From: Arlo Breault
Date: Fri, 4 Aug 2017 17:48:36 +0000 (-0400)
Subject: sanitizer: Match Parsoid's attribute sanitation
X-Git-Tag: 1.31.0-rc.0~2429
X-Git-Url: http://git.cyclocoop.org/%7B%24admin_url%7Dmembres/cotisations/gestion/rappel_supprimer.php?a=commitdiff_plain;h=f776bd448890a72c0b5f9185edf996e7b9022411;p=lhc%2Fweb%2Fwiklou.git
sanitizer: Match Parsoid's attribute sanitation
Change-Id: I23323dced95c80eb24aa65df68dcbe5ecbad1c75
---
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index 1562288537..b6b7922615 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -1914,7 +1914,7 @@ class Sanitizer {
 # Not usually allowed, but may be used for extension-style hooks
 # such as when it is rasterized, or if $wgAllowImageTag is
 # true
- 'img' => array_merge( $common, [ 'alt', 'src', 'width', 'height' ] ),
+ 'img' => array_merge( $common, [ 'alt', 'src', 'width', 'height', 'srcset' ] ),
 'video' => array_merge( $common, [ 'poster', 'controls', 'preload', 'width', 'height' ] ),
 'source' => array_merge( $common, [ 'type', 'src' ] ),
@@ -1951,6 +1951,10 @@ class Sanitizer {
 # https://www.w3.org/TR/REC-MathML/
 'math' => [ 'class', 'style', 'id', 'title' ],
+ // HTML 5 section 4.5
+ 'figure' => $common,
+ 'figcaption' => $common,
+
 # HTML 5 section 4.6
 'bdi' => $common,
@@ -1966,7 +1970,7 @@ class Sanitizer {
 // (ie: validateTag rejects tags missing the attributes needed for Microdata)
 // So we don't bother including $common attributes that have no purpose.
 'meta' => [ 'itemprop', 'content' ],
- 'link' => [ 'itemprop', 'href' ],
+ 'link' => [ 'itemprop', 'href', 'title' ],
 ];
 return $whitelist;
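Review bot: `srcset` on the `img` entry (hunk at line 1914) carries a comma-separated list of image URLs, so it needs the same URL/protocol validation that `src` gets, applied to every candidate in the list rather than to the attribute value as a whole. This hunk only shows the attribute whitelist; whether the attribute-value checks elsewhere in Sanitizer cover `srcset` is not visible here and should be confirmed before merging. If they do not, an allowed `<img>` could reference resources through `srcset` that would be refused in `src`. A comment on the entry such as `# srcset: each URL candidate must pass the same protocol check as src`, together with a sanitizer test using a mixed candidate list, would pin the expectation. The whitelist array starts and ends outside the hunk.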
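Review bot: The comment directly above the `meta`/`link` entries (hunk at line 1970) says `$common` attributes with no purpose are deliberately left out, yet `title` is now accepted on `link` with no explanation of the purpose it serves. Judging by the commit subject this is presumably for parity with Parsoid; a one-line comment such as `// 'title' is accepted on link to match Parsoid's attribute list` would keep the rationale next to the exception. Since the two entries are otherwise treated alike, it is also worth confirming that leaving `meta` without `title` is intended.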