From c631aa894b60dd0da702717460e6387967727d13 Mon Sep 17 00:00:00 2001
From: Brian Wolff
Date: Mon, 27 Jun 2016 05:47:21 -0400
Subject: [PATCH] Fix misleading comment about svg filtering.

Follow-up 551d79a3e6754. See also Bug T122653.

Change-Id: I0662dc6618596bb3a3bad345de45b054b6f7f968
---
 includes/upload/UploadBase.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/includes/upload/UploadBase.php b/includes/upload/UploadBase.php
index ba5171f523..5ec49ba6a8 100644
--- a/includes/upload/UploadBase.php
+++ b/includes/upload/UploadBase.php
@@ -1416,7 +1416,10 @@ abstract class UploadBase {
 return [ 'uploaded-event-handler-on-svg', $attrib, $value ];
 }
 
- # href with non-local target (don't allow http://, javascript:, etc)
+ # Do not allow relative links, or unsafe url schemas.
+ # For tags, only data:, http: and https: and same-document
+ # fragment links are allowed. For all other tags, only data:
+ # and fragment are allowed.
 if ( $stripped == 'href'
 && strpos( $value, 'data:' ) !== 0
 && strpos( $value, '#' ) !== 0
-- 
2.20.1
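Review bot: The first added comment line says "unsafe url schemas", but prefixes such as `data:` and `http:` are URL schemes; because this comment documents the href allowlist applied to uploaded SVGs, the wording should be exact: `# Do not allow relative links, or unsafe URL schemes.` The second added line reads "For tags, only data:, http: and https: …" without naming the element that gets the wider allowlist (the name may have been lost when the page was rendered), so it should state which element that is. The `if` condition continues past the end of the hunk, so the http:/https: exception the comment describes is not visible here and should be checked against the rest of the condition.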