Don't let users set attributes starting with data-mw or data-parsoid.
The main idea is to allow MediaWiki to use data-mw-<something>
attributes for trusted input to client side scripts. There have
been a couple security vulnerabilities in the past based on users
being able to manipulate a data attribute, which client side was
assuming was trusted.
Also include data-mw and data-parsoid as both are used by Parsoid
currently.
See https://lists.wikimedia.org/pipermail/wikitech-l/2015-November/083811.html
A corresponding change will also have to be made in Parsoid.
Change-Id: I06585380bde3bc57b17ad76740c5acc2056d7c44
}
# Allow any attribute beginning with "data-"
- if ( !preg_match( '/^data-(?!ooui)/i', $attribute ) && !isset( $whitelist[$attribute] ) ) {
+ # However:
+ # * data-ooui is reserved for ooui
+ # * data-mw and data-parsoid are reserved for parsoid
+ # * data-mw-<ext name here> is reserved for extensions (or core) if
+ # they need to communicate some data to the client and want to be
+ # sure that it isn't coming from an untrusted user.
+ if ( !preg_match( '/^data-(?!ooui|mw|parsoid)/i', $attribute )
+ && !isset( $whitelist[$attribute] )
+ ) {
continue;
}
<li>b</li>
</ul>
!! end
+
+!! test
+reserved data attributes stripped
+!! wikitext
+<div data-mw="foo" data-parsoid="bar" data-mw-someext="baz" data-ok="fred" data-ooui="xyzzy">d</div>
+!! html
+<div data-ok="fred">d</div>
+
+!! end