From aa9a52da42da43576d5a31ea42557fb40a885d2e Mon Sep 17 00:00:00 2001
From: Kunal Mehta
Date: Thu, 9 Jul 2015 15:56:17 -0700
Subject: [PATCH] SECURITY: Do not allow data-ooui attributes in wikitext

We now automatically infuse any element with a data-ooui attribute, so allowing them in wikitext allows rendering any arbitrary OOUI widget, some of which (ButtonWidget) are unsafe and can lead to XSS. By blacklisting data-ooui, widgets cannot be created in wikitext. T101666 will enable a safe-subset of them.

Bug: T105413
Change-Id: I3f63594a41e9cac3219791e181a2f93818178263
---
 includes/Sanitizer.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index 2340cd9449..ddaf1b2d99 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -753,7 +753,7 @@ class Sanitizer {
 }
 # Allow any attribute beginning with "data-"
-if ( !preg_match( '/^data-/i', $attribute ) && !isset( $whitelist[$attribute] ) ) {
+if ( !preg_match( '/^data-(?!ooui)/i', $attribute ) && !isset( $whitelist[$attribute] ) ) {
 continue;
 }
--
2.20.1
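Review bot: The context comment directly above the changed line still says `# Allow any attribute beginning with "data-"`, which no longer describes the condition now that `data-ooui` is carved out; the reason for the exception is only in the commit message, so the next maintainer reading Sanitizer.php will not see it. I would change it to `# Allow any attribute beginning with "data-", except data-ooui: elements with that attribute are infused into OOUI widgets, and not all widgets are safe to create from wikitext (T105413)`. The diffstat shows only includes/Sanitizer.php touched, so no regression test pins the new behaviour; a SanitizerTest case asserting that `data-ooui` is stripped (and, given the `/i` flag and the unanchored lookahead, `data-OOUI` and `data-ooui-anything` as well) while another `data-` attribute survives would keep this from being silently reverted when the T101666 safe-subset work lands. The enclosing method of the hunk starts and ends outside the hunk.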