Html: Unblacklist HTML5 form validation attributes

We blacklisted them in 2010. Modern browsers support them fairly well, and it doesn't seem to conflict with any of our code. I tested this with SecurePoll poll creation form, which contains an astonishingly wide range of form controls and validation options. Change-Id: I08244addcf9b6eb96137895f28e7b750914fef5c
2016-11-24 16:18:24 +01:00 · 2016-11-24 16:18:24 +01:00 · 86e9469e5d
commit 86e9469e5d
parent 38cc8a697f
3 changed files with 5 additions and 45 deletions
--- a/RELEASE-NOTES-1.29
+++ b/RELEASE-NOTES-1.29
@ -46,6 +46,10 @@ production.
  of the page being parsed.
 * Added JavaScript that provides as-you-type suggestions for reason
  on the block, delete and protect forms.
+* HTML5 form validation attributes will no longer be suppressed. Originally
+  browsers had poor support for them, but modern browsers handle them fine.
+  This might affect some forms that used them and only worked because the
+  attributes were not actually being set.

 === External library changes in 1.29 ===

@ -171,6 +175,7 @@ changes to languages because of Phabricator reports.
 * Linker::getInternalLinkAttributesObj() (deprecated since 1.25) was removed.
 * Linker::getLinkAttributesInternal() (deprecated since 1.25) was removed.
 * RedisConnectionPool::handleException (deprecated since 1.23) was removed.
+
 == Compatibility ==

 MediaWiki 1.29 requires PHP 5.5.9 or later. There is experimental support for
--- a/includes/Html.php
+++ b/includes/Html.php
@ -485,22 +485,6 @@ class Html {
 			// and better compression anyway.
 			$key = strtolower( $key );

-			// Bug 23769: Blacklist all form validation attributes for now.  Current
-			// (June 2010) WebKit has no UI, so the form just refuses to submit
-			// without telling the user why, which is much worse than failing
-			// server-side validation.  Opera is the only other implementation at
-			// this time, and has ugly UI, so just kill the feature entirely until
-			// we have at least one good implementation.
-
-			// As the default value of "1" for "step" rejects decimal
-			// numbers to be entered in 'type="number"' fields, allow
-			// the special case 'step="any"'.
-
-			if ( in_array( $key, [ 'max', 'min', 'pattern', 'required' ] )
-				|| $key === 'step' && $value !== 'any' ) {
-				continue;
-			}
-
 			// https://www.w3.org/TR/html401/index/attributes.html ("space-separated")
 			// https://www.w3.org/TR/html5/index.html#attributes-1 ("space-separated")
 			$spaceSeparatedListAttributes = [
--- a/tests/phpunit/includes/HtmlTest.php
+++ b/tests/phpunit/includes/HtmlTest.php
@ -633,35 +633,6 @@ class HtmlTest extends MediaWikiTestCase {
 		return $ret;
 	}

-	/**
-	 * @covers Html::expandAttributes
-	 */
-	public function testFormValidationBlacklist() {
-		$this->assertEmpty(
-			Html::expandAttributes( [
-				'min' => 1,
-				'max' => 100,
-				'pattern' => 'abc',
-				'required' => true,
-				'step' => 2
-			] ),
-			'Blacklist form validation attributes.'
-		);
-		$this->assertEquals(
-			' step="any"',
-			Html::expandAttributes(
-				[
-					'min' => 1,
-					'max' => 100,
-					'pattern' => 'abc',
-					'required' => true,
-					'step' => 'any'
-				],
-				'Allow special case "step=any".'
-			)
-		);
-	}
-
 	public function testWrapperInput() {
 		$this->assertEquals(
 			'<input type="radio" value="testval" name="testname"/>',