r65337 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r65336‎ \| r65337 \| r65338 >
Date:	19:04, 20 April 2010
Author:	platonides
Status:	ok
Tags:
Comment:	Follow up r65286. If we are going to support <img we should support width and height attributes, too. Since there's a potential for creating webbugs of 1x1px we might want to enforce a minimum size for them. But that has always existed when the attacker provides the image. The sanitizer isn't treating numeric-like arguments in a special way. That is something to fix.
Modified paths:	/trunk/phase3/includes/Sanitizer.php (modified) (history)

Diff [purge]

Index: trunk/phase3/includes/Sanitizer.php
—	—	@@ -1411,7 +1411,7 @@
1412	1412	# Not usually allowed, but may be used for extension-style hooks
1413	1413	# such as <math> when it is rasterized, or if $wgAllowImageTag is
1414	1414	# true
1415		~~- 'img' => array_merge( $common, array( 'alt', 'src' ) ),~~
	1415	+ 'img' => array_merge( $common, array( 'alt', 'src', 'width', 'height' ) ),
1416	1416
1417	1417	# 15.2.1
1418	1418	'tt' => $common,

Past revisions this follows-up on

Revision	Commit summary	Author	Date
r65286	Create $wgAllowImageTag to whitelist <img>...	simetrical	18:44, 19 April 2010

Status & tagging log

09:46, 31 August 2010 Tim Starling (talk | contribs) changed the status of r65337 [removed: new added: ok]