From b62f0e91564f1e1cb88c8dc063845bc1459e79ab Mon Sep 17 00:00:00 2001 From: Brian Wolff Date: Thu, 12 Nov 2015 23:24:52 -0500 Subject: [PATCH] Reserve data-mw and data-parsoid attribute prefix for trusted values Don't let users set attributes starting with data-mw or data-parsoid. The main idea is to allow MediaWiki to use data-mw- attributes for trusted input to client side scripts. There have been a couple security vulnerabilities in the past based on users being able to manipulate a data attribute, which client side was assuming was trusted. Also include data-mw and data-parsoid as both are used by Parsoid currently. See https://lists.wikimedia.org/pipermail/wikitech-l/2015-November/083811.html A corresponding change will also have to be made in Parsoid. Change-Id: I06585380bde3bc57b17ad76740c5acc2056d7c44 --- includes/Sanitizer.php | 10 +++++++++- tests/parser/parserTests.txt | 9 +++++++++ 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php index a856f1ee10..5443e6827b 100644 --- a/includes/Sanitizer.php +++ b/includes/Sanitizer.php @@ -750,7 +750,15 @@ class Sanitizer { } # Allow any attribute beginning with "data-" - if ( !preg_match( '/^data-(?!ooui)/i', $attribute ) && !isset( $whitelist[$attribute] ) ) { + # However: + # * data-ooui is reserved for ooui + # * data-mw and data-parsoid are reserved for parsoid + # * data-mw- is reserved for extensions (or core) if + # they need to communicate some data to the client and want to be + # sure that it isn't coming from an untrusted user. + if ( !preg_match( '/^data-(?!ooui|mw|parsoid)/i', $attribute ) + && !isset( $whitelist[$attribute] ) + ) { continue; } diff --git a/tests/parser/parserTests.txt b/tests/parser/parserTests.txt index 58860e98fe..c456fcb9de 100644 --- a/tests/parser/parserTests.txt +++ b/tests/parser/parserTests.txt @@ -26339,3 +26339,12 @@ Empty LI (T49673)
  • b
    • !! end + +!! test +reserved data attributes stripped +!! wikitext +
    d
    +!! html +
    d
    + +!! end -- 2.20.1