src are not allowed directly, supply
 # validation code that can be used by tag hook handlers, etc
- if ( $attribute === 'href' || $attribute === 'src' ) {
+ if ( $attribute === 'href' || $attribute === 'src' || $attribute === 'poster' ) {
 if ( !preg_match( $hrefExp, $value ) ) {
 continue; // drop any href or src attributes not using an allowed protocol.
 // NOTE: this also drops all relative URLs
@@ -1760,6 +1760,10 @@ class Sanitizer {
 # true
 'img' => array_merge( $common, [ 'alt', 'src', 'width', 'height' ] ),
 
+ 'video' => array_merge( $common, [ 'poster', 'controls', 'preload', 'width', 'height' ] ),
+ 'source' => array_merge( $common, [ 'type', 'src' ] ),
+ 'track' => array_merge( $common, [ 'type', 'src', 'srclang', 'kind', 'label' ] ),
+
 # 15.2.1
 'tt' => $common,
 'b' => $common,
-- 
2.20.1
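Review bot: The comment on the `continue` line two lines below the changed condition still reads "drop any href or src attributes", so it no longer describes what the branch drops now that `poster` is routed through the same `$hrefExp` protocol check; change it to `continue; // drop any href, src or poster attributes not using an allowed protocol.` The preceding `# NOTE: even though elements using href/src are not allowed directly` comment has the same gap and could read `href/src/poster`. Keeping the comment accurate matters here because this branch is the only place a URL-bearing attribute is rejected for a disallowed scheme, and a later reader checking that `poster` is covered will otherwise be misled by the prose. The enclosing method starts and ends outside this hunk.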
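Review bot: The new `video` entry whitelists `poster` but not `src`, while `source` and `track` do carry `src`; if omitting `src` on `video` is deliberate (the commit message says the list is meant to mirror Parsoid's), a short comment on that line such as `# src deliberately omitted on video; media URLs go through <source>/<track>` would stop the next maintainer from re-adding it without thinking about the URL check. The `src` attribute on the new `source` and `track` entries appears to go through the pre-existing `src` branch of the protocol check in the first hunk, so only `poster` needed adding there, which is consistent with the change. The surrounding table groups entries under `# 15.2.1`-style HTML section headings, and the three new elements are inserted under `img` without one; a matching heading comment above `'video'` would keep the table's layout consistent.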