Follows-up
9cfb9cb9fba, and
b62f0e91564.
Add data-mw="interface" to elements created by the interface
(e.g. not user-generated content) and use this to narrow down
scope of elements eligible for JavaScript binding.
This avoids bugs where e.g. the diff hook triggers on a wiki page about diffs.
This isn't a security issue per-se, but causing odd behaviour.
Also add missing tests for data-ooui filtering (follows-up
aa9a52da).
Change-Id: I9a0c86c92d411538bd9e203ec6ae54616fdf49b8
# However:
# * data-ooui is reserved for ooui
# * data-mw and data-parsoid are reserved for parsoid
- # * data-mw-<ext name here> is reserved for extensions (or core) if
+ # * data-mw-<name here> is reserved for extensions (or core) if
# they need to communicate some data to the client and want to be
# sure that it isn't coming from an untrusted user.
if ( !preg_match( '/^data-(?!ooui|mw|parsoid)/i', $attribute )
public function addHeader( $diff, $otitle, $ntitle, $multi = '', $notice = '' ) {
// shared.css sets diff in interface language/dir, but the actual content
// is often in a different language, mostly the page content language/dir
- $tableClass = 'diff diff-contentalign-' . htmlspecialchars( $this->getDiffLang()->alignStart() );
- $header = "<table class='$tableClass'>";
+ $header = Html::openElement( 'table', array(
+ 'class' => array( 'diff', 'diff-contentalign-' . $this->getDiffLang()->alignStart() ),
+ 'data-mw' => 'interface',
+ ) );
$userLang = htmlspecialchars( $this->getLanguage()->getHtmlCode() );
if ( !$diff && !$otitle ) {
*/
mw.hook( 'wikipage.content' ).fire( $( '#mw-content-text' ) );
- var $diff = $( 'table.diff' );
+ var $diff = $( 'table.diff[data-mw="interface"]' );
if ( $diff.length ) {
/**
* Fired when the diff is added to a page containing a diff
!! end
+!! test
+Strip reserved data attributes
+!! wikitext
+<div data-mw="foo" data-parsoid="bar" data-mw-someext="baz" data-ok="fred" data-ooui="xyzzy">d</div>
+!! html
+<div data-ok="fred">d</div>
+
+!! end
+
!! test
percent-encoding and + signs in internal links (Bug 26410)
!! wikitext
<li>b</li>
</ul>
!! end
-
-!! test
-reserved data attributes stripped
-!! wikitext
-<div data-mw="foo" data-parsoid="bar" data-mw-someext="baz" data-ok="fred" data-ooui="xyzzy">d</div>
-!! html
-<div data-ok="fred">d</div>
-
-!! end