RequestContext specifically.
* Profiling was restructured and $wgProfiler now requires an 'output' parameter.
See StartProfiler.sample for details.
+* $wgMangleFlashPolicy was added to make MediaWiki's mangling of anything that
+ might be a flash policy directive configurable.
=== New features in 1.25 ===
* (bug 62861) Updated plural rules to CLDR 26. Includes incompatible changes
*/
$wgEnableCanonicalServerLink = false;
+/**
+ * When OutputHandler is used, mangle any output that contains
+ * <cross-domain-policy>. Without this, an attacker can send their own
+ * cross-domain policy unless it is prevented by the crossdomain.xml file at
+ * the domain root.
+ */
+$wgMangleFlashPolicy = true;
+
/** @} */ # End of output format settings }
/*************************************************************************//**
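Review bot: The doc comment on `$wgMangleFlashPolicy` names the risk but does not say when it is acceptable to turn the setting off, and it carries no version tag. The default `true` is the safe value, so the comment should tell operators that `false` is only appropriate when the crossdomain.xml at the domain root already restricts which policy files are honoured. I would add a line such as ` * Only set this to false if the crossdomain.xml at the domain root restricts additional policy files.` and, presumably matching the 1.25 release-notes entry on this page, ` * @since 1.25`.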
* @return string
*/
function wfOutputHandler( $s ) {
- global $wgDisableOutputCompression, $wgValidateAllHtml;
- $s = wfMangleFlashPolicy( $s );
+ global $wgDisableOutputCompression, $wgValidateAllHtml, $wgMangleFlashPolicy;
+ if ( $wgMangleFlashPolicy ) {
+ $s = wfMangleFlashPolicy( $s );
+ }
if ( $wgValidateAllHtml ) {
$headers = headers_list();
$isHTML = false;
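Review bot: The new guard `if ( $wgMangleFlashPolicy )` skips the mitigation for every falsy value, so a null or never-assigned global disables the mangling just as an explicit `false` does. Whether the global can be unset when the handler runs is not visible from this hunk. For a security control I would still make the opt-out explicit so that it fails closed: `if ( $wgMangleFlashPolicy !== false ) {`. The body of wfOutputHandler continues past the end of the hunk.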