r58711 MediaWiki - Code Review archive

Repository:MediaWiki
Revision:r58710‎ | r58711 | r58712 >
Date:15:03, 7 November 2009
Author:daniel
Status:ok (Comments)
Tags:
Comment:
reverting r58694, needs to be done as parser tag hook in order to register as external link.
Modified paths:
  • /trunk/phase3/includes/Sanitizer.php (modified) (history)


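--- a/trunk/phase3/includes/Sanitizer.php
+++ b/trunk/phase3/includes/Sanitizer.php
@@ -353,7 +353,7 @@
 if ( !$staticInitialised ) {
 
 $htmlpairsStatic = array( # Tags that must be closed
-'a', 'b', 'del', 'i', 'ins', 'u', 'font', 'big', 'small', 'sub', 'sup', 'h1',
+'b', 'del', 'i', 'ins', 'u', 'font', 'big', 'small', 'sub', 'sup', 'h1',
 'h2', 'h3', 'h4', 'h5', 'h6', 'cite', 'code', 'em', 's',
 'strike', 'strong', 'tt', 'var', 'div', 'center',
 'blockquote', 'ol', 'ul', 'dl', 'table', 'caption', 'pre',
@@ -605,8 +605,6 @@
 */
 static function validateAttributes( $attribs, $whitelist ) {
 $whitelist = array_flip( $whitelist );
-$hrefExp = '/^(' . wfUrlProtocols() . ')[^\s]+$/';
-
 $out = array();
 foreach( $attribs as $attribute => $value ) {
 if( !isset( $whitelist[$attribute] ) ) {
@@ -628,23 +626,6 @@
 $wgEnforceHtmlIds ? 'noninitial' : 'xml' );
 }
 
-if ( $attribute === 'href' || $attribute === 'src' ) {
-if ( !preg_match( $hrefExp, $value ) ) {
-continue; //drop any href or src attributes not using an allowed protocol.
-//NOTE: this also drops all relative URLs
-}
-}
-
-//RDFa properties allow URIs. check them
-if ( $attribute === 'rel' || $attribute === 'rev' ||
-$attribute === 'about' || $attribute === 'property' || $attribute === 'resource' ||
-$attribute === 'datatype' || $attribute === 'typeof' ) {
-//Paranoia. Allow "simple" values but suppress javascript
-if ( preg_match( '/(^|\s)javascript\s*:/i', $value ) ) {
-continue;
-}
-}
-
 // If this attribute was previously set, override it.
 // Output should only have one attribute of each name.
 $out[$attribute] = $value;
@@ -1173,11 +1154,7 @@
 * @return Array
 */
 static function setupAttributeWhitelist() {
-$common = array( 'id', 'class', 'lang', 'dir', 'title', 'style',
-#RDFa attributes as specified in section 9 of http://www.w3.org/TR/2008/REC-rdfa-syntax-20081014
-'about', 'property', 'resource', 'datatype', 'typeof',
-);
-
+$common = array( 'id', 'class', 'lang', 'dir', 'title', 'style' );
 $block = array_merge( $common, array( 'align' ) );
 $tablealign = array( 'align', 'char', 'charoff', 'valign' );
 $tablecell = array( 'abbr',
@@ -1283,9 +1260,6 @@
 'td' => array_merge( $common, $tablecell, $tablealign ),
 'th' => array_merge( $common, $tablecell, $tablealign ),
 
-# 12.2
-'a' => array_merge( $common, array( 'href', 'rel', 'rev' ) ), # rel/rev esp. for RDFa
-
 # 13.2
 # Not usually allowed, but may be used for extension-style hooks
 # such as <math> when it is rasterized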
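Review bot: With the `href`/`src` protocol check removed from `validateAttributes()` (hunk at old line 628), the function no longer validates any URL-bearing attribute, and nothing on the new side says so. That is consistent within this commit because the `'a'` whitelist entry is removed too, but the whitelist entries outside these hunks are not visible, so it is worth confirming that none of them admits `href` or `src`. I would add a comment above the `foreach`, e.g. `// NOTE: no URL/protocol validation is done here; do not whitelist href/src without adding a check.` The parser tag hook named in the commit message as the replacement will need its own allowed-protocol check, equivalent to the removed `wfUrlProtocols()` match. The body of `validateAttributes()` starts in the second hunk and continues outside the hunks shown.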

Past revisions this follows-up on

Revision | Commit summary | Author | Date
r58694 | allow <a> tags and RDFa attributes to support RDFa output from license templa... | daniel | 09:43, 7 November 2009

Comments

#Comment by Tim Starling (talk | contribs)   02:11, 11 January 2010

My comments on this project are at r58717.
