From f3f510bfe6ee643eafd13b487dd21d3e02ef98e1 Mon Sep 17 00:00:00 2001
From: Daniel Kinzler
Date: Fri, 13 Nov 2009 21:57:13 +0000
Subject: [PATCH] only allow xmlns:* if RDFa is enabled
---
 includes/Sanitizer.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index 1277dce669..d273d3816d 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -614,13 +614,15 @@ class Sanitizer {
 * @todo Check for unique id attribute :P
 */
 static function validateAttributes( $attribs, $whitelist ) {
+ global $wgAllowRdfaAttributes;
+
 $whitelist = array_flip( $whitelist );
 $hrefExp = '/^(' . wfUrlProtocols() . ')[^\s]+$/';
 $out = array();
 foreach( $attribs as $attribute => $value ) {
- #allow XML namespace declaration. Useful especially with RDFa
- if ( preg_match( MW_XMLNS_ATTRIBUTE_PATTRN, $attribute ) ) {
+ #allow XML namespace declaration if RDFa is enabled
+ if ( $wgAllowRdfaAttributes && preg_match( MW_XMLNS_ATTRIBUTE_PATTRN, $attribute ) ) {
 if ( !preg_match( MW_EVIL_URI_PATTERN, $value ) ) {
 $out[$attribute] = $value;
 }
-- 
2.20.1
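Review bot: The comment on the xmlns branch in validateAttributes() does not say that this branch copies the attribute into `$out` without consulting `$whitelist`, and that the only check on its value is the deny-pattern `MW_EVIL_URI_PATTERN`. Since the new `$wgAllowRdfaAttributes` gate is the only thing limiting that bypass, I would spell it out, e.g. `# xmlns:* is accepted without a $whitelist lookup, so only honour it when RDFa is enabled; the URI is still rejected if it matches MW_EVIL_URI_PATTERN`. The docblock that ends just above the signature should also mention that the result now depends on the global `$wgAllowRdfaAttributes`. With the flag off, an `xmlns:*` attribute falls through to code outside this hunk, presumably the whitelist lookup, so a sanitizer test asserting that it is dropped in that configuration would pin the intended behaviour. The loop body continues past the end of the hunk, so whether the xmlns branch skips the later checks cannot be confirmed from here.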