From 4c5e89c1aca97fbca25563c055aa5149f7239e2a Mon Sep 17 00:00:00 2001
From: Aryeh Gregor
Date: Mon, 18 Jan 2010 01:30:41 +0000
Subject: [PATCH] Strip some microdata attributes when invalid
---
includes/Sanitizer.php | 25 ++++++++++++++++++++++++-
maintenance/parserTests.txt | 26 ++++++++++++++++++++++++++
2 files changed, 50 insertions(+), 1 deletion(-)
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index 0487762205..adfbd5a5ac 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -620,7 +620,7 @@ class Sanitizer {
* @todo Check for unique id attribute :P
*/
static function validateAttributes( $attribs, $whitelist ) {
- global $wgAllowRdfaAttributes;
+ global $wgAllowRdfaAttributes, $wgAllowMicrodataAttributes;
$whitelist = array_flip( $whitelist );
$hrefExp = '/^(' . wfUrlProtocols() . ')[^\s]+$/';
@@ -682,6 +682,29 @@ class Sanitizer {
// Output should only have one attribute of each name.
$out[$attribute] = $value;
}
+
+ if ( $wgAllowMicrodataAttributes ) {
+ # There are some complicated validity constraints we need to
+ # enforce here. First of all, we don't want to allow non-standard
+ # itemtypes.
+ $allowedTypes = array(
+ 'http://microformats.org/profile/hcard',
+ 'http://microformats.org/profile/hcalendar#vevent',
+ 'http://n.whatwg.org/work',
+ );
+ if ( isset( $out['itemtype'] ) && !in_array( $out['itemtype'],
+ $allowedTypes ) ) {
+ # Kill everything
+ unset( $out['itemscope'] );
+ }
+ # itemtype, itemid, itemref don't make sense without itemscope
+ if ( !array_key_exists( 'itemscope', $out ) ) {
+ unset( $out['itemtype'] );
+ unset( $out['itemid'] );
+ unset( $out['itemref'] );
+ }
+ # TODO: Strip itemprop if we aren't descendants of an itemscope.
+ }
return $out;
}
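Review bot: The allow-list test `!in_array( $out['itemtype'], $allowedTypes )` compares loosely, so whether a value counts as allowed depends on PHP's `==` coercion rather than exact string equality; pass the strict flag, `!in_array( $out['itemtype'], $allowedTypes, true )`. The values are presumably always strings at this point, so this is hardening rather than a known bypass, but an allow-list inside a sanitizer should not rely on that. The `# Kill everything` comment is also misleading: that branch only unsets `itemscope`, the three dependent attributes are removed by the following `if`, and `itemprop` is left in place (as the TODO admits), so something like `# Drop itemscope; the dependent attributes are stripped below` would match the code. validateAttributes() begins before this hunk, so how `$out` is populated is not visible here.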
diff --git a/maintenance/parserTests.txt b/maintenance/parserTests.txt
index 1283a4b645..4b45f5852c 100644
--- a/maintenance/parserTests.txt
+++ b/maintenance/parserTests.txt
@@ -7764,6 +7764,32 @@ license.
!! end
+!! test
+Microdata: license example from spec with bad itemtype
+!! input
+
+!! result
+
+
+!! end
+
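Review bot: Only the bad-`itemtype` rejection is covered, going by the single test title visible in this hunk; the other new branch in Sanitizer.php, which strips `itemtype`, `itemid` and `itemref` when no `itemscope` is present, has no parser test here. A case for that branch would pin the behaviour, so a later edit to the validation cannot quietly let orphaned microdata attributes through. The test's input and result bodies are not legible on this page, so this rests on the test title alone.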
--
2.20.1