From: Timo Tijhof
Date: Thu, 3 Dec 2015 12:12:25 +0000 (+0000)
Subject: Don't trigger 'wikipage.diff' hook for content that looks like a diff
X-Git-Tag: 1.31.0-rc.0~8628^2
X-Git-Url: https://git.cyclocoop.org/%7B%24www_url%7Dadmin/compta/exercices/journal.php?a=commitdiff_plain;h=b1e3f9e38d7c74e080e99e58dac55629b9f0b097;p=lhc%2Fweb%2Fwiklou.git
Don't trigger 'wikipage.diff' hook for content that looks like a diff
Follows-up 9cfb9cb9fba, and b62f0e91564. Add data-mw="interface" to elements created by the interface (e.g. not user-generated content) and use this to narrow down scope of elements eligible for JavaScript binding. This avoids bugs where e.g. the diff hook triggers on a wiki page about diffs. This isn't a security issue per-se, but causing odd behaviour. Also add missing tests for data-ooui filtering (follows-up aa9a52da).
Change-Id: I9a0c86c92d411538bd9e203ec6ae54616fdf49b8
---
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index b1b5da2d59..4fc775ff4c 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -753,7 +753,7 @@ class Sanitizer {
 # However:
 # * data-ooui is reserved for ooui
 # * data-mw and data-parsoid are reserved for parsoid
- # * data-mw- is reserved for extensions (or core) if
+ # * data-mw- is reserved for extensions (or core) if
 # they need to communicate some data to the client and want to be
 # sure that it isn't coming from an untrusted user.
 if ( !preg_match( '/^data-(?!ooui|mw|parsoid)/i', $attribute )
diff --git a/includes/diff/DifferenceEngine.php b/includes/diff/DifferenceEngine.php
index 93f0f6ce52..781b6a6903 100644
--- a/includes/diff/DifferenceEngine.php
+++ b/includes/diff/DifferenceEngine.php
@@ -1068,8 +1068,10 @@ class DifferenceEngine extends ContextSource {
 public function addHeader( $diff, $otitle, $ntitle, $multi = '', $notice = '' ) {
 // shared.css sets diff in interface language/dir, but the actual content
 // is often in a different language, mostly the page content language/dir
- $tableClass = 'diff diff-contentalign-' . htmlspecialchars( $this->getDiffLang()->alignStart() );
- $header = "";
+ $header = Html::openElement( 'table', array(
+ 'class' => array( 'diff', 'diff-contentalign-' . $this->getDiffLang()->alignStart() ),
+ 'data-mw' => 'interface',
+ ) );
 $userLang = htmlspecialchars( $this->getLanguage()->getHtmlCode() );
 if ( !$diff && !$otitle ) {
diff --git a/resources/src/mediawiki/page/startup.js b/resources/src/mediawiki/page/startup.js
index f2509e28fc..76bc36b090 100644
--- a/resources/src/mediawiki/page/startup.js
+++ b/resources/src/mediawiki/page/startup.js
@@ -28,7 +28,7 @@
 */
 mw.hook( 'wikipage.content' ).fire( $( '#mw-content-text' ) );
- var $diff = $( 'table.diff' );
+ var $diff = $( 'table.diff[data-mw="interface"]' );
 if ( $diff.length ) {
 /**
 * Fired when the diff is added to a page containing a diff
diff --git a/tests/parser/parserTests.txt b/tests/parser/parserTests.txt
index c456fcb9de..a0e0b3a220 100644
--- a/tests/parser/parserTests.txt
+++ b/tests/parser/parserTests.txt
@@ -20541,6 +20541,15 @@ HTML5 data attributes
 !! end
+!! test
+Strip reserved data attributes
+!! wikitext
+
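Review bot: In addHeader the new marker `'data-mw' => 'interface'` uses the bare `data-mw` attribute, which the Sanitizer comment shown in this same patch lists as reserved for Parsoid, while it names the `data-mw-` prefix as the one for core or extensions that need the client to know a value did not come from an untrusted user. The marker is only meaningful because user-supplied `data-mw` attributes appear to be rejected by the `/^data-(?!ooui|mw|parsoid)/i` check, and nothing at this call site or at the `table.diff[data-mw="interface"]` selector in startup.js says so; I would add `// data-mw cannot be set from wikitext (see Sanitizer), so it marks this table as interface output; startup.js selects on it` above the `Html::openElement` call. That guarantee presumably covers only HTML that passes through Sanitizer, so any output path that emits unsanitized HTML would need to be considered separately before further bindings are built on this attribute. addHeader's body continues outside the hunk.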
d
+!! html +
d
+ +!! end + !! test percent-encoding and + signs in internal links (Bug 26410) !! wikitext @@ -26339,12 +26348,3 @@ Empty LI (T49673)
  • b
  • !! end - -!! test -reserved data attributes stripped -!! wikitext -
    d
    -!! html -
    d
    - -!! end