SECURITY: Do not allow data-ooui attributes in wikitext
author    Kunal Mehta <legoktm@gmail.com>
          Thu, 9 Jul 2015 22:56:17 +0000 (15:56 -0700)
committer Kunal Mehta <legoktm@gmail.com>
          Fri, 10 Jul 2015 20:28:05 +0000 (13:28 -0700)
commit    aa9a52da42da43576d5a31ea42557fb40a885d2e
tree      9ce7edf3920d283f221482b7323acc36dbe63668
parent    b8ced862bba14e25d3960638b9534c3c03b4c5ce
SECURITY: Do not allow data-ooui attributes in wikitext

We now automatically infuse any element with a data-ooui attribute, so
allowing them in wikitext allows rendering any arbitrary OOUI widget,
some of which (ButtonWidget) are unsafe and can lead to XSS.

By blacklisting data-ooui, widgets cannot be created in wikitext.
T101666 will enable a safe subset of them.

Bug: T105413
Change-Id: I3f63594a41e9cac3219791e181a2f93818178263
includes/Sanitizer.php
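The check the commit message describes, as an added illustration rather than MediaWiki's own Sanitizer code: attribute names are normalised to lower case (HTML attribute names are case-insensitive, so `DATA-OOUI` must be caught as well), generic `data-*` attributes are kept, but `data-ooui` is denied because the front end would infuse any element carrying it into an OOUI widget. The allowlist, the regexes and the sample attribute string are constructed for this example and do not reproduce the project's real attribute rules.

```python
import re
from html import escape

# Constructed allowlist of generic attributes (not MediaWiki's real list).
SAFE_ATTRS = {"class", "id", "title", "lang", "dir"}

# Attributes that match the data-* pattern but must never reach the client:
# an element with data-ooui is auto-infused into an OOUI widget, which is
# the behaviour the commit closes off.
INFUSE_TRIGGER_ATTRS = {"data-ooui"}

# Shape of a custom data attribute name (constructed, deliberately narrow).
DATA_ATTR_RE = re.compile(r"^data-[a-z0-9_.:-]+$")

# name="value", name='value' or name=value pairs inside a tag's attribute text.
ATTR_RE = re.compile(
    r'([a-zA-Z][a-zA-Z0-9_:-]*)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'>]+))'
)


def attribute_allowed(name: str) -> bool:
    """Allow generic safe attributes and data-* attributes, except infusion triggers."""
    name = name.lower()  # case-insensitive: DATA-OOUI is the same attribute as data-ooui
    if name in INFUSE_TRIGGER_ATTRS:
        return False
    if name in SAFE_ATTRS:
        return True
    return bool(DATA_ATTR_RE.match(name))


def sanitize_attributes(attr_text: str) -> dict:
    """Parse an attribute string and return only the attributes that pass the check."""
    kept = {}
    for m in ATTR_RE.finditer(attr_text):
        name = m.group(1).lower()
        # exactly one of the three value groups matched; pick it
        value = next(g for g in m.groups()[1:] if g is not None)
        if attribute_allowed(name):
            kept[name] = value
    return kept


def serialize(kept: dict) -> str:
    """Re-emit the surviving attributes with values escaped for an HTML attribute context."""
    return " ".join(f'{k}="{escape(v, quote=True)}"' for k, v in kept.items())


# Constructed sample: a wikitext author trying to smuggle a widget definition
# alongside a harmless custom data attribute and an event handler.
SAMPLE = (
    'class="note" data-ooui=\'{"_":"OO.ui.ButtonWidget"}\' '
    'data-foo="1" DATA-OOUI="{}" onclick="alert(1)"'
)

if __name__ == "__main__":
    print(serialize(sanitize_attributes(SAMPLE)))
```

Only `class` and `data-foo` survive: both spellings of the infusion trigger are dropped by the deny check, and `onclick` is dropped because it is on no allowlist at all. A deny-list entry like this is a stopgap; the safe subset the message defers to T101666 would replace it with an allowlist of widget types.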