(parent:
6af8dcf
)
Fix misleading comment about svg filtering.
author
Brian Wolff
<bawolff+wn@gmail.com>
Mon, 27 Jun 2016 09:47:21 +0000
(
05:47
-0400)
committer
Brian Wolff
<bawolff+wn@gmail.com>
Mon, 27 Jun 2016 09:47:21 +0000
(
05:47
-0400)
Follow-up 551d79a3e6754. See also Bug T122653.
Change-Id: I0662dc6618596bb3a3bad345de45b054b6f7f968
includes/upload/UploadBase.php
diff --git
a/includes/upload/UploadBase.php
b/includes/upload/UploadBase.php
index
ba5171f
..
5ec49ba
100644
(file)
--- a/
includes/upload/UploadBase.php
+++ b/
includes/upload/UploadBase.php
@@
-1416,7
+1416,10
@@
abstract class UploadBase {
return [ 'uploaded-event-handler-on-svg', $attrib, $value ];
}
- # href with non-local target (don't allow http://, javascript:, etc)
+ # Do not allow relative links, or unsafe url schemas.
+ # For <a> tags, only data:, http: and https: and same-document
+ # fragment links are allowed. For all other tags, only data:
+ # and fragment are allowed.
if ( $stripped == 'href'
&& strpos( $value, 'data:' ) !== 0
&& strpos( $value, '#' ) !== 0