SECURITY: Do not allow data-ooui attributes in wikitext
We now automatically infuse any element with a data-ooui attribute, so allowing them in wikitext allows rendering any arbitrary OOUI widget, some of which (ButtonWidget) are unsafe and can lead to XSS. By blacklisting data-ooui, widgets cannot be created in wikitext. T101666 will enable a safe subset of them. Bug: T105413 Change-Id: I3f63594a41e9cac3219791e181a2f93818178263
This commit is contained in:
parent
b8ced862bb
commit
aa9a52da42
1 changed files with 1 additions and 1 deletions
@ -753,7 +753,7 @@ class Sanitizer {
|
|||
}
|
||||
|
||||
# Allow any attribute beginning with "data-"
|
||||
if ( !preg_match( '/^data-/i', $attribute ) && !isset( $whitelist[$attribute] ) ) {
|
||||
if ( !preg_match( '/^data-(?!ooui)/i', $attribute ) && !isset( $whitelist[$attribute] ) ) {
|
||||
continue;
|
||||
}
|
||||
|
||||
|
|
|
|||
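Review bot: The context comment `# Allow any attribute beginning with "data-"` immediately above the changed condition is now inaccurate, since the new regex carves out an exception, and a reader skimming the comment will miss the exclusion; change it to `# Allow any attribute beginning with "data-", except data-ooui: elements carrying it are auto-infused into OOUI widgets, which is unsafe in wikitext (T105413)`. Note that `(?!ooui)` is an unanchored lookahead under `/i`, so it also rejects names such as `data-ooui-x` or `DATA-OOUIFOO`; that over-blocking looks intentional as a denylist but is worth stating in the comment so it is not "fixed" later. Because this is a denylist carved out of an allowlist, the protection depends on the infusion code keying off exactly this prefix, so a regression test in the Sanitizer tests that asserts `data-ooui` is stripped while another `data-*` attribute survives would pin the behaviour. The enclosing method of `class Sanitizer` starts and ends outside the hunk, so whether `$attribute` has already been lowercased or otherwise normalised before this point cannot be confirmed from here.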