Merge "Workaround image magick issue with greyscale xcf files"
[lhc/web/wiklou.git] / includes / upload / UploadBase.php
index b32780f..d1de993 100644 (file)
@@ -118,7 +118,7 @@ abstract class UploadBase {
         * Can be overridden by subclasses.
         *
         * @param User $user
-        * @return bool
+        * @return bool|string
         */
        public static function isAllowed( $user ) {
                foreach ( array( 'upload', 'edit' ) as $permission ) {
@@ -1298,6 +1298,8 @@ abstract class UploadBase {
        public function checkSvgScriptCallback( $element, $attribs ) {
                list( $namespace, $strippedElement ) = $this->splitXmlNamespace( $element );
 
+               // We specifically don't include:
+               // http://www.w3.org/1999/xhtml (bug 60771)
                static $validNamespaces = array(
                        '',
                        'adobe:ns:meta/',
@@ -1328,11 +1330,14 @@ abstract class UploadBase {
                        'http://purl.org/dc/elements/1.1',
                        'http://schemas.microsoft.com/visio/2003/svgextensions/',
                        'http://sodipodi.sourceforge.net/dtd/sodipodi-0.dtd',
+                       'http://taptrix.com/inkpad/svg_extensions',
                        'http://web.resource.org/cc/',
                        'http://www.freesoftware.fsf.org/bkchem/cdml',
                        'http://www.inkscape.org/namespaces/inkscape',
+                       'http://www.opengis.net/gml',
                        'http://www.w3.org/1999/02/22-rdf-syntax-ns#',
                        'http://www.w3.org/2000/svg',
+                       'http://www.w3.org/tr/rec-rdf-syntax/',
                );
 
                if ( !in_array( $namespace, $validNamespaces ) ) {
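Review bot: The entry added at the end of the list, `'http://www.w3.org/tr/rec-rdf-syntax/'`, is spelled entirely in lowercase while the namespace URI as it appears in files uses mixed case, so the match only works if the `$namespace` coming out of `splitXmlNamespace()` has already been lowercased — that helper is not in the hunk, so this is an assumption to confirm. Since every other entry in `$validNamespaces` is lowercase too, the whitelist evidently relies on that normalization, and a future maintainer adding a mixed-case entry would get a silent non-match. A one-line comment above the array would make the contract explicit: `// Entries must be lowercase: $namespace is compared after splitXmlNamespace() lowercases it.` The comparison itself is unchanged by this commit; checkSvgScriptCallback() continues outside the hunk.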
@@ -1385,12 +1390,19 @@ abstract class UploadBase {
                                return true;
                        }
 
-                       # href with javascript target
-                       if ( $stripped == 'href' && strpos( strtolower( $value ), 'javascript:' ) !== false ) {
-                               wfDebug( __METHOD__
-                                       . ": Found script in href attribute '$attrib'='$value' in uploaded file.\n" );
+                       # href with non-local target (don't allow http://, javascript:, etc)
+                       if ( $stripped == 'href'
+                               && strpos( $value, 'data:' ) !== 0
+                               && strpos( $value, '#' ) !== 0
+                       ) {
+                               if ( !( $strippedElement === 'a'
+                                       && preg_match( '!^https?://!im', $value ) )
+                               ) {
+                                       wfDebug( __METHOD__ . ": Found href attribute <$strippedElement "
+                                               . "'$attrib'='$value' in uploaded file.\n" );
 
-                               return true;
+                                       return true;
+                               }
                        }
 
                        # href with embedded svg as target
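Review bot: The `m` modifier in `preg_match( '!^https?://!im', $value )` makes `^` match at the start of every line, not only at the start of the attribute value, so a multi-line href on an `<a>` element is accepted as soon as any one of its lines begins with `http://` or `https://`, even though the value as a whole does not. The intent of the new branch is clearly "the whole value is an http(s) URL", which only needs the case-insensitive flag: `&& preg_match( '!^https?://!i', $value ) )`. Separately, the `data:` and `#` prefix checks on the two lines above are byte-wise via `strpos( ..., 0 )`, which is fine because anything not matching them falls through to rejection, but a short comment saying so would save the next reader from asking why the old `strtolower()` was dropped. checkSvgScriptCallback() starts and ends outside this hunk.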