From: Kunal Mehta Date: Thu, 9 Jul 2015 22:56:17 +0000 (-0700) Subject: SECURITY: Do not allow data-ooui attributes in wikitext X-Git-Tag: 1.31.0-rc.0~10815 X-Git-Url: https://git.cyclocoop.org/%7B%24admin_url%7Dmembres/cotisations/rappels.php?a=commitdiff_plain;h=aa9a52da42da43576d5a31ea42557fb40a885d2e;p=lhc%2Fweb%2Fwiklou.git SECURITY: Do not allow data-ooui attributes in wikitext We now automatically infuse any element with a data-ooui attribute, so allowing them in wikitext allows rendering any arbitrary OOUI widget, some of which (ButtonWidget) are unsafe and can lead to XSS. By blacklisting data-ooui, widgets cannot be created in wikitext. T101666 will enable a safe-subset of them. Bug: T105413 Change-Id: I3f63594a41e9cac3219791e181a2f93818178263 --- diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php index 2340cd9449..ddaf1b2d99 100644 --- a/includes/Sanitizer.php +++ b/includes/Sanitizer.php @@ -753,7 +753,7 @@ class Sanitizer { } # Allow any attribute beginning with "data-" - if ( !preg_match( '/^data-/i', $attribute ) && !isset( $whitelist[$attribute] ) ) { + if ( !preg_match( '/^data-(?!ooui)/i', $attribute ) && !isset( $whitelist[$attribute] ) ) { continue; }
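Review bot: The comment `# Allow any attribute beginning with "data-"` just above the changed line is now inaccurate, because the new pattern `/^data-(?!ooui)/i` rejects every attribute whose name starts with `data-ooui` (the lookahead excludes the whole prefix, so `data-ooui-anything` is dropped as well, not only the exact name `data-ooui`, and the `i` flag makes the exclusion case-insensitive, which matters since attribute names are lowercased elsewhere in the sanitizer path). Update the comment to state the exception and why it exists, e.g. `# Allow any attribute beginning with "data-", except data-ooui* which would let wikitext infuse arbitrary OOUI widgets (T105413)`. It would also be worth pairing this with a sanitizer test that asserts `data-ooui` is stripped while an unrelated `data-foo` attribute still passes, since the surrounding logic (`continue` only when the regex fails and the attribute is not in `$whitelist`) is easy to regress if the regex is later touched.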