}
$badtag = false;
- if ( isset( $htmlelements[$t = strtolower( $t )] ) ) {
+ $t = strtolower( $t );
+ if ( isset( $htmlelements[$t] ) ) {
# Check our stack
if ( $slash && isset( $htmlsingleonly[$t] ) ) {
$badtag = true;
$badtag = true;
} elseif ( in_array( $t, $tagstack ) && !isset( $htmlnest[$t] ) ) {
$badtag = true;
- # Is it a self closed htmlpair ? (bug 5487)
+ # Is it a self closed htmlpair ? (bug 5487)
} elseif ( $brace == '/>' && isset( $htmlpairs[$t] ) ) {
$badtag = true;
} elseif ( isset( $htmlsingleonly[$t] ) ) {
list( /* $qbar */, $slash, $t, $params, $brace, $rest ) = $regs;
$badtag = false;
- if ( isset( $htmlelements[$t = strtolower( $t )] ) ) {
+ $t = strtolower( $t );
+ if ( isset( $htmlelements[$t] ) ) {
if ( is_callable( $processCallback ) ) {
call_user_func_array( $processCallback, array( &$params, $args ) );
}
$out = array();
foreach ( $attribs as $attribute => $value ) {
- #allow XML namespace declaration if RDFa is enabled
+ # allow XML namespace declaration if RDFa is enabled
if ( $wgAllowRdfaAttributes && preg_match( self::XMLNS_ATTRIBUTE_PATTERN, $attribute ) ) {
if ( !preg_match( self::EVIL_URI_PATTERN, $value ) ) {
$out[$attribute] = $value;
}
# Allow any attribute beginning with "data-"
- if ( !preg_match( '/^data-(?!ooui)/i', $attribute ) && !isset( $whitelist[$attribute] ) ) {
+ # However:
+ # * data-ooui is reserved for ooui
+ # * data-mw and data-parsoid are reserved for parsoid
+ # * data-mw-<ext name here> is reserved for extensions (or core) if
+ # they need to communicate some data to the client and want to be
+ # sure that it isn't coming from an untrusted user.
+ if ( !preg_match( '/^data-(?!ooui|mw|parsoid)/i', $attribute )
+ && !isset( $whitelist[$attribute] )
+ ) {
continue;
}
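Review bot: The negative lookahead in `/^data-(?!ooui|mw|parsoid)/i` has no terminator, so it drops every attribute whose name merely starts with one of the reserved prefixes (for example `data-mwfoo`), which is broader than the cases the new comment lists. That errs on the safe side for a namespace client code is meant to trust, but the comment should say so, e.g. `# The match is by prefix: any name starting with data-ooui, data-mw or data-parsoid is dropped.` A reserved name is still kept when `$whitelist[$attribute]` is set, so the guarantee also depends on no caller whitelisting one; this cannot be confirmed here because the enclosing loop and function start and end outside the hunk. A sanitizer test asserting that `data-mw`, `data-mw-x` and `data-parsoid` are stripped from user-supplied attributes would pin the behaviour against later regex edits.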
|| $attribute === 'itemref' || $attribute === 'itemscope'
|| $attribute === 'itemtype'
) {
- //Paranoia. Allow "simple" values but suppress javascript
+ // Paranoia. Allow "simple" values but suppress javascript
if ( preg_match( self::EVIL_URI_PATTERN, $value ) ) {
continue;
}
# validation code that can be used by tag hook handlers, etc
if ( $attribute === 'href' || $attribute === 'src' ) {
if ( !preg_match( $hrefExp, $value ) ) {
- continue; //drop any href or src attributes not using an allowed protocol.
+ continue; // drop any href or src attributes not using an allowed protocol.
// NOTE: this also drops all relative URLs
}
}
# rbc
'rb' => $common,
'rp' => $common,
- 'rt' => $common, #array_merge( $common, array( 'rbspan' ) ),
+ 'rt' => $common, # array_merge( $common, array( 'rbspan' ) ),
'rtc' => $common,
# MathML root element, where used for extensions