X-Git-Url: http://git.cyclocoop.org/?a=blobdiff_plain;f=includes%2FSanitizer.php;h=d41e559511622264901dd07f98dea775c387b7e8;hb=de8f8c8248341c007ab6a9365a3c40614bcf04dc;hp=a856f1ee10b81af3909943b72391155de187e8fc;hpb=a8181b4a8e009b7f7ee2443179919ba21d217356;p=lhc%2Fweb%2Fwiklou.git
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index a856f1ee10..d41e559511 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -750,7 +750,17 @@ class Sanitizer {
 }
 # Allow any attribute beginning with "data-"
- if ( !preg_match( '/^data-(?!ooui)/i', $attribute ) && !isset( $whitelist[$attribute] ) ) {
+ # However:
+ # * data-ooui is reserved for ooui
+ # * data-mw and data-parsoid are reserved for parsoid
+ # * data-mw- is reserved for extensions (or core) if
+ # they need to communicate some data to the client and want to be
+ # sure that it isn't coming from an untrusted user.
+ # * Ensure that the attribute is not namespaced by banning
+ # colons.
+ if ( !preg_match( '/^data-(?!ooui|mw|parsoid)[^:]*$/i', $attribute )
+ && !isset( $whitelist[$attribute] )
+ ) {
 continue;
 }
@@ -940,7 +950,6 @@ class Sanitizer {
 return $value;
 }
-
 /**
 * Pick apart some CSS and check it for forbidden or unsafe structures.
 * Returns a sanitized string. This sanitized string will have
@@ -1631,7 +1640,7 @@ class Sanitizer {
 # 10.2
 'ul' => array_merge( $common, array( 'type' ) ),
- 'ol' => array_merge( $common, array( 'type', 'start' ) ),
+ 'ol' => array_merge( $common, array( 'type', 'start', 'reversed' ) ),
 'li' => array_merge( $common, array( 'type', 'value' ) ),
 # 10.3
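Review bot: The replacement pattern on the new `if` line ends with `$`, and in PCRE `$` also matches just before a trailing newline, so a name such as `data-foo\n` still satisfies `[^:]*$`; a sanitizer wants the tight end anchor, `'/^data-(?!ooui|mw|parsoid)[^:]*\z/i'` (or the `D` modifier). Whether the attribute tokenizer can ever hand this code a name with a trailing newline is decided outside this hunk, so treat this as defence in depth rather than a known bypass. The lookahead also rejects any name that merely begins with `data-mw`, `data-ooui` or `data-parsoid` (for example `data-mwfoo`), which is stricter than the bullet list above it describes; adding `# (any longer prefix match is rejected as well)` to that comment would keep it honest about what the regex enforces. The enclosing method starts and ends outside this hunk.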
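Review bot: The new `'reversed'` entry for `ol` sits under the `# 10.2` heading, whose neighbours (`# 10.3`) look like HTML 4 spec section numbers, while `reversed` exists only in HTML5, so a reader has no record of why it was judged safe to whitelist; a one-line comment such as `# HTML5 'reversed' is a boolean attribute: no URL, CSS or script semantics` next to the entry would capture that. Because it is a boolean attribute, whatever value a user supplies (presumably even `reversed="false"`) is passed through and enables it in the browser, which is harmless but worth stating so nobody later relies on the value. The whitelist array this entry belongs to starts and ends outside the hunk.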