Change-Id: Ia76c74941b09e3ad131fe2fee31ffec3e540170b
# * data-mw-<name here> is reserved for extensions (or core) if
# they need to communicate some data to the client and want to be
# sure that it isn't coming from an untrusted user.
- if ( !preg_match( '/^data-(?!ooui|mw|parsoid)/i', $attribute )
+ # * Ensure that the attribute is not namespaced by banning
+ # colons.
+ if ( !preg_match( '/^data-(?!ooui|mw|parsoid)[^:]*$/i', $attribute )
&& !isset( $whitelist[$attribute] )
) {
continue;
!! test
Strip reserved data attributes
!! wikitext
-<div data-mw="foo" data-parsoid="bar" data-mw-someext="baz" data-ok="fred" data-ooui="xyzzy">d</div>
+<div data-mw="foo" data-parsoid="bar" data-mw-someext="baz" data-ok="fred" data-ooui="xyzzy" data-bad:ns="ns">d</div>
!! html
<div data-ok="fred">d</div>