Reserve data-mw and data-parsoid attribute prefix for trusted values

Description

Reserve data-mw and data-parsoid attribute prefix for trusted values

Don't let users set attributes starting with data-mw or data-parsoid.
The main idea is to allow MediaWiki to use data-mw-<something>
attributes for trusted input to client-side scripts. There have
been a couple of security vulnerabilities in the past based on users
being able to manipulate a data attribute which the client side was
assuming was trusted.

Also include data-mw and data-parsoid as both are used by Parsoid
currently.

See https://lists.wikimedia.org/pipermail/wikitech-l/2015-November/083811.html

A corresponding change will also have to be made in Parsoid.

Change-Id: I06585380bde3bc57b17ad76740c5acc2056d7c44
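
The rule the commit message describes, sketched as an added example (this is not MediaWiki's or Parsoid's own code): user-supplied attributes whose names start with a reserved prefix are dropped, so client-side scripts can treat `data-mw-*` values as software-generated. The allowlist, function names and sample input are assumptions made for illustration.

```javascript
// Added illustration; not MediaWiki's or Parsoid's code.
// Prefixes the commit reserves for trusted, software-generated values.
const RESERVED_PREFIXES = ['data-mw', 'data-parsoid'];

// Hypothetical allowlist of ordinary attributes, for this example only.
const ALLOWED_ATTRIBUTES = new Set(['class', 'id', 'title', 'lang', 'dir']);

// HTML attribute names are ASCII case-insensitive, so compare in lower case;
// otherwise "DATA-MW-x" would slip past a case-sensitive prefix check.
function isReservedAttribute(name) {
  const lower = name.toLowerCase();
  return RESERVED_PREFIXES.some((prefix) => lower.startsWith(prefix));
}

// Splits a user-supplied attribute map into what is kept and what is dropped.
function filterUserAttributes(attrs) {
  const kept = {};
  const dropped = [];
  for (const [name, value] of Object.entries(attrs)) {
    const lower = name.toLowerCase();
    // Other data-* attributes stay available to users; reserved ones do not.
    const isUserData = lower.startsWith('data-') && !isReservedAttribute(lower);
    if (isUserData || ALLOWED_ATTRIBUTES.has(lower)) {
      kept[lower] = value;
    } else {
      dropped.push(name);
    }
  }
  return { kept, dropped };
}

// Constructed sample input: attributes as a user might write them in wikitext.
const sample = {
  class: 'infobox',
  'data-sort-value': '42',
  'data-mw-href': 'https://example.org/', // claims the trusted namespace
  'DATA-MW': '{"x":1}',                   // same prefix, different case
  'data-parsoid': '{}',
  'data-mwfoo': 'x',                      // still "starts with data-mw"
  contenteditable: 'true',                // not on the example allowlist
};
const result = filterUserAttributes(sample);
console.log('kept:', result.kept);
console.log('dropped:', result.dropped);
```
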

Details

Provenance
Bawolff Authored on
Legoktm Committed on Dec 9 2015, 6:47 AM
Parents
rMWe1ebc2de02ef: Merge "Followup a88df43d: make $wgDebugDumpSql log commented queries again"
Branches
Unknown
Tags
Unknown
ChangeId
I06585380bde3bc57b17ad76740c5acc2056d7c44