From ea1a1cd5dbf4379c5fe9167eb7a226ccc96b5f91 Mon Sep 17 00:00:00 2001
From: Daniel Friesen
Date: Fri, 19 Oct 2012 01:57:25 -0700
Subject: [PATCH] Support WAI-ARIA's role="presentation" inside of WikiText.
- role="presentation" is the standard way to mark some element as presentational for assistive technologies, etc... Such as presentational tables. Something we have a lot of and need the ability to mark as presentational.
- Other ARIA roles need more thought so for now they are not supported.
Change-Id: I426ea04a8bc48181a71a308753525f3964201748
---
 RELEASE-NOTES-1.21 | 3 +++
 includes/Sanitizer.php | 23 ++++++++++++++++++++++-
 tests/phpunit/includes/SanitizerTest.php | 22 ++++++++++++++++++++++
 3 files changed, 47 insertions(+), 1 deletion(-)
diff --git a/RELEASE-NOTES-1.21 b/RELEASE-NOTES-1.21
index d1976ddb5d..12cef87cdc 100644
--- a/RELEASE-NOTES-1.21
+++ b/RELEASE-NOTES-1.21
@@ -96,6 +96,9 @@ production.
 * (bug 43915) New maintenance script deleteEqualMessages.php.
 * New collation uppercase-sv, which is like uppercase, but adapted to Swedish sort order.
+* WikiText now permits the use of WAI-ARIA's role="presentation" inside of
+ html elements and tables. This allows presentational markup, especially
+ tables. To be marked up as such.
 === Bug fixes in 1.21 ===
 * (bug 40353) SpecialDoubleRedirect should support interwiki redirects.
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index b50eca8029..c2d34b0b37 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -736,6 +736,16 @@ class Sanitizer {
 $value = Sanitizer::escapeId( $value, 'noninitial' );
 }
+ # WAI-ARIA
+ # http://www.w3.org/TR/wai-aria/
+ # http://www.whatwg.org/specs/web-apps/current-work/multipage/elements.html#wai-aria
+ # For now we only support role="presentation" until we work out what roles should be
+ # usable by content and we ensure that our code explicitly rejects patterns that
+ # violate HTML5's ARIA restrictions.
+ if ( $attribute === 'role' && $value !== 'presentation' ) {
+ continue;
+ }
+
 //RDFa and microdata properties allow URLs, URIs and/or CURIs. check them for sanity
 if ( $attribute === 'rel' || $attribute === 'rev' || $attribute === 'about' || $attribute === 'property' || $attribute === 'resource' || #RDFa
@@ -1416,7 +1426,18 @@ class Sanitizer {
 return $whitelist;
 }
- $common = array( 'id', 'class', 'lang', 'dir', 'title', 'style' );
+ $common = array(
+ # HTML
+ 'id',
+ 'class',
+ 'style',
+ 'lang',
+ 'dir',
+ 'title',
+
+ # WAI-ARIA
+ 'role',
+ );
 if ( $wgAllowRdfaAttributes ) { #RDFa attributes as specified in section 9 of http://www.w3.org/TR/2008/REC-rdfa-syntax-20081014
diff --git a/tests/phpunit/includes/SanitizerTest.php b/tests/phpunit/includes/SanitizerTest.php
index 2d039d9f41..402e6b739c 100644
--- a/tests/phpunit/includes/SanitizerTest.php
+++ b/tests/phpunit/includes/SanitizerTest.php
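Review bot: The exact-match intent of the new `role` check in the first Sanitizer.php hunk is not documented, and the hunk does not show whether `$value` has already been entity-decoded and whitespace-normalised when it reaches `$value !== 'presentation'`. The filter fails closed either way, which is the right direction for an allowlist, but a later edit that relaxes it to a case-insensitive or substring test would quietly admit other roles. I would extend the comment with a line such as `# Exact match on purpose: token lists, other casings and padded values are dropped.`. The enclosing loop and function start and end outside this hunk.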
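Review bot: Adding `'role'` to `$common` in the second Sanitizer.php hunk allows the attribute on presumably every element that receives the common attributes, while the commit message motivates it with presentational tables only. Since `role="presentation"` strips an element's semantics for assistive technology, any editor can then apply it to headings, lists or other structural markup; if that is accepted, it should be stated next to the entry. The entry also depends on the value filter in the other hunk, so a comment such as `# WAI-ARIA: value is restricted to "presentation" where attributes are validated` would keep the two from drifting apart. The function this array belongs to starts and ends outside the hunk.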
@@ -225,4 +225,26 @@ class SanitizerTest extends MediaWikiTestCase {
 array( '/* insecure input */', 'background-image: -moz-image-set("asdf.png" 1x, "asdf.png" 2x);'),
 );
 }
+
+ /**
+ * Test for support or lack of support for specific attributes in the attribute whitelist.
+ */
+ function provideAttributeSupport() {
+ /** array( , , ) */
+ return array(
+ array( 'div', ' role="presentation"', ' role="presentation"', 'Support for WAI-ARIA\'s role="presentation".' ),
+ array( 'div', ' role="main"', '', "Other WAI-ARIA roles are currently not supported." ),
+ );
+ }
+
+ /**
+ * @dataProvider provideAttributeSupport
+ */
+ function testAttributeSupport( $tag, $attributes, $expected, $message ) {
+ $this->assertEquals( $expected,
+ Sanitizer::fixTagAttributes( $attributes, $tag ),
+ $message
+ );
+ }
+
 }
-- 
2.20.1
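Review bot: The data provider in `provideAttributeSupport()` covers only the accepted value and one rejected role, so the fail-closed edges of the new filter are not pinned by any test. Assuming attribute values are not case-folded before the check, rows such as `array( 'div', ' role="Presentation"', '', 'Role matching is exact.' )` and `array( 'div', ' role="presentation main"', '', 'Role token lists are rejected.' )` would catch a later loosening of the comparison. An entity-encoded spelling of the value is worth a row as well, with the expected output taken from how the sanitizer decodes it today. As rendered here, the inline comment `/** array( , , ) */` shows three empty slots while every row has four elements, so it should name all four fields.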