Don't permit < in html attribute positions

Authored by Arlolra on Aug 2 2018, 9:44 PM.

Description

Don't permit < in html attribute positions

Although it's acceptable by the html5 tokenizing spec, the php parser's
Sanitizer::removeHTMLtags explodes on the character so it just can't be
found in any position there.

However, it's ok in extension tags since those get stripped first.

A test is added which clarifies the difference.

Change-Id: Idb2cfcd110209eaab26a2e473e8e38884e19534b

Event Timeline

jenkins-bot <jenkins-bot@gerrit.wikimedia.org> committed rGPAR03ed2f3cab4c: Don't permit < in html attribute positions (authored by Arlolra). Aug 3 2018, 9:43 PM
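
An added illustration, not code from this commit or from MediaWiki: a simplified JavaScript model of a sanitizer that splits its input on `<`, beside a quote-aware scan in the spirit of the HTML5 tokenizer, showing why the two disagree about a `<` in an attribute position. The function names, allow-list, regex and sample strings are assumptions constructed for the example.

```javascript
// Simplified model of a sanitizer that splits on '<' (an assumption for
// illustration, not MediaWiki's code). Names and allow-list are constructed.
const ALLOWED = new Set(['div', 'span', 'b', 'i']);
// One piece after a '<': optional slash, tag name, attributes, '>', text.
const TAG_PIECE = /^(\/?)([A-Za-z][^\t\n\v \/>\0]*)([^>]*?)(\/?>)([^<]*)$/;
const escGt = (s) => s.replace(/>/g, '&gt;');

function sanitizeBySplitting(text) {
  const pieces = text.split('<');
  let out = escGt(pieces.shift()); // text before the first '<' is never a tag
  const open = [];                 // stack of currently open allowed tags
  for (const piece of pieces) {
    const m = TAG_PIECE.exec(piece);
    const name = m ? m[2].toLowerCase() : null;
    let ok = m !== null && ALLOWED.has(name);
    if (ok && m[1] === '/') {
      ok = open[open.length - 1] === name; // a close tag must match the open one
      if (ok) open.pop();
    } else if (ok) {
      open.push(name);
    }
    // Recognised tags pass through; everything else becomes literal text.
    out += ok ? '<' + m[1] + m[2] + m[3] + m[4] + escGt(m[5])
              : '&lt;' + escGt(piece);
  }
  return out;
}

// Quote-aware scan for the end of a start tag, in the spirit of the HTML5
// tokenizer: inside a quoted attribute value '<' is ordinary data.
function quoteAwareTagEnd(text) {
  let quote = null;
  for (let i = 1; i < text.length; i++) {
    const c = text[i];
    if (quote) { if (c === quote) quote = null; }
    else if (c === '"' || c === "'") quote = c;
    else if (c === '>') return i;
  }
  return -1;
}

// Constructed sample inputs.
const plain = '<div title="a b">x</div>';
const withLt = '<div title="a<b">x</div>';
console.log(sanitizeBySplitting(plain));  // tag kept as markup
console.log(sanitizeBySplitting(withLt)); // whole element turned into text
console.log(quoteAwareTagEnd(withLt));    // quote-aware scan still sees one tag
```

In this model the quote-aware scan treats the second sample as a single `div` start tag, while the splitting sanitizer cuts the tag in two at the `<` and escapes every piece, so a tokenizer that accepted the character there would produce a tag the sanitizer never recognises.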