From: Brian Wolff
Date: Mon, 27 Jun 2016 09:47:21 +0000 (-0400)
Subject: Fix misleading comment about svg filtering.
X-Git-Tag: 1.31.0-rc.0~6514^2
X-Git-Url: https://git.cyclocoop.org/%7B%7B%20url_for%28?a=commitdiff_plain;h=c631aa894b60dd0da702717460e6387967727d13;p=lhc%2Fweb%2Fwiklou.git
Fix misleading comment about svg filtering.
Follow-up 551d79a3e6754. See also Bug T122653.
Change-Id: I0662dc6618596bb3a3bad345de45b054b6f7f968
---
diff --git a/includes/upload/UploadBase.php b/includes/upload/UploadBase.php
index ba5171f523..5ec49ba6a8 100644
--- a/includes/upload/UploadBase.php
+++ b/includes/upload/UploadBase.php
@@ -1416,7 +1416,10 @@ abstract class UploadBase {
 return [ 'uploaded-event-handler-on-svg', $attrib, $value ];
 }
- # href with non-local target (don't allow http://, javascript:, etc)
+ # Do not allow relative links, or unsafe url schemas.
+ # For tags, only data:, http: and https: and same-document
+ # fragment links are allowed. For all other tags, only data:
+ # and fragment are allowed.
 if ( $stripped == 'href'
 && strpos( $value, 'data:' ) !== 0
 && strpos( $value, '#' ) !== 0
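Review bot: The added comment line `# For tags, only data:, http: and https: and same-document` names no element, so as shown it never says which tag gets the http/https allowance; the tag name should appear literally, e.g. `# For <a> tags, only data:, http: and https: and same-document` (it is presumably `<a>` and may simply have been stripped by rendering — confirm against the actual source). The first added line says `unsafe url schemas`; the RFC 3986 term is "scheme", so `# Do not allow relative links, or unsafe URL schemes.` is the accurate wording. Note that the condition visible in this hunk only enforces the `data:` and `#` prefix allowances; the `<a>`-specific http/https branch the comment describes, and the rest of the enclosing function, start and end outside the hunk, so a reader cannot verify from these lines alone that the comment matches the code that follows.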