
daniel at svn
Nov 7, 2009, 7:13 AM
SVN: [58712] trunk/phase3/includes/Sanitizer.php
http://www.mediawiki.org/wiki/Special:Code/MediaWiki/58712
Revision: 58712
Author: daniel
Date: 2009-11-07 15:13:38 +0000 (Sat, 07 Nov 2009)
Log Message:
-----------
allow RDFa attributes; missing support for <a>, will be added as a parser tag hook
Modified Paths:
--------------
trunk/phase3/includes/Sanitizer.php
Modified: trunk/phase3/includes/Sanitizer.php
===================================================================
--- trunk/phase3/includes/Sanitizer.php 2009-11-07 15:03:04 UTC (rev 58711)
+++ trunk/phase3/includes/Sanitizer.php 2009-11-07 15:13:38 UTC (rev 58712)
@@ -626,6 +626,16 @@
 $wgEnforceHtmlIds ? 'noninitial' : 'xml' );
 }
+ //RDFa properties allow URIs. check them
+ if ( $attribute === 'rel' || $attribute === 'rev' ||
+ $attribute === 'about' || $attribute === 'property' || $attribute === 'resource' ||
+ $attribute === 'datatype' || $attribute === 'typeof' ) {
+ //Paranoia. Allow "simple" values but suppress javascript
+ if ( preg_match( '/(^|\s)javascript\s*:/i', $value ) ) {
+ continue;
+ }
+ }
+
 // If this attribute was previously set, override it.
 // Output should only have one attribute of each name.
 $out[$attribute] = $value;
@@ -1154,7 +1164,11 @@
 * @return Array
 */
 static function setupAttributeWhitelist() {
- $common = array( 'id', 'class', 'lang', 'dir', 'title', 'style' );
+ $common = array( 'id', 'class', 'lang', 'dir', 'title', 'style',
+ #RDFa attributes as specified in section 9 of http://www.w3.org/TR/2008/REC-rdfa-syntax-20081014
+ 'about', 'property', 'resource', 'datatype', 'typeof',
+ );
+
 $block = array_merge( $common, array( 'align' ) );
 $tablealign = array( 'align', 'char', 'charoff', 'valign' );
 $tablecell = array( 'abbr',
_______________________________________________
MediaWiki-CVS mailing list
MediaWiki-CVS[at]lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-cvs
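Review bot: The `preg_match( '/(^|\s)javascript\s*:/i', $value )` test in the new RDFa branch is the only filter between the newly whitelisted `about`, `property`, `resource`, `datatype` and `typeof` values and the emitted markup, and a denylist of a single scheme name is a weak gate: it ignores every other script-capable scheme and it runs on `$value` in whatever decoding state it has reached by this point, which the hunk does not show, so scheme obfuscation through character references or stray control characters is not obviously excluded. The safer shape is an allowlist: accept values that are relative references or CURIEs and otherwise require the scheme to be in `$wgUrlProtocols`, the protocol list the parser already applies to external links, rather than naming the one scheme to reject. Whatever rule is kept, the `//Paranoia` comment should state the threat it addresses and note that `rel`/`rev` are checked here although the second hunk does not whitelist them (the log message explains `<a>` is deferred). The enclosing attribute loop starts and ends outside the hunk.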
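Review bot: The `#RDFa attributes as specified in section 9 of ...` line inside the `$common` array uses a shell-style `#` comment while the rest of this commit and the surrounding code use `//`; `// RDFa attributes as specified in section 9 of http://www.w3.org/TR/2008/REC-rdfa-syntax-20081014` keeps the file consistent. Since these five names are appended to `$common`, they become legal on every whitelisted element, which matches the log message but is worth a sentence in the comment so a later reader does not assume the list is element-specific. setupAttributeWhitelist continues past the end of the hunk.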