We now automatically infuse any element with a data-ooui attribute, so
allowing them in wikitext allows rendering any arbitrary OOUI widget,
some of which (ButtonWidget) are unsafe and can lead to XSS.
By blacklisting data-ooui, widgets cannot be created in wikitext.
T101666 will enable a safe subset of them.
Bug: T105413
Change-Id: I3f63594a41e9cac3219791e181a2f93818178263
}
# Allow any attribute beginning with "data-"
- if ( !preg_match( '/^data-/i', $attribute ) && !isset( $whitelist[$attribute] ) ) {
+ if ( !preg_match( '/^data-(?!ooui)/i', $attribute ) && !isset( $whitelist[$attribute] ) ) {
continue;
}
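Review bot: The context comment `# Allow any attribute beginning with "data-"` directly above the changed line is now inaccurate, since the negative lookahead `(?!ooui)` rejects every attribute whose name starts with `data-ooui` (including any `data-ooui-*` variant, and with the `i` flag also `data-OOUI`); update the comment to state that exception and reference T105413 so the reason survives in the code. A parser test that asserts `data-ooui` and `data-OOUI` are stripped while an unrelated `data-foo` attribute is kept would cover both the prefix match and the case-insensitivity.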