From 86e9469e5dfc8fccc4fbdfb0861609e5b6659f5d Mon Sep 17 00:00:00 2001 From: =?utf8?q?Bartosz=20Dziewo=C5=84ski?= Date: Thu, 24 Nov 2016 16:18:24 +0100 Subject: [PATCH] Html: Unblacklist HTML5 form validation attributes We blacklisted them in 2010. Modern browsers support them fairly well, and it doesn't seem to conflict with any of our code. I tested this with SecurePoll poll creation form, which contains an astonishingly wide range of form controls and validation options. Change-Id: I08244addcf9b6eb96137895f28e7b750914fef5c --- RELEASE-NOTES-1.29 | 5 +++++ includes/Html.php | 16 ---------------- tests/phpunit/includes/HtmlTest.php | 29 ----------------------------- 3 files changed, 5 insertions(+), 45 deletions(-) diff --git a/RELEASE-NOTES-1.29 b/RELEASE-NOTES-1.29 index 116ef31aad..4174876c99 100644 --- a/RELEASE-NOTES-1.29 +++ b/RELEASE-NOTES-1.29 @@ -46,6 +46,10 @@ production. of the page being parsed. * Added JavaScript that provides as-you-type suggestions for reason on the block, delete and protect forms. +* HTML5 form validation attributes will no longer be suppressed. Originally + browsers had poor support for them, but modern browsers handle them fine. + This might affect some forms that used them and only worked because the + attributes were not actually being set. === External library changes in 1.29 === @@ -171,6 +175,7 @@ changes to languages because of Phabricator reports. * Linker::getInternalLinkAttributesObj() (deprecated since 1.25) was removed. * Linker::getLinkAttributesInternal() (deprecated since 1.25) was removed. * RedisConnectionPool::handleException (deprecated since 1.23) was removed. + == Compatibility == MediaWiki 1.29 requires PHP 5.5.9 or later. There is experimental support for diff --git a/includes/Html.php b/includes/Html.php index 0b6b6556ac..b46ea81c5e 100644 --- a/includes/Html.php +++ b/includes/Html.php 
@@ -485,22 +485,6 @@ class Html {
 // and better compression anyway.
 $key = strtolower( $key );
 
- // Bug 23769: Blacklist all form validation attributes for now. Current
- // (June 2010) WebKit has no UI, so the form just refuses to submit
- // without telling the user why, which is much worse than failing
- // server-side validation. Opera is the only other implementation at
- // this time, and has ugly UI, so just kill the feature entirely until
- // we have at least one good implementation.
-
- // As the default value of "1" for "step" rejects decimal
- // numbers to be entered in 'type="number"' fields, allow
- // the special case 'step="any"'.
-
- if ( in_array( $key, [ 'max', 'min', 'pattern', 'required' ] )
- || $key === 'step' && $value !== 'any' ) {
- continue;
- }
-
 // https://www.w3.org/TR/html401/index/attributes.html ("space-separated")
 // https://www.w3.org/TR/html5/index.html#attributes-1 ("space-separated")
 $spaceSeparatedListAttributes = [
diff --git a/tests/phpunit/includes/HtmlTest.php b/tests/phpunit/includes/HtmlTest.php
index e2ee193416..b7249e5d94 100644
--- a/tests/phpunit/includes/HtmlTest.php
+++ b/tests/phpunit/includes/HtmlTest.php
@@ -633,35 +633,6 @@ class HtmlTest extends MediaWikiTestCase {
 return $ret;
 }
 
- /**
- * @covers Html::expandAttributes
- */
- public function testFormValidationBlacklist() {
- $this->assertEmpty(
- Html::expandAttributes( [
- 'min' => 1,
- 'max' => 100,
- 'pattern' => 'abc',
- 'required' => true,
- 'step' => 2
- ] ),
- 'Blacklist form validation attributes.'
- );
- $this->assertEquals(
- ' step="any"',
- Html::expandAttributes(
- [
- 'min' => 1,
- 'max' => 100,
- 'pattern' => 'abc',
- 'required' => true,
- 'step' => 'any'
- ],
- 'Allow special case "step=any".'
- )
- );
- }
-
 public function testWrapperInput() {
 $this->assertEquals(
 '',
-- 
2.20.1