
SVN: [58711] trunk/phase3/includes/Sanitizer.php

 

 



daniel at svn

Nov 7, 2009, 7:03 AM

SVN: [58711] trunk/phase3/includes/Sanitizer.php

http://www.mediawiki.org/wiki/Special:Code/MediaWiki/58711

Revision: 58711
Author: daniel
Date: 2009-11-07 15:03:04 +0000 (Sat, 07 Nov 2009)

Log Message:
-----------
reverting r58694, needs to be done as parser tag hook in order to register as external link.

Modified Paths:
--------------
trunk/phase3/includes/Sanitizer.php

Modified: trunk/phase3/includes/Sanitizer.php
===================================================================
--- trunk/phase3/includes/Sanitizer.php 2009-11-07 14:23:41 UTC (rev 58710)
+++ trunk/phase3/includes/Sanitizer.php 2009-11-07 15:03:04 UTC (rev 58711)
@@ -353,7 +353,7 @@
if ( !$staticInitialised ) {

$htmlpairsStatic = array( # Tags that must be closed
- 'a', 'b', 'del', 'i', 'ins', 'u', 'font', 'big', 'small', 'sub', 'sup', 'h1',
+ 'b', 'del', 'i', 'ins', 'u', 'font', 'big', 'small', 'sub', 'sup', 'h1',
'h2', 'h3', 'h4', 'h5', 'h6', 'cite', 'code', 'em', 's',
'strike', 'strong', 'tt', 'var', 'div', 'center',
'blockquote', 'ol', 'ul', 'dl', 'table', 'caption', 'pre',
@@ -605,8 +605,6 @@
*/
static function validateAttributes( $attribs, $whitelist ) {
$whitelist = array_flip( $whitelist );
- $hrefExp = '/^(' . wfUrlProtocols() . ')[^\s]+$/';
-
$out = array();
foreach( $attribs as $attribute => $value ) {
if( !isset( $whitelist[$attribute] ) ) {
@@ -628,23 +626,6 @@
$wgEnforceHtmlIds ? 'noninitial' : 'xml' );
}

- if ( $attribute === 'href' || $attribute === 'src' ) {
- if ( !preg_match( $hrefExp, $value ) ) {
- continue; //drop any href or src attributes not using an allowed protocol.
- //NOTE: this also drops all relative URLs
- }
- }
-
- //RDFa properties allow URIs. check them
- if ( $attribute === 'rel' || $attribute === 'rev' ||
- $attribute === 'about' || $attribute === 'property' || $attribute === 'resource' ||
- $attribute === 'datatype' || $attribute === 'typeof' ) {
- //Paranoia. Allow "simple" values but suppress javascript
- if ( preg_match( '/(^|\s)javascript\s*:/i', $value ) ) {
- continue;
- }
- }
-
// If this attribute was previously set, override it.
// Output should only have one attribute of each name.
$out[$attribute] = $value;
@@ -1173,11 +1154,7 @@
* @return Array
*/
static function setupAttributeWhitelist() {
- $common = array( 'id', 'class', 'lang', 'dir', 'title', 'style',
- #RDFa attributes as specified in section 9 of http://www.w3.org/TR/2008/REC-rdfa-syntax-20081014
- 'about', 'property', 'resource', 'datatype', 'typeof',
- );
-
+ $common = array( 'id', 'class', 'lang', 'dir', 'title', 'style' );
$block = array_merge( $common, array( 'align' ) );
$tablealign = array( 'align', 'char', 'charoff', 'valign' );
$tablecell = array( 'abbr',
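Review bot: The `$common` list in setupAttributeWhitelist carries no comment saying that URL-valued attributes must stay out of it, although after this commit the whitelist appears to be the only gate on them. The same revision removes the allowed-protocol check on `href`/`src` and the `javascript:` filter from validateAttributes (the `@@ -628,23 +626,6` hunk), so as far as the visible hunks show, a whitelisted attribute value is copied to `$out` with no scheme check. I would add a comment above the assignment, `# Do not add URL-valued attributes (href, src, RDFa) here: validateAttributes() does not check URL schemes`. If any per-element list further down still contains `src` (those lists are not visible in this hunk), the protocol check for `src` should stay in validateAttributes independently of the `<a>` revert. The function body continues outside the hunk.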
@@ -1283,9 +1260,6 @@
'td' => array_merge( $common, $tablecell, $tablealign ),
'th' => array_merge( $common, $tablecell, $tablealign ),

- # 12.2
- 'a' => array_merge( $common, array( 'href', 'rel', 'rev' ) ), # rel/rev esp. for RDFa
-
# 13.2
# Not usually allowed, but may be used for extension-style hooks
# such as <math> when it is rasterized



