for (;;);{"error":null,"payload":{"timeline":"\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_163\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-minor-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/fxebb5lcfhtwwjzw53vy\/PHID-FILE-cnwypocea7npe636h5ki\/profile)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/gui-ying233\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003ca name=\"11056862\" id=\"11056862\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-pencil phui-timeline-icon\" data-meta=\"0_162\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/gui-ying233\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_0\"\u003egui-ying233\u003c\/a\u003e created this task.\u003cspan class=\"phui-timeline-extra\"\u003e\u003ca href=\"#11056862\" data-sigil=\"has-tooltip\" data-meta=\"0_161\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 9:39 AM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 09:39:38 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_166\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-minor-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"display: none;\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003ca name=\"11056872\" id=\"11056872\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-user-plus phui-timeline-icon\" data-meta=\"0_165\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003cspan class=\"phui-handle\" data-sigil=\"hovercard\" data-meta=\"0_51\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-lock lightgreytext\" data-meta=\"0_52\" aria-hidden=\"true\"\u003e\u003c\/span\u003eRestricted Application\u003c\/span\u003e added a subscriber: \u003ca href=\"\/p\/Aklapper\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_53\"\u003eAklapper\u003c\/a\u003e. \u003cspan class=\"phui-timeline-extra-information\"\u003e \u00b7  \u003ca href=\"\/herald\/transcript\/6685116\/\"\u003eView Herald Transcript\u003c\/a\u003e\u003c\/span\u003e\u003cspan class=\"phui-timeline-extra\"\u003e\u003ca href=\"#11056872\" data-sigil=\"has-tooltip\" data-meta=\"0_164\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 9:39 AM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 09:39:40 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_177\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-major-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/g6ioxnnlsjzf64uutm3w\/PHID-FILE-xbztmssvk5tbukl46vxd\/profile)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/Lucas_Werkmeister_WMDE\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-badges\"\u003e\u003cul class=\"phui-badge-flex-view grouped flex-view-collapsed \"\u003e\u003cli class=\"phui-badge-flex-item\"\u003e\u003ca class=\"phui-badge-mini phui-badge-mini-orange \" href=\"\/badges\/view\/5\/\" aria-label=\"Backport Deployer\" data-sigil=\"has-tooltip\" data-meta=\"0_175\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-rocket\" data-meta=\"0_176\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003cdiv class=\"phui-timeline-inner-content\"\u003e\u003ca name=\"11056905\" id=\"11056905\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon phui-timeline-title-with-menu\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-user-plus phui-timeline-icon\" data-meta=\"0_174\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/Lucas_Werkmeister_WMDE\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_55\"\u003eLucas_Werkmeister_WMDE\u003c\/a\u003e subscribed.\u003cspan class=\"phui-timeline-extra\"\u003e\u003ca href=\"#11056905\" data-sigil=\"has-tooltip\" data-meta=\"0_173\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 9:45 AM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 09:45:10 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003ca href=\"#\" class=\"phui-timeline-menu\" aria-haspopup=\"true\" aria-expanded=\"false\" data-sigil=\"phui-dropdown-menu\" data-meta=\"0_171\"\u003e\u003cspan class=\"aural-only\"\u003eComment Actions\u003c\/span\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-caret-down\" data-meta=\"0_172\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-core-content\"\u003e\u003cspan class=\"transaction-comment\" data-sigil=\"transaction-comment\" data-meta=\"0_54\"\u003e\u003cdiv class=\"phabricator-remarkup\"\u003e\u003cp\u003eThis is the same issue as {T401093} (see the \u201coriginally submitted to me\u201d mention there), so merging.\u003c\/p\u003e\u003c\/div\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_186\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-major-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/zgaghsadinsmyhw2sjbo\/PHID-FILE-mcjdula35r2psvh4k5fx\/profile)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/dragon-fish\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003cdiv class=\"phui-timeline-inner-content\"\u003e\u003ca name=\"11056908\" id=\"11056908\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon phui-timeline-title-with-menu\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-comment phui-timeline-icon\" data-meta=\"0_185\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/dragon-fish\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_56\"\u003edragon-fish\u003c\/a\u003e added a comment.\u003cspan class=\"phui-timeline-extra\"\u003e\u003ca href=\"#11056908\" data-sigil=\"has-tooltip\" data-meta=\"0_184\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 9:45 AM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 09:45:15 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003ca href=\"#\" class=\"phui-timeline-menu\" aria-haspopup=\"true\" aria-expanded=\"false\" data-sigil=\"phui-dropdown-menu\" data-meta=\"0_182\"\u003e\u003cspan class=\"aural-only\"\u003eComment Actions\u003c\/span\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-caret-down\" data-meta=\"0_183\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-core-content\"\u003e\u003cspan class=\"transaction-comment\" data-sigil=\"transaction-comment\" data-meta=\"0_57\"\u003e\u003cdiv class=\"phabricator-remarkup\"\u003e\u003cp\u003eAlso try this:\u003c\/p\u003e\n\n\u003cdiv class=\"remarkup-code-block\" data-code-lang=\"text\" data-sigil=\"remarkup-code-block\"\u003e\u003cpre class=\"remarkup-code\"\u003e{{ #categorytree: test | data-\/onclick=alert("#categorytree") }}\n\n{{ #tag: syntaxhighlight | 123 | data- onclick= alert("#tag:syntaxhighlight") }}\n\n{{ #tag: poem | poem | data-><\/div><script>alert(123)<\/script><div = }}\u003c\/pre\u003e\u003c\/div\u003e\n\n\u003cp\u003egives:\u003c\/p\u003e\n\n\u003cp\u003eon page load:\u003cbr \/\u003e\n\u003cdiv class=\"phabricator-remarkup-embed-layout-left\"\u003e\u003ca href=\"https:\/\/phab.wmfusercontent.org\/file\/data\/nncat32jybyubdz7zcul\/PHID-FILE-x2g22ugr67y6gqpcmjsr\/QQ_1754300067826.png\" class=\"phabricator-remarkup-embed-image\" data-sigil=\"lightboxable\" data-meta=\"0_2\"\u003e\u003cimg src=\"https:\/\/phab.wmfusercontent.org\/file\/data\/b6wschns4nqnfibpscu2\/PHID-FILE-fcb3zclebw55abcvtqnl\/preview-QQ_1754300067826.png\" width=\"220\" height=\"59.910714285714\" alt=\"QQ_1754300067826.png (244\u00d7896 px, 15 KB)\" \/\u003e\u003c\/a\u003e\u003c\/div\u003e\u003c\/p\u003e\n\n\u003cp\u003eon click the elements:\u003cbr \/\u003e\n\u003cdiv class=\"phabricator-remarkup-embed-layout-left\"\u003e\u003ca href=\"https:\/\/phab.wmfusercontent.org\/file\/data\/l4ltizripufnmepb4vpb\/PHID-FILE-xjobcalia6ciwqavb5i6\/QQ_1754300633592.png\" class=\"phabricator-remarkup-embed-image\" data-sigil=\"lightboxable\" data-meta=\"0_3\"\u003e\u003cimg src=\"https:\/\/phab.wmfusercontent.org\/file\/data\/6mtedg6sqsenx6jry2no\/PHID-FILE-wyoxcfbapetydu5l54ym\/preview-QQ_1754300633592.png\" width=\"220\" height=\"110.58510638298\" alt=\"QQ_1754300633592.png (1\u00d73 px, 1 MB)\" \/\u003e\u003c\/a\u003e\u003c\/div\u003e\u003c\/p\u003e\u003c\/div\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell phui-timeline-indigo\" data-sigil=\"transaction anchor-container\" data-meta=\"0_189\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-minor-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/g6ioxnnlsjzf64uutm3w\/PHID-FILE-xbztmssvk5tbukl46vxd\/profile)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/Lucas_Werkmeister_WMDE\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003ca name=\"11056910\" id=\"11056910\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon\"\u003e\u003cspan class=\"phui-timeline-icon-fill fill-has-color phui-timeline-icon-fill-indigo\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-check phui-timeline-icon\" data-meta=\"0_188\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/Lucas_Werkmeister_WMDE\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_58\"\u003eLucas_Werkmeister_WMDE\u003c\/a\u003e closed this task as a duplicate of \u003cspan class=\"phui-handle\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-lock lightgreytext\" data-meta=\"0_59\" aria-hidden=\"true\"\u003e\u003c\/span\u003eRestricted Task\u003c\/span\u003e.\u003cspan class=\"phui-timeline-extra\"\u003e\u003ca href=\"#11056910\" data-sigil=\"has-tooltip\" data-meta=\"0_187\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 9:45 AM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 09:45:23 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_198\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-major-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/fxebb5lcfhtwwjzw53vy\/PHID-FILE-cnwypocea7npe636h5ki\/profile)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/gui-ying233\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003cdiv class=\"phui-timeline-inner-content\"\u003e\u003ca name=\"11056934\" id=\"11056934\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon phui-timeline-title-with-menu\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-comment phui-timeline-icon\" data-meta=\"0_197\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/gui-ying233\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_60\"\u003egui-ying233\u003c\/a\u003e added a comment.\u003cspan class=\"phui-timeline-extra\"\u003e\u003ca href=\"#11056934\" data-sigil=\"has-tooltip\" data-meta=\"0_196\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 9:51 AM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 09:51:24 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003ca href=\"#\" class=\"phui-timeline-menu\" aria-haspopup=\"true\" aria-expanded=\"false\" data-sigil=\"phui-dropdown-menu\" data-meta=\"0_194\"\u003e\u003cspan class=\"aural-only\"\u003eComment Actions\u003c\/span\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-caret-down\" data-meta=\"0_195\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-core-content\"\u003e\u003cspan class=\"transaction-comment\" data-sigil=\"transaction-comment\" data-meta=\"0_61\"\u003e\u003cdiv class=\"phabricator-remarkup\"\u003e\u003cp\u003eSince I was the one who actually discovered this, please reopen this ticket and close the other one.\u003c\/p\u003e\u003c\/div\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell phui-timeline-green\" data-sigil=\"transaction anchor-container\" data-meta=\"0_212\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-major-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/g6ioxnnlsjzf64uutm3w\/PHID-FILE-xbztmssvk5tbukl46vxd\/profile)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/Lucas_Werkmeister_WMDE\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-badges\"\u003e\u003cul class=\"phui-badge-flex-view grouped flex-view-collapsed \"\u003e\u003cli class=\"phui-badge-flex-item\"\u003e\u003ca class=\"phui-badge-mini phui-badge-mini-orange \" href=\"\/badges\/view\/5\/\" aria-label=\"Backport Deployer\" data-sigil=\"has-tooltip\" data-meta=\"0_210\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-rocket\" data-meta=\"0_211\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003cdiv class=\"phui-timeline-inner-content\"\u003e\u003ca name=\"11056966\" id=\"11056966\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon phui-timeline-title-with-menu\"\u003e\u003cspan class=\"phui-timeline-icon-fill fill-has-color phui-timeline-icon-fill-green\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-exclamation-circle phui-timeline-icon\" data-meta=\"0_207\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/Lucas_Werkmeister_WMDE\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_62\"\u003eLucas_Werkmeister_WMDE\u003c\/a\u003e reopened this task as \u003cspan class=\"phui-timeline-value\"\u003eOpen\u003c\/span\u003e.\u003cspan class=\"phui-timeline-extra\"\u003eEdited\u003cspan class=\"visual-only\" aria-hidden=\"true\"\u003e \u00b7 \u003c\/span\u003e\u003ca href=\"#11056966\" data-sigil=\"has-tooltip\" data-meta=\"0_206\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 9:56 AM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 09:56:08 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon phui-timeline-title-with-menu\"\u003e\u003cspan class=\"phui-timeline-icon-fill fill-has-color phui-timeline-icon-fill-green\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-arrow-right phui-timeline-icon\" data-meta=\"0_208\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/Lucas_Werkmeister_WMDE\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_63\"\u003eLucas_Werkmeister_WMDE\u003c\/a\u003e triaged this task as \u003cspan class=\"phui-timeline-value\"\u003eUnbreak Now!\u003c\/span\u003e priority.\u003c\/div\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon phui-timeline-title-with-menu\"\u003e\u003cspan class=\"phui-timeline-icon-fill fill-has-color phui-timeline-icon-fill-orange\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-compress phui-timeline-icon\" data-meta=\"0_209\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/Lucas_Werkmeister_WMDE\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_64\"\u003eLucas_Werkmeister_WMDE\u003c\/a\u003e merged a task: \u003cspan class=\"\"\u003e\u003cspan class=\"phui-handle\" data-sigil=\"hovercard\" data-meta=\"0_65\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-lock lightgreytext\" data-meta=\"0_66\" aria-hidden=\"true\"\u003e\u003c\/span\u003eRestricted Task\u003c\/span\u003e\u003c\/span\u003e.\u003c\/div\u003e\u003ca href=\"#\" class=\"phui-timeline-menu\" aria-haspopup=\"true\" aria-expanded=\"false\" data-sigil=\"phui-dropdown-menu\" data-meta=\"0_204\"\u003e\u003cspan class=\"aural-only\"\u003eComment Actions\u003c\/span\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-caret-down\" data-meta=\"0_205\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-core-content\"\u003e\u003cspan class=\"transaction-comment\" data-sigil=\"transaction-comment\" data-meta=\"0_67\"\u003e\u003cdiv class=\"phabricator-remarkup\"\u003e\u003cp\u003eWould something like this move in the direction of a fix?\u003c\/p\u003e\n\n\u003cdiv class=\"remarkup-code-block\" data-code-lang=\"diff\" data-sigil=\"remarkup-code-block\"\u003e\u003cpre class=\"remarkup-code\"\u003e\u003cspan\u003e\u003c\/span\u003e\u003cspan class=\"gh\"\u003ediff --git i\/includes\/parser\/Sanitizer.php w\/includes\/parser\/Sanitizer.php\u003c\/span\u003e\n\u003cspan class=\"gh\"\u003eindex 2d6934bb93..a17a7e3c8d 100644\u003c\/span\u003e\n\u003cspan class=\"gd\"\u003e--- i\/includes\/parser\/Sanitizer.php\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+++ w\/includes\/parser\/Sanitizer.php\u003c\/span\u003e\n\u003cspan class=\"gu\"\u003e@@ -513,7 +513,7 @@ public static function validateAttributes( array $attribs, array $allowed ): arr\u003c\/span\u003e\n \t\t\t# * Ensure that the attribute is not namespaced by banning\n \t\t\t#   colons.\n \t\t\tif ( (\n\u003cspan class=\"gd\"\u003e-\t\t\t\t!preg_match( '\/^data-[^:]*$\/i', $attribute ) &&\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t!preg_match( '\/^data-[^: \\\/]*$\/i', $attribute ) &&\u003c\/span\u003e\n \t\t\t\t!array_key_exists( $attribute, $allowed )\n \t\t\t) || self::isReservedDataAttribute( $attribute ) ) {\n \t\t\t\tcontinue;\u003c\/pre\u003e\u003c\/div\u003e\n\n\u003cp\u003eTODO: I\u2019m sure there\u2019s a few more characters that can separate attributes; I remember seeing a list of them somewhere, maybe I can find it again.\u003c\/p\u003e\u003c\/div\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_215\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-minor-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/fxebb5lcfhtwwjzw53vy\/PHID-FILE-cnwypocea7npe636h5ki\/profile)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/gui-ying233\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003ca name=\"11056978\" id=\"11056978\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-pencil phui-timeline-icon\" data-meta=\"0_214\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/gui-ying233\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_68\"\u003egui-ying233\u003c\/a\u003e attached a referenced file: \u003ca href=\"\/F65709324\" class=\"phui-handle\" data-sigil=\"hovercard\" data-meta=\"0_69\"\u003eF65709324: QQ_1754300067826.png\u003c\/a\u003e. \u003ca href=\"\/transactions\/detail\/PHID-XACT-TASK-akmmqoxemk7xitp\/\" data-sigil=\"workflow\"\u003e(Show Details)\u003c\/a\u003e\u003cspan class=\"phui-timeline-extra\"\u003e\u003ca href=\"#11056978\" data-sigil=\"has-tooltip\" data-meta=\"0_213\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 9:59 AM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 09:59:21 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_225\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-major-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/zgaghsadinsmyhw2sjbo\/PHID-FILE-mcjdula35r2psvh4k5fx\/profile)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/dragon-fish\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003cdiv class=\"phui-timeline-inner-content\"\u003e\u003ca name=\"11056983\" id=\"11056983\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon phui-timeline-title-with-menu\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-comment phui-timeline-icon\" data-meta=\"0_224\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/dragon-fish\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_70\"\u003edragon-fish\u003c\/a\u003e added a comment.\u003cspan class=\"phui-timeline-extra\"\u003eEdited\u003cspan class=\"visual-only\" aria-hidden=\"true\"\u003e \u00b7 \u003c\/span\u003e\u003ca href=\"#11056983\" data-sigil=\"has-tooltip\" data-meta=\"0_223\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 10:01 AM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 10:01:38 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003ca href=\"#\" class=\"phui-timeline-menu\" aria-haspopup=\"true\" aria-expanded=\"false\" data-sigil=\"phui-dropdown-menu\" data-meta=\"0_221\"\u003e\u003cspan class=\"aural-only\"\u003eComment Actions\u003c\/span\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-caret-down\" data-meta=\"0_222\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-core-content\"\u003e\u003cspan class=\"transaction-comment\" data-sigil=\"transaction-comment\" data-meta=\"0_71\"\u003e\u003cdiv class=\"phabricator-remarkup\"\u003e\u003cp\u003eNot enough, as far as I know, try \u003ctt class=\"remarkup-monospaced\"\u003e\/^data-[^:\\s\\\/<>]*$\/i\u003c\/tt\u003e\u003c\/p\u003e\n\n\u003cblockquote class=\"remarkup-reply-block\"\u003e\n\u003cdiv class=\"remarkup-reply-head\"\u003eIn \u003ca href=\"\/T401099#11056966\" class=\"phui-tag-view phui-tag-type-object \" data-sigil=\"hovercard\" data-meta=\"0_4\"\u003e\u003cspan class=\"phui-tag-core-closed\"\u003e\u003cspan class=\"phui-tag-core phui-tag-color-object\"\u003eT401099#11056966\u003c\/span\u003e\u003c\/span\u003e\u003c\/a\u003e, \u003ca href=\"\/p\/Lucas_Werkmeister_WMDE\/\" class=\"phui-tag-view phui-tag-type-person \" data-sigil=\"hovercard\" data-meta=\"0_5\"\u003e\u003cspan class=\"phui-tag-core phui-tag-color-person\"\u003e@Lucas_Werkmeister_WMDE\u003c\/span\u003e\u003c\/a\u003e wrote:\u003c\/div\u003e\n\u003cdiv class=\"remarkup-reply-body\"\u003e\u003cp\u003eWould something like this move in the direction of a fix?\u003c\/p\u003e\n\n\u003cdiv class=\"remarkup-code-block\" data-code-lang=\"diff\" data-sigil=\"remarkup-code-block\"\u003e\u003cpre class=\"remarkup-code\"\u003e\u003cspan\u003e\u003c\/span\u003e\u003cspan class=\"gh\"\u003ediff --git i\/includes\/parser\/Sanitizer.php w\/includes\/parser\/Sanitizer.php\u003c\/span\u003e\n\u003cspan class=\"gh\"\u003eindex 2d6934bb93..a17a7e3c8d 100644\u003c\/span\u003e\n\u003cspan class=\"gd\"\u003e--- i\/includes\/parser\/Sanitizer.php\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+++ w\/includes\/parser\/Sanitizer.php\u003c\/span\u003e\n\u003cspan class=\"gu\"\u003e@@ -513,7 +513,7 @@ public static function validateAttributes( array $attribs, array $allowed ): arr\u003c\/span\u003e\n \t\t\t# * Ensure that the attribute is not namespaced by banning\n \t\t\t#   colons.\n \t\t\tif ( (\n\u003cspan class=\"gd\"\u003e-\t\t\t\t!preg_match( '\/^data-[^:]*$\/i', $attribute ) &&\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t!preg_match( '\/^data-[^: \/]*$\/i', $attribute ) &&\u003c\/span\u003e\n \t\t\t\t!array_key_exists( $attribute, $allowed )\n \t\t\t) || self::isReservedDataAttribute( $attribute ) ) {\n \t\t\t\tcontinue;\u003c\/pre\u003e\u003c\/div\u003e\n\n\u003cp\u003eTODO: I\u2019m sure there\u2019s a few more characters that can separate attributes; I remember seeing a list of them somewhere, maybe I can find it again.\u003c\/p\u003e\u003c\/div\u003e\n\u003c\/blockquote\u003e\n\n\u003c\/div\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_234\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-major-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/fxebb5lcfhtwwjzw53vy\/PHID-FILE-cnwypocea7npe636h5ki\/profile)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/gui-ying233\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003cdiv class=\"phui-timeline-inner-content\"\u003e\u003ca name=\"11056987\" id=\"11056987\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon phui-timeline-title-with-menu\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-comment phui-timeline-icon\" data-meta=\"0_233\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/gui-ying233\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_72\"\u003egui-ying233\u003c\/a\u003e added a comment.\u003cspan class=\"phui-timeline-extra\"\u003e\u003ca href=\"#11056987\" data-sigil=\"has-tooltip\" data-meta=\"0_232\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 10:04 AM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 10:04:53 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003ca href=\"#\" class=\"phui-timeline-menu\" aria-haspopup=\"true\" aria-expanded=\"false\" data-sigil=\"phui-dropdown-menu\" data-meta=\"0_230\"\u003e\u003cspan class=\"aural-only\"\u003eComment Actions\u003c\/span\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-caret-down\" data-meta=\"0_231\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-core-content\"\u003e\u003cspan class=\"transaction-comment\" data-sigil=\"transaction-comment\" data-meta=\"0_73\"\u003e\u003cdiv class=\"phabricator-remarkup\"\u003e\u003cp\u003eFYI: \u003ca href=\"https:\/\/cheatsheetseries.owasp.org\/cheatsheets\/XSS_Filter_Evasion_Cheat_Sheet.html\" class=\"remarkup-link remarkup-link-ext\" target=\"_blank\" rel=\"noreferrer\"\u003eXSS Filter Evasion Cheat Sheet\u003c\/a\u003e\u003c\/p\u003e\u003c\/div\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_245\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-major-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/g6ioxnnlsjzf64uutm3w\/PHID-FILE-xbztmssvk5tbukl46vxd\/profile)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/Lucas_Werkmeister_WMDE\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-badges\"\u003e\u003cul class=\"phui-badge-flex-view grouped flex-view-collapsed \"\u003e\u003cli class=\"phui-badge-flex-item\"\u003e\u003ca class=\"phui-badge-mini phui-badge-mini-orange \" href=\"\/badges\/view\/5\/\" aria-label=\"Backport Deployer\" data-sigil=\"has-tooltip\" data-meta=\"0_243\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-rocket\" data-meta=\"0_244\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003cdiv class=\"phui-timeline-inner-content\"\u003e\u003ca name=\"11056988\" id=\"11056988\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon phui-timeline-title-with-menu\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-comment phui-timeline-icon\" data-meta=\"0_242\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/Lucas_Werkmeister_WMDE\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_74\"\u003eLucas_Werkmeister_WMDE\u003c\/a\u003e added a comment.\u003cspan class=\"phui-timeline-extra\"\u003e\u003ca href=\"#11056988\" data-sigil=\"has-tooltip\" data-meta=\"0_241\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 10:05 AM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 10:05:18 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003ca href=\"#\" class=\"phui-timeline-menu\" aria-haspopup=\"true\" aria-expanded=\"false\" data-sigil=\"phui-dropdown-menu\" data-meta=\"0_239\"\u003e\u003cspan class=\"aural-only\"\u003eComment Actions\u003c\/span\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-caret-down\" data-meta=\"0_240\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-core-content\"\u003e\u003cspan class=\"transaction-comment\" data-sigil=\"transaction-comment\" data-meta=\"0_75\"\u003e\u003cdiv class=\"phabricator-remarkup\"\u003e\u003cp\u003e\u003ctt class=\"remarkup-monospaced\"\u003eSanitizer::getAttribNameRegex()\u003c\/tt\u003e might come in useful; see also \u003ca href=\"https:\/\/html.spec.whatwg.org\/multipage\/syntax.html#attributes-2\" class=\"remarkup-link remarkup-link-ext\" target=\"_blank\" rel=\"noreferrer\"\u003eHTML 13.1.2.3 Attributes\u003c\/a\u003e. But I\u2019m also hoping that some of the Parser experts will chime in here soon.\u003c\/p\u003e\u003c\/div\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_248\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-minor-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/32ma7fpuzxevmzjow4hj\/PHID-FILE-ejkcs7pcsa3shp324bda\/profile)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/taavi\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003ca name=\"11056992\" id=\"11056992\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-link phui-timeline-icon\" data-meta=\"0_247\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/taavi\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_76\"\u003etaavi\u003c\/a\u003e added a project: \u003ca href=\"\/tag\/mediawiki-parser\/\" class=\"phui-handle\" data-sigil=\"hovercard\" data-meta=\"0_77\"\u003eMediaWiki-Parser\u003c\/a\u003e.\u003cspan class=\"phui-timeline-extra\"\u003e\u003ca href=\"#11056992\" data-sigil=\"has-tooltip\" data-meta=\"0_246\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 10:11 AM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 10:11:54 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_260\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-major-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/g6ioxnnlsjzf64uutm3w\/PHID-FILE-xbztmssvk5tbukl46vxd\/profile)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/Lucas_Werkmeister_WMDE\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-badges\"\u003e\u003cul class=\"phui-badge-flex-view grouped flex-view-collapsed \"\u003e\u003cli class=\"phui-badge-flex-item\"\u003e\u003ca class=\"phui-badge-mini phui-badge-mini-orange \" href=\"\/badges\/view\/5\/\" aria-label=\"Backport Deployer\" data-sigil=\"has-tooltip\" data-meta=\"0_258\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-rocket\" data-meta=\"0_259\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003cdiv class=\"phui-timeline-inner-content\"\u003e\u003ca name=\"11057074\" id=\"11057074\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon phui-timeline-title-with-menu\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-comment phui-timeline-icon\" data-meta=\"0_257\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/Lucas_Werkmeister_WMDE\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_78\"\u003eLucas_Werkmeister_WMDE\u003c\/a\u003e added a comment.\u003cspan class=\"phui-timeline-extra\"\u003eEdited\u003cspan class=\"visual-only\" aria-hidden=\"true\"\u003e \u00b7 \u003c\/span\u003e\u003ca href=\"#11057074\" data-sigil=\"has-tooltip\" data-meta=\"0_256\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 10:39 AM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 10:39:22 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003ca href=\"#\" class=\"phui-timeline-menu\" aria-haspopup=\"true\" aria-expanded=\"false\" data-sigil=\"phui-dropdown-menu\" data-meta=\"0_254\"\u003e\u003cspan class=\"aural-only\"\u003eComment Actions\u003c\/span\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-caret-down\" data-meta=\"0_255\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-core-content\"\u003e\u003cspan class=\"transaction-comment\" data-sigil=\"transaction-comment\" data-meta=\"0_79\"\u003e\u003cdiv class=\"phabricator-remarkup\"\u003e\u003cp\u003eHere\u2019s a slightly more thorough attempt at a fix, with the logic rewritten to hopefully be less confusing:\u003c\/p\u003e\n\n\u003cdiv class=\"remarkup-code-block\" data-code-lang=\"diff\" data-sigil=\"remarkup-code-block\"\u003e\u003cpre class=\"remarkup-code\"\u003e\u003cspan\u003e\u003c\/span\u003e\u003cspan class=\"gh\"\u003ediff --git i\/includes\/parser\/Sanitizer.php w\/includes\/parser\/Sanitizer.php\u003c\/span\u003e\n\u003cspan class=\"gh\"\u003eindex 2d6934bb93..7f05035fa9 100644\u003c\/span\u003e\n\u003cspan class=\"gd\"\u003e--- i\/includes\/parser\/Sanitizer.php\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+++ w\/includes\/parser\/Sanitizer.php\u003c\/span\u003e\n\u003cspan class=\"gu\"\u003e@@ -507,15 +507,22 @@ public static function validateAttributes( array $attribs, array $allowed ): arr\u003c\/span\u003e\n \t\t\t\tcontinue;\n \t\t\t}\n \n\u003cspan class=\"gd\"\u003e-\t\t\t# Allow any attribute beginning with "data-"\u003c\/span\u003e\n\u003cspan class=\"gd\"\u003e-\t\t\t# However:\u003c\/span\u003e\n\u003cspan class=\"gd\"\u003e-\t\t\t# * Disallow data attributes used by MediaWiki code\u003c\/span\u003e\n\u003cspan class=\"gd\"\u003e-\t\t\t# * Ensure that the attribute is not namespaced by banning\u003c\/span\u003e\n\u003cspan class=\"gd\"\u003e-\t\t\t#   colons.\u003c\/span\u003e\n\u003cspan class=\"gd\"\u003e-\t\t\tif ( (\u003c\/span\u003e\n\u003cspan class=\"gd\"\u003e-\t\t\t\t!preg_match( '\/^data-[^:]*$\/i', $attribute ) &&\u003c\/span\u003e\n\u003cspan class=\"gd\"\u003e-\t\t\t\t!array_key_exists( $attribute, $allowed )\u003c\/span\u003e\n\u003cspan class=\"gd\"\u003e-\t\t\t) || self::isReservedDataAttribute( $attribute ) ) {\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\tif ( str_starts_with( strtolower( $attribute ), 'data-' ) ) {\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t\/\/ disallow data attributes used by MediaWiki code\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\tif ( self::isReservedDataAttribute( $attribute ) ) {\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t\tcontinue;\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t}\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t\/\/ disallow namespaced attributes by banning colons\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\tif ( str_contains( $attribute, ':' ) ) {\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t\tcontinue;\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t}\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t\/\/ disallow invalid attribute name (T401099)\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\tif ( !preg_match( self::getAttribNameRegex(), $attribute ) ) {\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t\tcontinue;\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t}\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t\/\/ allow any other valid attribute beginning with "data-"\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t} elseif ( !array_key_exists( $attribute, $allowed ) ) {\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t\/\/ disallow all non-allowed non-data attributes\u003c\/span\u003e\n \t\t\t\tcontinue;\n \t\t\t}\n \n\u003cspan class=\"gh\"\u003ediff --git i\/tests\/phpunit\/includes\/parser\/SanitizerTest.php w\/tests\/phpunit\/includes\/parser\/SanitizerTest.php\u003c\/span\u003e\n\u003cspan class=\"gh\"\u003eindex 24b5acf140..dbb8eb71e2 100644\u003c\/span\u003e\n\u003cspan class=\"gd\"\u003e--- i\/tests\/phpunit\/includes\/parser\/SanitizerTest.php\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+++ w\/tests\/phpunit\/includes\/parser\/SanitizerTest.php\u003c\/span\u003e\n\u003cspan class=\"gu\"\u003e@@ -160,6 +160,24 @@ public static function provideValidateTagAttributes() {\u003c\/span\u003e\n \t\t\t\t[ 'role' => 'menuitem', 'aria-hidden' => 'false' ],\n \t\t\t\t[ 'role' => 'menuitem', 'aria-hidden' => 'false' ],\n \t\t\t],\n\u003cspan class=\"gi\"\u003e+\t\t\t[ 'div',\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t[\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t\t'data-wikitext' => 'wikitext',\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t\t'DATA-WIKITEXT-2' => 'WIKITEXT-2',\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t\t'data-mw' => 'disallow impersonating parsoid',\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t\t'DATA-mw' => 'disallow impersonating PARSOID',\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t\t'data-mw-extension' => 'disallow impersonating extension',\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t\t'data-:namespaced' => 'disallow namespace',\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t\t'data- invalid' => 'disallow XSS',\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t\t'data-\/invalid' => 'disallow XSS',\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t\t'data->invalid' => 'disallow XSS',\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t],\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t[\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t\t'data-wikitext' => 'wikitext',\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t\t'DATA-WIKITEXT-2' => 'WIKITEXT-2',\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t\t# other attributes removed\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t]\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t],\u003c\/span\u003e\n \t\t];\n \t}\u003c\/pre\u003e\u003c\/div\u003e\n\n\u003cp\u003eI have \u003cstrong\u003enot\u003c\/strong\u003e yet run anything resembling a full test suite against this, only \u003ctt class=\"remarkup-monospaced\"\u003eSanitizerTest\u003c\/tt\u003e so far. We should definitely do that, given that we can\u2019t test this in CI but the fix has the potential to break existing wikitext.\u003c\/p\u003e\u003c\/div\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_263\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-minor-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/kdzx7a7qf2cj5da2yaxs\/PHID-FILE-di7i6lalpobcj7zcksct\/alphanumeric_lato-dark_U.png-_cdaede-0%2C0%2C0%2C0.png)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/Urbanecm\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003ca name=\"11057078\" id=\"11057078\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-user-plus phui-timeline-icon\" data-meta=\"0_262\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/Urbanecm\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_80\"\u003eUrbanecm\u003c\/a\u003e added a subscriber: \u003ca href=\"\/p\/OSleger-WMF\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_81\"\u003eOSleger-WMF\u003c\/a\u003e.\u003cspan class=\"phui-timeline-extra\"\u003e\u003ca href=\"#11057078\" data-sigil=\"has-tooltip\" data-meta=\"0_261\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 10:40 AM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 10:40:11 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_274\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-major-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/g6ioxnnlsjzf64uutm3w\/PHID-FILE-xbztmssvk5tbukl46vxd\/profile)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/Lucas_Werkmeister_WMDE\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-badges\"\u003e\u003cul class=\"phui-badge-flex-view grouped flex-view-collapsed \"\u003e\u003cli class=\"phui-badge-flex-item\"\u003e\u003ca class=\"phui-badge-mini phui-badge-mini-orange \" href=\"\/badges\/view\/5\/\" aria-label=\"Backport Deployer\" data-sigil=\"has-tooltip\" data-meta=\"0_272\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-rocket\" data-meta=\"0_273\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003cdiv class=\"phui-timeline-inner-content\"\u003e\u003ca name=\"11057087\" id=\"11057087\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon phui-timeline-title-with-menu\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-comment phui-timeline-icon\" data-meta=\"0_271\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/Lucas_Werkmeister_WMDE\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_82\"\u003eLucas_Werkmeister_WMDE\u003c\/a\u003e added a comment.\u003cspan class=\"phui-timeline-extra\"\u003e\u003ca href=\"#11057087\" data-sigil=\"has-tooltip\" data-meta=\"0_270\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 10:45 AM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 10:45:18 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003ca href=\"#\" class=\"phui-timeline-menu\" aria-haspopup=\"true\" aria-expanded=\"false\" data-sigil=\"phui-dropdown-menu\" data-meta=\"0_268\"\u003e\u003cspan class=\"aural-only\"\u003eComment Actions\u003c\/span\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-caret-down\" data-meta=\"0_269\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-core-content\"\u003e\u003cspan class=\"transaction-comment\" data-sigil=\"transaction-comment\" data-meta=\"0_83\"\u003e\u003cdiv class=\"phabricator-remarkup\"\u003e\u003cblockquote\u003e\u003cp\u003eWe should definitely do that\u003c\/p\u003e\u003c\/blockquote\u003e\n\n\u003cp\u003eAnd by \u201cwe\u201d, I probably mean \u201csomebody else\u201d (someone from the Content Transform Team?), because apparently my local wiki is not set up for that (when I run \u003ctt class=\"remarkup-monospaced\"\u003ecomposer phpunit -- --testsuite parsertests\u003c\/tt\u003e, I get 20 failures and hundreds of errors, mostly \u201cperTestSetup is already done\u201d that I don\u2019t understand) :\/\u003c\/p\u003e\u003c\/div\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_283\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-major-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/zgaghsadinsmyhw2sjbo\/PHID-FILE-mcjdula35r2psvh4k5fx\/profile)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/dragon-fish\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003cdiv class=\"phui-timeline-inner-content\"\u003e\u003ca name=\"11057092\" id=\"11057092\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon phui-timeline-title-with-menu\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-comment phui-timeline-icon\" data-meta=\"0_282\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/dragon-fish\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_84\"\u003edragon-fish\u003c\/a\u003e added a comment.\u003cspan class=\"phui-timeline-extra\"\u003e\u003ca href=\"#11057092\" data-sigil=\"has-tooltip\" data-meta=\"0_281\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 10:45 AM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 10:45:53 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003ca href=\"#\" class=\"phui-timeline-menu\" aria-haspopup=\"true\" aria-expanded=\"false\" data-sigil=\"phui-dropdown-menu\" data-meta=\"0_279\"\u003e\u003cspan class=\"aural-only\"\u003eComment Actions\u003c\/span\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-caret-down\" data-meta=\"0_280\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-core-content\"\u003e\u003cspan class=\"transaction-comment\" data-sigil=\"transaction-comment\" data-meta=\"0_85\"\u003e\u003cdiv class=\"phabricator-remarkup\"\u003e\u003cp\u003eThe unit test does not cover the following cases:\u003c\/p\u003e\n\n\u003cdiv class=\"remarkup-code-block\" data-code-lang=\"text\" data-sigil=\"remarkup-code-block\"\u003e\u003cpre class=\"remarkup-code\"\u003e{{ #tag: poem | poem | data-><\/div><script>alert(123)<\/script><div = }}\u003c\/pre\u003e\u003c\/div\u003e\n\n\n\n\u003cblockquote class=\"remarkup-reply-block\"\u003e\n\u003cdiv class=\"remarkup-reply-head\"\u003eIn \u003ca href=\"\/T401099#11057074\" class=\"phui-tag-view phui-tag-type-object \" data-sigil=\"hovercard\" data-meta=\"0_6\"\u003e\u003cspan class=\"phui-tag-core-closed\"\u003e\u003cspan class=\"phui-tag-core phui-tag-color-object\"\u003eT401099#11057074\u003c\/span\u003e\u003c\/span\u003e\u003c\/a\u003e, \u003ca href=\"\/p\/Lucas_Werkmeister_WMDE\/\" class=\"phui-tag-view phui-tag-type-person \" data-sigil=\"hovercard\" data-meta=\"0_7\"\u003e\u003cspan class=\"phui-tag-core phui-tag-color-person\"\u003e@Lucas_Werkmeister_WMDE\u003c\/span\u003e\u003c\/a\u003e wrote:\u003c\/div\u003e\n\u003cdiv class=\"remarkup-reply-body\"\u003e\u003cp\u003eHere\u2019s a slightly more thorough attempt at a fix, with the logic rewritten to hopefully be less confusing:\u003c\/p\u003e\n\n\u003cdiv class=\"remarkup-code-block\" data-code-lang=\"diff\" data-sigil=\"remarkup-code-block\"\u003e\u003cpre class=\"remarkup-code\"\u003e\u003cspan\u003e\u003c\/span\u003e\u003cspan class=\"gh\"\u003ediff --git i\/includes\/parser\/Sanitizer.php w\/includes\/parser\/Sanitizer.php\u003c\/span\u003e\n\u003cspan class=\"gh\"\u003eindex 2d6934bb93..c87ec3964b 100644\u003c\/span\u003e\n\u003cspan class=\"gd\"\u003e--- i\/includes\/parser\/Sanitizer.php\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+++ w\/includes\/parser\/Sanitizer.php\u003c\/span\u003e\n\u003cspan class=\"gu\"\u003e@@ -507,15 +507,22 @@ public static function validateAttributes( array $attribs, array $allowed ): arr\u003c\/span\u003e\n \t\t\t\tcontinue;\n \t\t\t}\n \n\u003cspan class=\"gd\"\u003e-\t\t\t# Allow any attribute beginning with "data-"\u003c\/span\u003e\n\u003cspan class=\"gd\"\u003e-\t\t\t# However:\u003c\/span\u003e\n\u003cspan class=\"gd\"\u003e-\t\t\t# * Disallow data attributes used by MediaWiki code\u003c\/span\u003e\n\u003cspan class=\"gd\"\u003e-\t\t\t# * Ensure that the attribute is not namespaced by banning\u003c\/span\u003e\n\u003cspan class=\"gd\"\u003e-\t\t\t#   colons.\u003c\/span\u003e\n\u003cspan class=\"gd\"\u003e-\t\t\tif ( (\u003c\/span\u003e\n\u003cspan class=\"gd\"\u003e-\t\t\t\t!preg_match( '\/^data-[^:]*$\/i', $attribute ) &&\u003c\/span\u003e\n\u003cspan class=\"gd\"\u003e-\t\t\t\t!array_key_exists( $attribute, $allowed )\u003c\/span\u003e\n\u003cspan class=\"gd\"\u003e-\t\t\t) || self::isReservedDataAttribute( $attribute ) ) {\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\tif ( str_starts_with( $attribute, 'data-' ) ) {\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t\/\/ disallow data attributes used by MediaWiki code\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\tif ( self::isReservedDataAttribute( $attribute ) ) {\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t\tcontinue;\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t}\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t\/\/ disallow namespaced attributes by banning colons\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\tif ( str_contains( $attribute, ':' ) ) {\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t\tcontinue;\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t}\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t\/\/ disallow invalid attribute name (T401099)\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\tif ( !preg_match( self::getAttribNameRegex(), $attribute ) ) {\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t\tcontinue;\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t}\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t\/\/ allow any other valid attribute beginning with "data-"\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t} elseif ( !array_key_exists( $attribute, $allowed ) ) {\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t\/\/ disallow all non-allowed non-data attributes\u003c\/span\u003e\n \t\t\t\tcontinue;\n \t\t\t}\n \n\u003cspan class=\"gh\"\u003ediff --git i\/tests\/phpunit\/includes\/parser\/SanitizerTest.php w\/tests\/phpunit\/includes\/parser\/SanitizerTest.php\u003c\/span\u003e\n\u003cspan class=\"gh\"\u003eindex 24b5acf140..a8cb70e323 100644\u003c\/span\u003e\n\u003cspan class=\"gd\"\u003e--- i\/tests\/phpunit\/includes\/parser\/SanitizerTest.php\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+++ w\/tests\/phpunit\/includes\/parser\/SanitizerTest.php\u003c\/span\u003e\n\u003cspan class=\"gu\"\u003e@@ -160,6 +160,20 @@ public static function provideValidateTagAttributes() {\u003c\/span\u003e\n \t\t\t\t[ 'role' => 'menuitem', 'aria-hidden' => 'false' ],\n \t\t\t\t[ 'role' => 'menuitem', 'aria-hidden' => 'false' ],\n \t\t\t],\n\u003cspan class=\"gi\"\u003e+\t\t\t[ 'div',\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t[\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t\t'data-wikitext' => 'wikitext',\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t\t'data-mw' => 'disallow impersonating parsoid',\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t\t'data-mw-extension' => 'disallow impersonating extension',\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t\t'data-:namespaced' => 'disallow namespace',\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t\t'data- invalid' => 'disallow XSS',\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t\t'data-\/invalid' => 'disallow XSS',\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t],\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t[\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t\t'data-wikitext' => 'wikitext',\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t\t# other attributes removed\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t\t]\u003c\/span\u003e\n\u003cspan class=\"gi\"\u003e+\t\t\t],\u003c\/span\u003e\n \t\t];\n \t}\u003c\/pre\u003e\u003c\/div\u003e\n\n\u003cp\u003eI have \u003cstrong\u003enot\u003c\/strong\u003e yet run anything resembling a full test suite against this, only \u003ctt class=\"remarkup-monospaced\"\u003eSanitizerTest\u003c\/tt\u003e so far. We should definitely do that, given that we can\u2019t test this in CI but the fix has the potential to break existing wikitext.\u003c\/p\u003e\u003c\/div\u003e\n\u003c\/blockquote\u003e\n\n\u003c\/div\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_294\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-major-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/g6ioxnnlsjzf64uutm3w\/PHID-FILE-xbztmssvk5tbukl46vxd\/profile)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/Lucas_Werkmeister_WMDE\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-badges\"\u003e\u003cul class=\"phui-badge-flex-view grouped flex-view-collapsed \"\u003e\u003cli class=\"phui-badge-flex-item\"\u003e\u003ca class=\"phui-badge-mini phui-badge-mini-orange \" href=\"\/badges\/view\/5\/\" aria-label=\"Backport Deployer\" data-sigil=\"has-tooltip\" data-meta=\"0_292\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-rocket\" data-meta=\"0_293\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003cdiv class=\"phui-timeline-inner-content\"\u003e\u003ca name=\"11057119\" id=\"11057119\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon phui-timeline-title-with-menu\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-comment phui-timeline-icon\" data-meta=\"0_291\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/Lucas_Werkmeister_WMDE\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_86\"\u003eLucas_Werkmeister_WMDE\u003c\/a\u003e added a comment.\u003cspan class=\"phui-timeline-extra\"\u003e\u003ca href=\"#11057119\" data-sigil=\"has-tooltip\" data-meta=\"0_290\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 10:52 AM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 10:52:30 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003ca href=\"#\" class=\"phui-timeline-menu\" aria-haspopup=\"true\" aria-expanded=\"false\" data-sigil=\"phui-dropdown-menu\" data-meta=\"0_288\"\u003e\u003cspan class=\"aural-only\"\u003eComment Actions\u003c\/span\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-caret-down\" data-meta=\"0_289\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-core-content\"\u003e\u003cspan class=\"transaction-comment\" data-sigil=\"transaction-comment\" data-meta=\"0_87\"\u003e\u003cdiv class=\"phabricator-remarkup\"\u003e\u003cblockquote class=\"remarkup-reply-block\"\u003e\n\u003cdiv class=\"remarkup-reply-head\"\u003eIn \u003ca href=\"\/T401099#11057092\" class=\"phui-tag-view phui-tag-type-object \" data-sigil=\"hovercard\" data-meta=\"0_8\"\u003e\u003cspan class=\"phui-tag-core-closed\"\u003e\u003cspan class=\"phui-tag-core phui-tag-color-object\"\u003eT401099#11057092\u003c\/span\u003e\u003c\/span\u003e\u003c\/a\u003e, \u003ca href=\"\/p\/dragon-fish\/\" class=\"phui-tag-view phui-tag-type-person \" data-sigil=\"hovercard\" data-meta=\"0_9\"\u003e\u003cspan class=\"phui-tag-core phui-tag-color-person\"\u003e@dragon-fish\u003c\/span\u003e\u003c\/a\u003e wrote:\u003c\/div\u003e\n\u003cdiv class=\"remarkup-reply-body\"\u003e\u003cp\u003eThe unit test does not cover the following cases:\u003c\/p\u003e\n\n\u003cdiv class=\"remarkup-code-block\" data-code-lang=\"text\" data-sigil=\"remarkup-code-block\"\u003e\u003cpre class=\"remarkup-code\"\u003e{{ #tag: poem | poem | data-><\/div><script>alert(123)<\/script><div = }}\u003c\/pre\u003e\u003c\/div\u003e\u003c\/div\u003e\n\u003c\/blockquote\u003e\n\n\u003cp\u003eI updated the comment to cover that (and also add a \u003ctt class=\"remarkup-monospaced\"\u003estrtolower()\u003c\/tt\u003e to match the \u003ctt class=\"remarkup-monospaced\"\u003edata-\u003c\/tt\u003e case-insensitively like the old code did, and add a test case for that). (At some point new versions should be posted as new comments instead, but right now I didn\u2019t feel like including that wall of text a second time.)\u003c\/p\u003e\u003c\/div\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell-removed phui-timeline-shell phui-timeline-grey\" data-sigil=\"transaction anchor-container\" data-meta=\"0_297\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-major-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/fxebb5lcfhtwwjzw53vy\/PHID-FILE-cnwypocea7npe636h5ki\/profile)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/gui-ying233\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003cdiv class=\"phui-timeline-inner-content\"\u003e\u003ca name=\"11057120\" id=\"11057120\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon\"\u003e\u003cspan class=\"phui-timeline-icon-fill fill-has-color phui-timeline-icon-fill-grey\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-trash phui-timeline-icon\" data-meta=\"0_296\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/gui-ying233\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_88\"\u003egui-ying233\u003c\/a\u003e added a comment.\u003cspan class=\"phui-timeline-extra\"\u003e\u003ca href=\"#11057120\" data-sigil=\"has-tooltip\" data-meta=\"0_295\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 10:52 AM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 10:52:54 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-core-content\"\u003e\u003cspan class=\"comment-deleted\" data-sigil=\"transaction-comment\" data-meta=\"0_89\"\u003eThis comment was removed by \u003ca href=\"\/p\/gui-ying233\/\" class=\"phui-handle phui-link-person\"\u003egui-ying233\u003c\/a\u003e.\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_300\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-minor-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/w6styp4m7erojfy572qs\/PHID-FILE-3qzdluizj4vqc54l5wz2\/profile)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/Clement_Goubert\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003ca name=\"11057121\" id=\"11057121\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-user-plus phui-timeline-icon\" data-meta=\"0_299\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/Clement_Goubert\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_90\"\u003eClement_Goubert\u003c\/a\u003e added a subscriber: \u003ca href=\"\/p\/Jgiannelos\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_91\"\u003eJgiannelos\u003c\/a\u003e.\u003cspan class=\"phui-timeline-extra\"\u003e\u003ca href=\"#11057121\" data-sigil=\"has-tooltip\" data-meta=\"0_298\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 10:53 AM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 10:53:05 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_303\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-minor-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/32ma7fpuzxevmzjow4hj\/PHID-FILE-ejkcs7pcsa3shp324bda\/profile)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/taavi\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003ca name=\"11057138\" id=\"11057138\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-user-plus phui-timeline-icon\" data-meta=\"0_302\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/taavi\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_92\"\u003etaavi\u003c\/a\u003e subscribed.\u003cspan class=\"phui-timeline-extra\"\u003e\u003ca href=\"#11057138\" data-sigil=\"has-tooltip\" data-meta=\"0_301\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 11:04 AM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 11:04:22 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_306\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-minor-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/2gffy5bww6ck2ynuxnpz\/PHID-FILE-jyvkjrrdy7c4mbtu7gb3\/profile)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/RhinosF1\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003ca name=\"11057150\" id=\"11057150\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-user-plus phui-timeline-icon\" data-meta=\"0_305\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/RhinosF1\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_93\"\u003eRhinosF1\u003c\/a\u003e added a subscriber: \u003ca href=\"\/p\/SomeRandomDeveloper\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_94\"\u003eSomeRandomDeveloper\u003c\/a\u003e.\u003cspan class=\"phui-timeline-extra\"\u003e\u003ca href=\"#11057150\" data-sigil=\"has-tooltip\" data-meta=\"0_304\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 11:10 AM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 11:10:04 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_309\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-minor-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"display: none;\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003ca name=\"11057151\" id=\"11057151\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-user-plus phui-timeline-icon\" data-meta=\"0_308\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003cspan class=\"phui-handle\" data-sigil=\"hovercard\" data-meta=\"0_95\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-lock lightgreytext\" data-meta=\"0_96\" aria-hidden=\"true\"\u003e\u003c\/span\u003eRestricted Application\u003c\/span\u003e added a subscriber: \u003ca href=\"\/p\/RhinosF1\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_97\"\u003eRhinosF1\u003c\/a\u003e. \u003cspan class=\"phui-timeline-extra-information\"\u003e \u00b7  \u003ca href=\"\/herald\/transcript\/6685251\/\"\u003eView Herald Transcript\u003c\/a\u003e\u003c\/span\u003e\u003cspan class=\"phui-timeline-extra\"\u003e\u003ca href=\"#11057151\" data-sigil=\"has-tooltip\" data-meta=\"0_307\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 11:10 AM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 11:10:06 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_319\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-major-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/2qdpkmhkhams73ycpez5\/PHID-FILE-jo3wcxilbadw2wxpcudw\/9b7d73-alphanumeric_lato-white_S.png-0%2C0%2C0%2C0.3.png)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/SomeRandomDeveloper\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003cdiv class=\"phui-timeline-inner-content\"\u003e\u003ca name=\"11057164\" id=\"11057164\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon phui-timeline-title-with-menu\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-comment phui-timeline-icon\" data-meta=\"0_318\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/SomeRandomDeveloper\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_98\"\u003eSomeRandomDeveloper\u003c\/a\u003e added a comment.\u003cspan class=\"phui-timeline-extra\"\u003eEdited\u003cspan class=\"visual-only\" aria-hidden=\"true\"\u003e \u00b7 \u003c\/span\u003e\u003ca href=\"#11057164\" data-sigil=\"has-tooltip\" data-meta=\"0_317\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 11:19 AM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 11:19:09 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003ca href=\"#\" class=\"phui-timeline-menu\" aria-haspopup=\"true\" aria-expanded=\"false\" data-sigil=\"phui-dropdown-menu\" data-meta=\"0_315\"\u003e\u003cspan class=\"aural-only\"\u003eComment Actions\u003c\/span\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-caret-down\" data-meta=\"0_316\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-core-content\"\u003e\u003cspan class=\"transaction-comment\" data-sigil=\"transaction-comment\" data-meta=\"0_99\"\u003e\u003cdiv class=\"phabricator-remarkup\"\u003e\u003cp\u003eNote that this issue appears to have been publicly disclosed in the code of the extension mentioned in the task description: \u003ca href=\"https:\/\/github.com\/moegirlwiki\/mediawiki-extension-MoeImgTag\/commit\/daec7111d39feb8befa3b7b155fef269e47c011b\" class=\"remarkup-link remarkup-link-ext\" target=\"_blank\" rel=\"noreferrer\"\u003ehttps:\/\/github.com\/moegirlwiki\/mediawiki-extension-MoeImgTag\/commit\/daec7111d39feb8befa3b7b155fef269e47c011b\u003c\/a\u003e\u003cbr \/\u003e\nTranslated version of some of the comments in the code:\u003cbr \/\u003e\n\u003cdiv class=\"phabricator-remarkup-embed-layout-left\"\u003e\u003ca href=\"https:\/\/phab.wmfusercontent.org\/file\/data\/f7e4lg3hq4lxe6kwdhmo\/PHID-FILE-xtuxozwcaxgf3gkbifek\/image.png\" class=\"phabricator-remarkup-embed-image\" data-sigil=\"lightboxable\" data-meta=\"0_10\"\u003e\u003cimg src=\"https:\/\/phab.wmfusercontent.org\/file\/data\/fhirg7ubobgfpiktnzx3\/PHID-FILE-pogspcsxnwjq6pawca4j\/preview-image.png\" width=\"220\" height=\"128.46484935438\" alt=\"image.png (814\u00d71 px, 111 KB)\" \/\u003e\u003c\/a\u003e\u003c\/div\u003e\u003c\/p\u003e\n\n\u003cp\u003eIt was also reported in a public channel by a user on the Miraheze discord server, but without any details or reproduction steps.\u003c\/p\u003e\u003c\/div\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_328\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-major-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/2qdpkmhkhams73ycpez5\/PHID-FILE-jo3wcxilbadw2wxpcudw\/9b7d73-alphanumeric_lato-white_S.png-0%2C0%2C0%2C0.3.png)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/SomeRandomDeveloper\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003cdiv class=\"phui-timeline-inner-content\"\u003e\u003ca name=\"11057173\" id=\"11057173\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon phui-timeline-title-with-menu\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-comment phui-timeline-icon\" data-meta=\"0_327\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/SomeRandomDeveloper\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_100\"\u003eSomeRandomDeveloper\u003c\/a\u003e added a comment.\u003cspan class=\"phui-timeline-extra\"\u003e\u003ca href=\"#11057173\" data-sigil=\"has-tooltip\" data-meta=\"0_326\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 11:27 AM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 11:27:45 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003ca href=\"#\" class=\"phui-timeline-menu\" aria-haspopup=\"true\" aria-expanded=\"false\" data-sigil=\"phui-dropdown-menu\" data-meta=\"0_324\"\u003e\u003cspan class=\"aural-only\"\u003eComment Actions\u003c\/span\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-caret-down\" data-meta=\"0_325\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-core-content\"\u003e\u003cspan class=\"transaction-comment\" data-sigil=\"transaction-comment\" data-meta=\"0_101\"\u003e\u003cdiv class=\"phabricator-remarkup\"\u003e\u003cblockquote class=\"remarkup-reply-block\"\u003e\n\u003cdiv class=\"remarkup-reply-head\"\u003eIn \u003ca href=\"\/T401099#11057164\" class=\"phui-tag-view phui-tag-type-object \" data-sigil=\"hovercard\" data-meta=\"0_11\"\u003e\u003cspan class=\"phui-tag-core-closed\"\u003e\u003cspan class=\"phui-tag-core phui-tag-color-object\"\u003eT401099#11057164\u003c\/span\u003e\u003c\/span\u003e\u003c\/a\u003e, \u003ca href=\"\/p\/SomeRandomDeveloper\/\" class=\"phui-tag-view phui-tag-type-person \" data-sigil=\"hovercard\" data-meta=\"0_12\"\u003e\u003cspan class=\"phui-tag-core phui-tag-color-person\"\u003e@SomeRandomDeveloper\u003c\/span\u003e\u003c\/a\u003e wrote:\u003c\/div\u003e\n\u003cdiv class=\"remarkup-reply-body\"\u003e\u003cp\u003eNote that this issue appears to have been publicly disclosed in the code of the extension mentioned in the task description: \u003ca href=\"https:\/\/github.com\/moegirlwiki\/mediawiki-extension-MoeImgTag\/commit\/daec7111d39feb8befa3b7b155fef269e47c011b\" class=\"remarkup-link remarkup-link-ext\" target=\"_blank\" rel=\"noreferrer\"\u003ehttps:\/\/github.com\/moegirlwiki\/mediawiki-extension-MoeImgTag\/commit\/daec7111d39feb8befa3b7b155fef269e47c011b\u003c\/a\u003e\u003c\/p\u003e\u003c\/div\u003e\n\u003c\/blockquote\u003e\n\n\u003cp\u003e\u003ca href=\"\/p\/dragon-fish\/\" class=\"phui-tag-view phui-tag-type-person \" data-sigil=\"hovercard\" data-meta=\"0_13\"\u003e\u003cspan class=\"phui-tag-core phui-tag-color-person\"\u003e@dragon-fish\u003c\/span\u003e\u003c\/a\u003e please remove this commit or any comments explaining the issue from the repository\u003c\/p\u003e\u003c\/div\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_337\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-major-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/byqpa2pjbgsi7hg3mmk5\/PHID-FILE-xyomd44xllz6jdjo6krf\/4f8ed0-alphanumeric_lato-dark_J.png-0%2C0%2C0%2C0.png)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/Jgiannelos\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003cdiv class=\"phui-timeline-inner-content\"\u003e\u003ca name=\"11057217\" id=\"11057217\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon phui-timeline-title-with-menu\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-comment phui-timeline-icon\" data-meta=\"0_336\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/Jgiannelos\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_102\"\u003eJgiannelos\u003c\/a\u003e added a comment.\u003cspan class=\"phui-timeline-extra\"\u003e\u003ca href=\"#11057217\" data-sigil=\"has-tooltip\" data-meta=\"0_335\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 11:52 AM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 11:52:24 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003ca href=\"#\" class=\"phui-timeline-menu\" aria-haspopup=\"true\" aria-expanded=\"false\" data-sigil=\"phui-dropdown-menu\" data-meta=\"0_333\"\u003e\u003cspan class=\"aural-only\"\u003eComment Actions\u003c\/span\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-caret-down\" data-meta=\"0_334\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-core-content\"\u003e\u003cspan class=\"transaction-comment\" data-sigil=\"transaction-comment\" data-meta=\"0_103\"\u003e\u003cdiv class=\"phabricator-remarkup\"\u003e\u003cblockquote class=\"remarkup-reply-block\"\u003e\n\u003cdiv class=\"remarkup-reply-head\"\u003eIn \u003ca href=\"\/T401099#11057119\" class=\"phui-tag-view phui-tag-type-object \" data-sigil=\"hovercard\" data-meta=\"0_15\"\u003e\u003cspan class=\"phui-tag-core-closed\"\u003e\u003cspan class=\"phui-tag-core phui-tag-color-object\"\u003eT401099#11057119\u003c\/span\u003e\u003c\/span\u003e\u003c\/a\u003e, \u003ca href=\"\/p\/Lucas_Werkmeister_WMDE\/\" class=\"phui-tag-view phui-tag-type-person \" data-sigil=\"hovercard\" data-meta=\"0_17\"\u003e\u003cspan class=\"phui-tag-core phui-tag-color-person\"\u003e@Lucas_Werkmeister_WMDE\u003c\/span\u003e\u003c\/a\u003e wrote:\u003c\/div\u003e\n\u003cdiv class=\"remarkup-reply-body\"\u003e\u003cblockquote class=\"remarkup-reply-block\"\u003e\n\u003cdiv class=\"remarkup-reply-head\"\u003eIn \u003ca href=\"\/T401099#11057092\" class=\"phui-tag-view phui-tag-type-object \" data-sigil=\"hovercard\" data-meta=\"0_14\"\u003e\u003cspan class=\"phui-tag-core-closed\"\u003e\u003cspan class=\"phui-tag-core phui-tag-color-object\"\u003eT401099#11057092\u003c\/span\u003e\u003c\/span\u003e\u003c\/a\u003e, \u003ca href=\"\/p\/dragon-fish\/\" class=\"phui-tag-view phui-tag-type-person \" data-sigil=\"hovercard\" data-meta=\"0_16\"\u003e\u003cspan class=\"phui-tag-core phui-tag-color-person\"\u003e@dragon-fish\u003c\/span\u003e\u003c\/a\u003e wrote:\u003c\/div\u003e\n\u003cdiv class=\"remarkup-reply-body\"\u003e\u003cp\u003eThe unit test does not cover the following cases:\u003c\/p\u003e\n\n\u003cdiv class=\"remarkup-code-block\" data-code-lang=\"text\" data-sigil=\"remarkup-code-block\"\u003e\u003cpre class=\"remarkup-code\"\u003e{{ #tag: poem | poem | data-><\/div><script>alert(123)<\/script><div = }}\u003c\/pre\u003e\u003c\/div\u003e\u003c\/div\u003e\n\u003c\/blockquote\u003e\n\n\u003cp\u003eI updated the comment to cover that (and also add a \u003ctt class=\"remarkup-monospaced\"\u003estrtolower()\u003c\/tt\u003e to match the \u003ctt class=\"remarkup-monospaced\"\u003edata-\u003c\/tt\u003e case-insensitively like the old code did, and add a test case for that). (At some point new versions should be posted as new comments instead, but right now I didn\u2019t feel like including that wall of text a second time.)\u003c\/p\u003e\u003c\/div\u003e\n\u003c\/blockquote\u003e\n\n\u003cp\u003eWould it make sense to escape the \u003ctt class=\"remarkup-monospaced\"\u003edata-{attr}\u003c\/tt\u003e name as well? Meanwhile I cherry picked the diff locally and running tests.\u003c\/p\u003e\u003c\/div\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_348\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-major-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/g6ioxnnlsjzf64uutm3w\/PHID-FILE-xbztmssvk5tbukl46vxd\/profile)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/Lucas_Werkmeister_WMDE\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-badges\"\u003e\u003cul class=\"phui-badge-flex-view grouped flex-view-collapsed \"\u003e\u003cli class=\"phui-badge-flex-item\"\u003e\u003ca class=\"phui-badge-mini phui-badge-mini-orange \" href=\"\/badges\/view\/5\/\" aria-label=\"Backport Deployer\" data-sigil=\"has-tooltip\" data-meta=\"0_346\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-rocket\" data-meta=\"0_347\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003cdiv class=\"phui-timeline-inner-content\"\u003e\u003ca name=\"11057247\" id=\"11057247\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon phui-timeline-title-with-menu\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-comment phui-timeline-icon\" data-meta=\"0_345\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/Lucas_Werkmeister_WMDE\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_104\"\u003eLucas_Werkmeister_WMDE\u003c\/a\u003e added a comment.\u003cspan class=\"phui-timeline-extra\"\u003e\u003ca href=\"#11057247\" data-sigil=\"has-tooltip\" data-meta=\"0_344\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 12:00 PM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 12:00:47 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003ca href=\"#\" class=\"phui-timeline-menu\" aria-haspopup=\"true\" aria-expanded=\"false\" data-sigil=\"phui-dropdown-menu\" data-meta=\"0_342\"\u003e\u003cspan class=\"aural-only\"\u003eComment Actions\u003c\/span\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-caret-down\" data-meta=\"0_343\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-core-content\"\u003e\u003cspan class=\"transaction-comment\" data-sigil=\"transaction-comment\" data-meta=\"0_105\"\u003e\u003cdiv class=\"phabricator-remarkup\"\u003e\u003cblockquote class=\"remarkup-reply-block\"\u003e\n\u003cdiv class=\"remarkup-reply-head\"\u003eIn \u003ca href=\"\/T401099#11057217\" class=\"phui-tag-view phui-tag-type-object \" data-sigil=\"hovercard\" data-meta=\"0_18\"\u003e\u003cspan class=\"phui-tag-core-closed\"\u003e\u003cspan class=\"phui-tag-core phui-tag-color-object\"\u003eT401099#11057217\u003c\/span\u003e\u003c\/span\u003e\u003c\/a\u003e, \u003ca href=\"\/p\/Jgiannelos\/\" class=\"phui-tag-view phui-tag-type-person \" data-sigil=\"hovercard\" data-meta=\"0_19\"\u003e\u003cspan class=\"phui-tag-core phui-tag-color-person\"\u003e@Jgiannelos\u003c\/span\u003e\u003c\/a\u003e wrote:\u003c\/div\u003e\n\u003cdiv class=\"remarkup-reply-body\"\u003e\u003cp\u003eWould it make sense to escape the \u003ctt class=\"remarkup-monospaced\"\u003edata-{attr}\u003c\/tt\u003e name as well?\u003c\/p\u003e\u003c\/div\u003e\n\u003c\/blockquote\u003e\n\n\u003cp\u003eNot sure if that makes sense to do in this method\u2026 the combination of \u003ctt class=\"remarkup-monospaced\"\u003eself::getAttribNameRegex()\u003c\/tt\u003e + \u003ctt class=\"remarkup-monospaced\"\u003e$allowed\u003c\/tt\u003e should ensure that it\u2019s safe, right?\u003c\/p\u003e\n\n\u003cblockquote\u003e\u003cp\u003eMeanwhile I cherry picked the diff locally and running tests.\u003c\/p\u003e\u003c\/blockquote\u003e\n\n\u003cp\u003eThanks!\u003c\/p\u003e\u003c\/div\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_359\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-major-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/g6ioxnnlsjzf64uutm3w\/PHID-FILE-xbztmssvk5tbukl46vxd\/profile)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/Lucas_Werkmeister_WMDE\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-badges\"\u003e\u003cul class=\"phui-badge-flex-view grouped flex-view-collapsed \"\u003e\u003cli class=\"phui-badge-flex-item\"\u003e\u003ca class=\"phui-badge-mini phui-badge-mini-orange \" href=\"\/badges\/view\/5\/\" aria-label=\"Backport Deployer\" data-sigil=\"has-tooltip\" data-meta=\"0_357\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-rocket\" data-meta=\"0_358\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003cdiv class=\"phui-timeline-inner-content\"\u003e\u003ca name=\"11057250\" id=\"11057250\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon phui-timeline-title-with-menu\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-comment phui-timeline-icon\" data-meta=\"0_356\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/Lucas_Werkmeister_WMDE\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_106\"\u003eLucas_Werkmeister_WMDE\u003c\/a\u003e added a comment.\u003cspan class=\"phui-timeline-extra\"\u003e\u003ca href=\"#11057250\" data-sigil=\"has-tooltip\" data-meta=\"0_355\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 12:04 PM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 12:04:03 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003ca href=\"#\" class=\"phui-timeline-menu\" aria-haspopup=\"true\" aria-expanded=\"false\" data-sigil=\"phui-dropdown-menu\" data-meta=\"0_353\"\u003e\u003cspan class=\"aural-only\"\u003eComment Actions\u003c\/span\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-caret-down\" data-meta=\"0_354\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-core-content\"\u003e\u003cspan class=\"transaction-comment\" data-sigil=\"transaction-comment\" data-meta=\"0_107\"\u003e\u003cdiv class=\"phabricator-remarkup\"\u003e\u003cp\u003e(Disclaimer: I have no idea how \u003ctt class=\"remarkup-monospaced\"\u003e{{#tag:}}\u003c\/tt\u003e, \u003ctt class=\"remarkup-monospaced\"\u003e{{#categorytree:}}\u003c\/tt\u003e, etc. end up calling this method; I don\u2019t know if it would be feasible to sanitize attribute names in those callers or in some shared place used by all of them.)\u003c\/p\u003e\u003c\/div\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_362\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-minor-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/g6ioxnnlsjzf64uutm3w\/PHID-FILE-xbztmssvk5tbukl46vxd\/profile)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/Lucas_Werkmeister_WMDE\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003ca name=\"11057254\" id=\"11057254\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-link phui-timeline-icon\" data-meta=\"0_361\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/Lucas_Werkmeister_WMDE\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_108\"\u003eLucas_Werkmeister_WMDE\u003c\/a\u003e added a project: \u003ca href=\"\/tag\/vuln-xss\/\" class=\"phui-handle\" data-sigil=\"hovercard\" data-meta=\"0_109\"\u003eVuln-XSS\u003c\/a\u003e.\u003cspan class=\"phui-timeline-extra\"\u003e\u003ca href=\"#11057254\" data-sigil=\"has-tooltip\" data-meta=\"0_360\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 12:04 PM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 12:04:54 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_371\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-major-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/2qdpkmhkhams73ycpez5\/PHID-FILE-jo3wcxilbadw2wxpcudw\/9b7d73-alphanumeric_lato-white_S.png-0%2C0%2C0%2C0.3.png)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/SomeRandomDeveloper\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003cdiv class=\"phui-timeline-inner-content\"\u003e\u003ca name=\"11057284\" id=\"11057284\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon phui-timeline-title-with-menu\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-comment phui-timeline-icon\" data-meta=\"0_370\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/SomeRandomDeveloper\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_110\"\u003eSomeRandomDeveloper\u003c\/a\u003e added a comment.\u003cspan class=\"phui-timeline-extra\"\u003e\u003ca href=\"#11057284\" data-sigil=\"has-tooltip\" data-meta=\"0_369\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 12:10 PM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 12:10:59 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003ca href=\"#\" class=\"phui-timeline-menu\" aria-haspopup=\"true\" aria-expanded=\"false\" data-sigil=\"phui-dropdown-menu\" data-meta=\"0_367\"\u003e\u003cspan class=\"aural-only\"\u003eComment Actions\u003c\/span\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-caret-down\" data-meta=\"0_368\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-core-content\"\u003e\u003cspan class=\"transaction-comment\" data-sigil=\"transaction-comment\" data-meta=\"0_111\"\u003e\u003cdiv class=\"phabricator-remarkup\"\u003e\u003cblockquote class=\"remarkup-reply-block\"\u003e\n\u003cdiv class=\"remarkup-reply-head\"\u003eIn \u003ca href=\"\/T401099#11057250\" class=\"phui-tag-view phui-tag-type-object \" data-sigil=\"hovercard\" data-meta=\"0_21\"\u003e\u003cspan class=\"phui-tag-core-closed\"\u003e\u003cspan class=\"phui-tag-core phui-tag-color-object\"\u003eT401099#11057250\u003c\/span\u003e\u003c\/span\u003e\u003c\/a\u003e, \u003ca href=\"\/p\/Lucas_Werkmeister_WMDE\/\" class=\"phui-tag-view phui-tag-type-person \" data-sigil=\"hovercard\" data-meta=\"0_22\"\u003e\u003cspan class=\"phui-tag-core phui-tag-color-person\"\u003e@Lucas_Werkmeister_WMDE\u003c\/span\u003e\u003c\/a\u003e wrote:\u003c\/div\u003e\n\u003cdiv class=\"remarkup-reply-body\"\u003e\u003cp\u003e(Disclaimer: I have no idea how \u003ctt class=\"remarkup-monospaced\"\u003e{{#tag:}}\u003c\/tt\u003e, \u003ctt class=\"remarkup-monospaced\"\u003e{{#categorytree:}}\u003c\/tt\u003e, etc. end up calling this method; I don\u2019t know if it would be feasible to sanitize attribute names in those callers or in some shared place used by all of them.)\u003c\/p\u003e\u003c\/div\u003e\n\u003c\/blockquote\u003e\n\n\u003cp\u003e\u003ctt class=\"remarkup-monospaced\"\u003e{{#tag:}}\u003c\/tt\u003e doesn't call this method, the actual extension tag implementations do. For example, the \u003ctt class=\"remarkup-monospaced\"\u003e<pre>\u003c\/tt\u003e tag in core uses the method here: \u003ca href=\"https:\/\/gerrit.wikimedia.org\/g\/mediawiki\/core\/+\/6c67026d5cee755043b2bdd9db3b15ff761a3344\/includes\/parser\/CoreTagHooks.php#84\" class=\"remarkup-link remarkup-link-ext\" target=\"_blank\" rel=\"noreferrer\"\u003ehttps:\/\/gerrit.wikimedia.org\/g\/mediawiki\/core\/+\/6c67026d5cee755043b2bdd9db3b15ff761a3344\/includes\/parser\/CoreTagHooks.php#84\u003c\/a\u003e\u003cbr \/\u003e\nThough I'm not sure why it's possible to get a script tag from an attribute into the content of the element? Shouldn't Html::rawElement take care of this and escape attributes sufficiently, so that it's not possible to insert anything into the element's contents?\u003cbr \/\u003e\ne.g. \u003ctt class=\"remarkup-monospaced\"\u003e{{#tag:pre|test|data-><\/div><script>alert('pre')<\/script><div data-onclick=alert("pre")}}\u003c\/tt\u003e results in the following HTML:\u003cbr \/\u003e\n\u003cdiv class=\"phabricator-remarkup-embed-layout-left\"\u003e\u003ca href=\"https:\/\/phab.wmfusercontent.org\/file\/data\/ioclari22iekk5b4hdke\/PHID-FILE-xuuiw3vqiycespnkungw\/image.png\" class=\"phabricator-remarkup-embed-image\" data-sigil=\"lightboxable\" data-meta=\"0_20\"\u003e\u003cimg src=\"https:\/\/phab.wmfusercontent.org\/file\/data\/f3kxnmayrketubad7tnn\/PHID-FILE-pszuifnhnjyk4zgypkek\/preview-image.png\" width=\"220\" height=\"88.709677419355\" alt=\"image.png (125\u00d7310 px, 13 KB)\" \/\u003e\u003c\/a\u003e\u003c\/div\u003e\u003cbr \/\u003e\nAnd this payload doesn't require clicking an element.\u003c\/p\u003e\u003c\/div\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_382\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-major-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/g6ioxnnlsjzf64uutm3w\/PHID-FILE-xbztmssvk5tbukl46vxd\/profile)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/Lucas_Werkmeister_WMDE\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-badges\"\u003e\u003cul class=\"phui-badge-flex-view grouped flex-view-collapsed \"\u003e\u003cli class=\"phui-badge-flex-item\"\u003e\u003ca class=\"phui-badge-mini phui-badge-mini-orange \" href=\"\/badges\/view\/5\/\" aria-label=\"Backport Deployer\" data-sigil=\"has-tooltip\" data-meta=\"0_380\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-rocket\" data-meta=\"0_381\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003cdiv class=\"phui-timeline-inner-content\"\u003e\u003ca name=\"11057309\" id=\"11057309\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon phui-timeline-title-with-menu\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-comment phui-timeline-icon\" data-meta=\"0_379\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/Lucas_Werkmeister_WMDE\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_112\"\u003eLucas_Werkmeister_WMDE\u003c\/a\u003e added a comment.\u003cspan class=\"phui-timeline-extra\"\u003e\u003ca href=\"#11057309\" data-sigil=\"has-tooltip\" data-meta=\"0_378\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 12:17 PM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 12:17:42 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003ca href=\"#\" class=\"phui-timeline-menu\" aria-haspopup=\"true\" aria-expanded=\"false\" data-sigil=\"phui-dropdown-menu\" data-meta=\"0_376\"\u003e\u003cspan class=\"aural-only\"\u003eComment Actions\u003c\/span\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-caret-down\" data-meta=\"0_377\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-core-content\"\u003e\u003cspan class=\"transaction-comment\" data-sigil=\"transaction-comment\" data-meta=\"0_113\"\u003e\u003cdiv class=\"phabricator-remarkup\"\u003e\u003cp\u003eActually, I don\u2019t think there\u2019s any such thing as escaping an attribute name? E.g. \u003ctt class=\"remarkup-monospaced\"\u003e<p data-foobar="baz">\u003c\/tt\u003e just results in literal \u003ctt class=\"remarkup-monospaced\"\u003efoobar\u003c\/tt\u003e in the element\u2019s dataset, as far as I can tell.\u003c\/p\u003e\n\n\u003cp\u003eArguably the \u003ctt class=\"remarkup-monospaced\"\u003eHtml\u003c\/tt\u003e class should \u003cem\u003ereject\u003c\/em\u003e such attributes (at a performance cost, due to checking for this all the time). But I don\u2019t think there\u2019s a way in HTML for it to \u201cescape\u201d them \u201ccorrectly\u201d.\u003c\/p\u003e\u003c\/div\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_385\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-minor-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/247abt7phqlbitgglyxa\/PHID-FILE-tx36db6dprvfuxu72bcj\/alphanumeric_aleo-white_D.png-_ec9da1-0%2C0%2C0%2C0.png)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/Daimona\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003ca name=\"11057321\" id=\"11057321\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-user-plus phui-timeline-icon\" data-meta=\"0_384\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/Daimona\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_114\"\u003eDaimona\u003c\/a\u003e subscribed.\u003cspan class=\"phui-timeline-extra\"\u003e\u003ca href=\"#11057321\" data-sigil=\"has-tooltip\" data-meta=\"0_383\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 12:19 PM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 12:19:54 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_394\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-major-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/fwwz2ddroqkco424td5l\/PHID-FILE-ihw6dwrnsec5r7eupjqn\/aed0a0-alphanumeric_lato-white_F.png-0%2C0%2C0%2C0.3.png)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/Func\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003cdiv class=\"phui-timeline-inner-content\"\u003e\u003ca name=\"11057334\" id=\"11057334\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon phui-timeline-title-with-menu\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-comment phui-timeline-icon\" data-meta=\"0_393\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/Func\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_115\"\u003eFunc\u003c\/a\u003e added a comment.\u003cspan class=\"phui-timeline-extra\"\u003e\u003ca href=\"#11057334\" data-sigil=\"has-tooltip\" data-meta=\"0_392\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 12:25 PM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 12:25:11 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003ca href=\"#\" class=\"phui-timeline-menu\" aria-haspopup=\"true\" aria-expanded=\"false\" data-sigil=\"phui-dropdown-menu\" data-meta=\"0_390\"\u003e\u003cspan class=\"aural-only\"\u003eComment Actions\u003c\/span\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-caret-down\" data-meta=\"0_391\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-core-content\"\u003e\u003cspan class=\"transaction-comment\" data-sigil=\"transaction-comment\" data-meta=\"0_116\"\u003e\u003cdiv class=\"phabricator-remarkup\"\u003e\u003cp\u003eI think we should also fix the \u003ca href=\"https:\/\/gerrit.wikimedia.org\/g\/mediawiki\/core\/+\/6c67026d5cee755043b2bdd9db3b15ff761a3344\/includes\/parser\/Sanitizer.php#1114\" class=\"remarkup-link remarkup-link-ext\" target=\"_blank\" rel=\"noreferrer\"\u003eSanitizer::safeEncodeTagAttributes\u003c\/a\u003e function, it's not as safe as it sounds, if at all.\u003c\/p\u003e\u003c\/div\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_403\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-major-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/zgaghsadinsmyhw2sjbo\/PHID-FILE-mcjdula35r2psvh4k5fx\/profile)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/dragon-fish\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003cdiv class=\"phui-timeline-inner-content\"\u003e\u003ca name=\"11057357\" id=\"11057357\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon phui-timeline-title-with-menu\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-comment phui-timeline-icon\" data-meta=\"0_402\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/dragon-fish\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_117\"\u003edragon-fish\u003c\/a\u003e added a comment.\u003cspan class=\"phui-timeline-extra\"\u003e\u003ca href=\"#11057357\" data-sigil=\"has-tooltip\" data-meta=\"0_401\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 12:34 PM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 12:34:50 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003ca href=\"#\" class=\"phui-timeline-menu\" aria-haspopup=\"true\" aria-expanded=\"false\" data-sigil=\"phui-dropdown-menu\" data-meta=\"0_399\"\u003e\u003cspan class=\"aural-only\"\u003eComment Actions\u003c\/span\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-caret-down\" data-meta=\"0_400\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-core-content\"\u003e\u003cspan class=\"transaction-comment\" data-sigil=\"transaction-comment\" data-meta=\"0_118\"\u003e\u003cdiv class=\"phabricator-remarkup\"\u003e\u003cblockquote class=\"remarkup-reply-block\"\u003e\n\u003cdiv class=\"remarkup-reply-head\"\u003eIn \u003ca href=\"\/T401099#11057173\" class=\"phui-tag-view phui-tag-type-object \" data-sigil=\"hovercard\" data-meta=\"0_24\"\u003e\u003cspan class=\"phui-tag-core-closed\"\u003e\u003cspan class=\"phui-tag-core phui-tag-color-object\"\u003eT401099#11057173\u003c\/span\u003e\u003c\/span\u003e\u003c\/a\u003e, \u003ca href=\"\/p\/SomeRandomDeveloper\/\" class=\"phui-tag-view phui-tag-type-person \" data-sigil=\"hovercard\" data-meta=\"0_27\"\u003e\u003cspan class=\"phui-tag-core phui-tag-color-person\"\u003e@SomeRandomDeveloper\u003c\/span\u003e\u003c\/a\u003e wrote:\u003c\/div\u003e\n\u003cdiv class=\"remarkup-reply-body\"\u003e\u003cblockquote class=\"remarkup-reply-block\"\u003e\n\u003cdiv class=\"remarkup-reply-head\"\u003eIn \u003ca href=\"\/T401099#11057164\" class=\"phui-tag-view phui-tag-type-object \" data-sigil=\"hovercard\" data-meta=\"0_23\"\u003e\u003cspan class=\"phui-tag-core-closed\"\u003e\u003cspan class=\"phui-tag-core phui-tag-color-object\"\u003eT401099#11057164\u003c\/span\u003e\u003c\/span\u003e\u003c\/a\u003e, \u003ca href=\"\/p\/SomeRandomDeveloper\/\" class=\"phui-tag-view phui-tag-type-person \" data-sigil=\"hovercard\" data-meta=\"0_25\"\u003e\u003cspan class=\"phui-tag-core phui-tag-color-person\"\u003e@SomeRandomDeveloper\u003c\/span\u003e\u003c\/a\u003e wrote:\u003c\/div\u003e\n\u003cdiv class=\"remarkup-reply-body\"\u003e\u003cp\u003eNote that this issue appears to have been publicly disclosed in the code of the extension mentioned in the task description: \u003ca href=\"https:\/\/github.com\/moegirlwiki\/mediawiki-extension-MoeImgTag\/commit\/daec7111d39feb8befa3b7b155fef269e47c011b\" class=\"remarkup-link remarkup-link-ext\" target=\"_blank\" rel=\"noreferrer\"\u003ehttps:\/\/github.com\/moegirlwiki\/mediawiki-extension-MoeImgTag\/commit\/daec7111d39feb8befa3b7b155fef269e47c011b\u003c\/a\u003e\u003c\/p\u003e\u003c\/div\u003e\n\u003c\/blockquote\u003e\n\n\u003cp\u003e\u003ca href=\"\/p\/dragon-fish\/\" class=\"phui-tag-view phui-tag-type-person \" data-sigil=\"hovercard\" data-meta=\"0_26\"\u003e\u003cspan class=\"phui-tag-core phui-tag-color-person\"\u003e@dragon-fish\u003c\/span\u003e\u003c\/a\u003e please remove this commit or any comments explaining the issue from the repository\u003c\/p\u003e\u003c\/div\u003e\n\u003c\/blockquote\u003e\n\n\u003cp\u003eDidn't realize it. The codes has been reverted.\u003c\/p\u003e\u003c\/div\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_414\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-major-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/g6ioxnnlsjzf64uutm3w\/PHID-FILE-xbztmssvk5tbukl46vxd\/profile)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/Lucas_Werkmeister_WMDE\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-badges\"\u003e\u003cul class=\"phui-badge-flex-view grouped flex-view-collapsed \"\u003e\u003cli class=\"phui-badge-flex-item\"\u003e\u003ca class=\"phui-badge-mini phui-badge-mini-orange \" href=\"\/badges\/view\/5\/\" aria-label=\"Backport Deployer\" data-sigil=\"has-tooltip\" data-meta=\"0_412\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-rocket\" data-meta=\"0_413\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003cdiv class=\"phui-timeline-inner-content\"\u003e\u003ca name=\"11057358\" id=\"11057358\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon phui-timeline-title-with-menu\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-link phui-timeline-icon\" data-meta=\"0_411\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/Lucas_Werkmeister_WMDE\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_119\"\u003eLucas_Werkmeister_WMDE\u003c\/a\u003e added a project: \u003ca href=\"\/tag\/patch-for-review\/\" class=\"phui-handle\" data-sigil=\"hovercard\" data-meta=\"0_120\"\u003ePatch-For-Review\u003c\/a\u003e.\u003cspan class=\"phui-timeline-extra\"\u003e\u003ca href=\"#11057358\" data-sigil=\"has-tooltip\" data-meta=\"0_410\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 12:34 PM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 12:34:56 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003ca href=\"#\" class=\"phui-timeline-menu\" aria-haspopup=\"true\" aria-expanded=\"false\" data-sigil=\"phui-dropdown-menu\" data-meta=\"0_408\"\u003e\u003cspan class=\"aural-only\"\u003eComment Actions\u003c\/span\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-caret-down\" data-meta=\"0_409\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-core-content\"\u003e\u003cspan class=\"transaction-comment\" data-sigil=\"transaction-comment\" data-meta=\"0_121\"\u003e\u003cdiv class=\"phabricator-remarkup\"\u003e\u003cp\u003eI formatted the diff from \u003ca href=\"\/T401099#11057074\" class=\"phui-tag-view phui-tag-type-object \" data-sigil=\"hovercard\" data-meta=\"0_28\"\u003e\u003cspan class=\"phui-tag-core-closed\"\u003e\u003cspan class=\"phui-tag-core phui-tag-color-object\"\u003eT401099#11057074\u003c\/span\u003e\u003c\/span\u003e\u003c\/a\u003e as a patch that could be security-deployed, if code review is positive:\u003cbr \/\u003e\n\u003cdiv href=\"https:\/\/phab.wmfusercontent.org\/file\/data\/wdnvyfbniy2nso5yeduo\/PHID-FILE-lhmbtc6zekhirw4eu6dn\/0001-SECURITY-Sanitize-data-attributes.patch\" target=\"_blank\" rel=\"noreferrer\" class=\"phabricator-remarkup-embed-layout-link \" data-sigil=\"lightboxable\" data-meta=\"0_29\" data-mustcapture=\"1\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-file-text-o phabricator-remarkup-embed-layout-icon\" data-meta=\"0_30\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003cspan class=\"phabricator-remarkup-embed-layout-info-block\"\u003e\u003cspan class=\"phabricator-remarkup-embed-layout-name\"\u003e0001-SECURITY-Sanitize-data-attributes.patch\u003c\/span\u003e\u003cspan class=\"phabricator-remarkup-embed-layout-info\"\u003e3 KB\u003c\/span\u003e\u003c\/span\u003e\u003ca class=\"phabricator-remarkup-embed-layout-download\" href=\"https:\/\/phab.wmfusercontent.org\/file\/download\/wdnvyfbniy2nso5yeduo\/PHID-FILE-lhmbtc6zekhirw4eu6dn\/0001-SECURITY-Sanitize-data-attributes.patch\"\u003eDownload\u003c\/a\u003e\u003c\/div\u003e\u003c\/p\u003e\u003c\/div\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_423\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-major-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/2qdpkmhkhams73ycpez5\/PHID-FILE-jo3wcxilbadw2wxpcudw\/9b7d73-alphanumeric_lato-white_S.png-0%2C0%2C0%2C0.3.png)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/SomeRandomDeveloper\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003cdiv class=\"phui-timeline-inner-content\"\u003e\u003ca name=\"11057363\" id=\"11057363\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon phui-timeline-title-with-menu\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-comment phui-timeline-icon\" data-meta=\"0_422\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/SomeRandomDeveloper\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_122\"\u003eSomeRandomDeveloper\u003c\/a\u003e added a comment.\u003cspan class=\"phui-timeline-extra\"\u003e\u003ca href=\"#11057363\" data-sigil=\"has-tooltip\" data-meta=\"0_421\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 12:41 PM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 12:41:06 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003ca href=\"#\" class=\"phui-timeline-menu\" aria-haspopup=\"true\" aria-expanded=\"false\" data-sigil=\"phui-dropdown-menu\" data-meta=\"0_419\"\u003e\u003cspan class=\"aural-only\"\u003eComment Actions\u003c\/span\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-caret-down\" data-meta=\"0_420\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-core-content\"\u003e\u003cspan class=\"transaction-comment\" data-sigil=\"transaction-comment\" data-meta=\"0_123\"\u003e\u003cdiv class=\"phabricator-remarkup\"\u003e\u003cblockquote class=\"remarkup-reply-block\"\u003e\n\u003cdiv class=\"remarkup-reply-head\"\u003eIn \u003ca href=\"\/T401099#11057309\" class=\"phui-tag-view phui-tag-type-object \" data-sigil=\"hovercard\" data-meta=\"0_31\"\u003e\u003cspan class=\"phui-tag-core-closed\"\u003e\u003cspan class=\"phui-tag-core phui-tag-color-object\"\u003eT401099#11057309\u003c\/span\u003e\u003c\/span\u003e\u003c\/a\u003e, \u003ca href=\"\/p\/Lucas_Werkmeister_WMDE\/\" class=\"phui-tag-view phui-tag-type-person \" data-sigil=\"hovercard\" data-meta=\"0_32\"\u003e\u003cspan class=\"phui-tag-core phui-tag-color-person\"\u003e@Lucas_Werkmeister_WMDE\u003c\/span\u003e\u003c\/a\u003e wrote:\u003c\/div\u003e\n\u003cdiv class=\"remarkup-reply-body\"\u003e\u003cp\u003eActually, I don\u2019t think there\u2019s any such thing as escaping an attribute name? E.g. \u003ctt class=\"remarkup-monospaced\"\u003e<p data-foobar="baz">\u003c\/tt\u003e just results in literal \u003ctt class=\"remarkup-monospaced\"\u003efoobar\u003c\/tt\u003e in the element\u2019s dataset, as far as I can tell.\u003c\/p\u003e\n\n\u003cp\u003eArguably the \u003ctt class=\"remarkup-monospaced\"\u003eHtml\u003c\/tt\u003e class should \u003cem\u003ereject\u003c\/em\u003e such attributes (at a performance cost, due to checking for this all the time). But I don\u2019t think there\u2019s a way in HTML for it to \u201cescape\u201d them \u201ccorrectly\u201d.\u003c\/p\u003e\u003c\/div\u003e\n\u003c\/blockquote\u003e\n\n\u003cp\u003eSince $attribs is marked as \u003ctt class=\"remarkup-monospaced\"\u003e @param-taint $attribs escapes_html\u003c\/tt\u003e, I would've assumed that everything is escaped, not only the values, and that it would be safe to supply any attribute name without being able to close the tag of the element. Either the documentation or the method should probably be updated to clarify this.\u003c\/p\u003e\u003c\/div\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_432\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-major-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/byqpa2pjbgsi7hg3mmk5\/PHID-FILE-xyomd44xllz6jdjo6krf\/4f8ed0-alphanumeric_lato-dark_J.png-0%2C0%2C0%2C0.png)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/Jgiannelos\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003cdiv class=\"phui-timeline-inner-content\"\u003e\u003ca name=\"11057455\" id=\"11057455\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon phui-timeline-title-with-menu\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-comment phui-timeline-icon\" data-meta=\"0_431\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/Jgiannelos\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_124\"\u003eJgiannelos\u003c\/a\u003e added a comment.\u003cspan class=\"phui-timeline-extra\"\u003e\u003ca href=\"#11057455\" data-sigil=\"has-tooltip\" data-meta=\"0_430\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 1:15 PM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 13:15:27 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003ca href=\"#\" class=\"phui-timeline-menu\" aria-haspopup=\"true\" aria-expanded=\"false\" data-sigil=\"phui-dropdown-menu\" data-meta=\"0_428\"\u003e\u003cspan class=\"aural-only\"\u003eComment Actions\u003c\/span\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-caret-down\" data-meta=\"0_429\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-core-content\"\u003e\u003cspan class=\"transaction-comment\" data-sigil=\"transaction-comment\" data-meta=\"0_125\"\u003e\u003cdiv class=\"phabricator-remarkup\"\u003e\u003cp\u003eSome comments for the patch:\u003c\/p\u003e\n\n\u003cul class=\"remarkup-list\"\u003e\n\u003cli class=\"remarkup-list-item\"\u003eI think that before, sanitizer will always continue when \u003ctt class=\"remarkup-monospaced\"\u003eself::isReservedDataAttribute\u003c\/tt\u003e here the check is only when it matches the \u003ctt class=\"remarkup-monospaced\"\u003edata-\u003c\/tt\u003e prefix\u003c\/li\u003e\n\u003cli class=\"remarkup-list-item\"\u003eIt probably makes sense this to be moved to a static function since its getting a bit more complicated (plus the phpdoc would clarify what's happening)\u003c\/li\u003e\n\u003cli class=\"remarkup-list-item\"\u003eYou could combine the \u003ctt class=\"remarkup-monospaced\"\u003edata-\u003c\/tt\u003e prefix check with the namespace (\u003ctt class=\"remarkup-monospaced\"\u003e:\u003c\/tt\u003e) check and the strtolower with a regex that is case insensitive and combines all requirements of the pattern\u003c\/li\u003e\n\u003c\/ul\u003e\n\n\u003cp\u003eRegarding testing, I run tests locally and I didn't get anything worrysome (other than some missing localization messages, which should be my env's issue)\u003c\/p\u003e\u003c\/div\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_443\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-major-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/g6ioxnnlsjzf64uutm3w\/PHID-FILE-xbztmssvk5tbukl46vxd\/profile)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/Lucas_Werkmeister_WMDE\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-badges\"\u003e\u003cul class=\"phui-badge-flex-view grouped flex-view-collapsed \"\u003e\u003cli class=\"phui-badge-flex-item\"\u003e\u003ca class=\"phui-badge-mini phui-badge-mini-orange \" href=\"\/badges\/view\/5\/\" aria-label=\"Backport Deployer\" data-sigil=\"has-tooltip\" data-meta=\"0_441\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-rocket\" data-meta=\"0_442\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003cdiv class=\"phui-timeline-inner-content\"\u003e\u003ca name=\"11057474\" id=\"11057474\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon phui-timeline-title-with-menu\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-comment phui-timeline-icon\" data-meta=\"0_440\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/Lucas_Werkmeister_WMDE\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_126\"\u003eLucas_Werkmeister_WMDE\u003c\/a\u003e added a comment.\u003cspan class=\"phui-timeline-extra\"\u003e\u003ca href=\"#11057474\" data-sigil=\"has-tooltip\" data-meta=\"0_439\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 1:22 PM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 13:22:34 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003ca href=\"#\" class=\"phui-timeline-menu\" aria-haspopup=\"true\" aria-expanded=\"false\" data-sigil=\"phui-dropdown-menu\" data-meta=\"0_437\"\u003e\u003cspan class=\"aural-only\"\u003eComment Actions\u003c\/span\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-caret-down\" data-meta=\"0_438\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-core-content\"\u003e\u003cspan class=\"transaction-comment\" data-sigil=\"transaction-comment\" data-meta=\"0_127\"\u003e\u003cdiv class=\"phabricator-remarkup\"\u003e\u003cblockquote class=\"remarkup-reply-block\"\u003e\n\u003cdiv class=\"remarkup-reply-head\"\u003eIn \u003ca href=\"\/T401099#11057455\" class=\"phui-tag-view phui-tag-type-object \" data-sigil=\"hovercard\" data-meta=\"0_33\"\u003e\u003cspan class=\"phui-tag-core-closed\"\u003e\u003cspan class=\"phui-tag-core phui-tag-color-object\"\u003eT401099#11057455\u003c\/span\u003e\u003c\/span\u003e\u003c\/a\u003e, \u003ca href=\"\/p\/Jgiannelos\/\" class=\"phui-tag-view phui-tag-type-person \" data-sigil=\"hovercard\" data-meta=\"0_34\"\u003e\u003cspan class=\"phui-tag-core phui-tag-color-person\"\u003e@Jgiannelos\u003c\/span\u003e\u003c\/a\u003e wrote:\u003c\/div\u003e\n\u003cdiv class=\"remarkup-reply-body\"\u003e\u003cp\u003eSome comments for the patch:\u003c\/p\u003e\n\n\u003cul class=\"remarkup-list\"\u003e\n\u003cli class=\"remarkup-list-item\"\u003eI think that before, sanitizer will always continue when \u003ctt class=\"remarkup-monospaced\"\u003eself::isReservedDataAttribute\u003c\/tt\u003e here the check is only when it matches the \u003ctt class=\"remarkup-monospaced\"\u003edata-\u003c\/tt\u003e prefix\u003c\/li\u003e\n\u003c\/ul\u003e\u003c\/div\u003e\n\u003c\/blockquote\u003e\n\n\u003cp\u003eYes, but \u003ctt class=\"remarkup-monospaced\"\u003eisReservedDataAttribute()\u003c\/tt\u003e returns \u003ctt class=\"remarkup-monospaced\"\u003e(bool)preg_match( '\/^data-(ooui|mw|parsoid)\/i', $attr )\u003c\/tt\u003e, i.e. can only return true for a (case-insensitive) \u003ctt class=\"remarkup-monospaced\"\u003edata-\u003c\/tt\u003e prefix as well \u2013 right?\u003c\/p\u003e\n\n\u003cblockquote\u003e\u003cul class=\"remarkup-list\"\u003e\n\u003cli class=\"remarkup-list-item\"\u003eIt probably makes sense this to be moved to a static function since its getting a bit more complicated (plus the phpdoc would clarify what's happening)\u003c\/li\u003e\n\u003c\/ul\u003e\u003c\/blockquote\u003e\n\n\u003cp\u003eMaybe, though I think I\u2019d at least make it private, not public. I\u2019m not sure what it would be called and what it would return. Perhaps \u003ctt class=\"remarkup-monospaced\"\u003eisAllowedAttribute()\u003c\/tt\u003e, returning boolean, and if it returns false then \u003ctt class=\"remarkup-monospaced\"\u003econtinue\u003c\/tt\u003e?\u003c\/p\u003e\n\n\u003cblockquote\u003e\u003cul class=\"remarkup-list\"\u003e\n\u003cli class=\"remarkup-list-item\"\u003eYou could combine the \u003ctt class=\"remarkup-monospaced\"\u003edata-\u003c\/tt\u003e prefix check with the namespace (\u003ctt class=\"remarkup-monospaced\"\u003e:\u003c\/tt\u003e) check and the strtolower with a regex that is case insensitive and combines all requirements of the pattern\u003c\/li\u003e\n\u003c\/ul\u003e\u003c\/blockquote\u003e\n\n\u003cp\u003eThat\u2019s what the old code did and I considered it unreadable :) (It didn\u2019t help that I wasn\u2019t sure if \u003ctt class=\"remarkup-monospaced\"\u003econtinue\u003c\/tt\u003e meant accepting or rejecting this attribute name.) I was hoping that the new logic, with fewer nested ands+ors and negations, would be easier to understand.\u003c\/p\u003e\n\n\u003cblockquote\u003e\u003cp\u003eRegarding testing, I run tests locally and I didn't get anything worrysome (other than some missing localization messages, which should be my env's issue)\u003c\/p\u003e\u003c\/blockquote\u003e\n\n\u003cp\u003eThanks!\u003c\/p\u003e\u003c\/div\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_454\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-major-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/g6ioxnnlsjzf64uutm3w\/PHID-FILE-xbztmssvk5tbukl46vxd\/profile)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/Lucas_Werkmeister_WMDE\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-badges\"\u003e\u003cul class=\"phui-badge-flex-view grouped flex-view-collapsed \"\u003e\u003cli class=\"phui-badge-flex-item\"\u003e\u003ca class=\"phui-badge-mini phui-badge-mini-orange \" href=\"\/badges\/view\/5\/\" aria-label=\"Backport Deployer\" data-sigil=\"has-tooltip\" data-meta=\"0_452\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-rocket\" data-meta=\"0_453\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003cdiv class=\"phui-timeline-inner-content\"\u003e\u003ca name=\"11057483\" id=\"11057483\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon phui-timeline-title-with-menu\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-comment phui-timeline-icon\" data-meta=\"0_451\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/Lucas_Werkmeister_WMDE\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_128\"\u003eLucas_Werkmeister_WMDE\u003c\/a\u003e added a comment.\u003cspan class=\"phui-timeline-extra\"\u003e\u003ca href=\"#11057483\" data-sigil=\"has-tooltip\" data-meta=\"0_450\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 1:25 PM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 13:25:51 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003ca href=\"#\" class=\"phui-timeline-menu\" aria-haspopup=\"true\" aria-expanded=\"false\" data-sigil=\"phui-dropdown-menu\" data-meta=\"0_448\"\u003e\u003cspan class=\"aural-only\"\u003eComment Actions\u003c\/span\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-caret-down\" data-meta=\"0_449\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-core-content\"\u003e\u003cspan class=\"transaction-comment\" data-sigil=\"transaction-comment\" data-meta=\"0_129\"\u003e\u003cdiv class=\"phabricator-remarkup\"\u003e\u003cp\u003e(Or \u003ctt class=\"remarkup-monospaced\"\u003eisAllowedAttributeName()\u003c\/tt\u003e, given that we\u2019re not inspecting the value at that stage.)\u003c\/p\u003e\u003c\/div\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_464\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-major-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/6p2trpcntqjtlvakxda6\/PHID-FILE-wezkx3b7eyo34b6doywi\/profile)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/matmarex\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003cdiv class=\"phui-timeline-inner-content\"\u003e\u003ca name=\"11057487\" id=\"11057487\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon phui-timeline-title-with-menu\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-link phui-timeline-icon\" data-meta=\"0_462\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/matmarex\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_130\"\u003ematmarex\u003c\/a\u003e added a project: \u003ca href=\"\/tag\/content-transform-team\/\" class=\"phui-handle\" data-sigil=\"hovercard\" data-meta=\"0_131\"\u003eContent-Transform-Team\u003c\/a\u003e.\u003cspan class=\"phui-timeline-extra\"\u003e\u003ca href=\"#11057487\" data-sigil=\"has-tooltip\" data-meta=\"0_461\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 1:27 PM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 13:27:34 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon phui-timeline-title-with-menu\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-user-plus phui-timeline-icon\" data-meta=\"0_463\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/matmarex\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_133\"\u003ematmarex\u003c\/a\u003e subscribed.\u003c\/div\u003e\u003ca href=\"#\" class=\"phui-timeline-menu\" aria-haspopup=\"true\" aria-expanded=\"false\" data-sigil=\"phui-dropdown-menu\" data-meta=\"0_459\"\u003e\u003cspan class=\"aural-only\"\u003eComment Actions\u003c\/span\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-caret-down\" data-meta=\"0_460\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-core-content\"\u003e\u003cspan class=\"transaction-comment\" data-sigil=\"transaction-comment\" data-meta=\"0_132\"\u003e\u003cdiv class=\"phabricator-remarkup\"\u003e\u003cblockquote class=\"remarkup-reply-block\"\u003e\n\u003cdiv class=\"remarkup-reply-head\"\u003eIn \u003ca href=\"\/T401099#11057358\" class=\"phui-tag-view phui-tag-type-object \" data-sigil=\"hovercard\" data-meta=\"0_36\"\u003e\u003cspan class=\"phui-tag-core-closed\"\u003e\u003cspan class=\"phui-tag-core phui-tag-color-object\"\u003eT401099#11057358\u003c\/span\u003e\u003c\/span\u003e\u003c\/a\u003e, \u003ca href=\"\/p\/Lucas_Werkmeister_WMDE\/\" class=\"phui-tag-view phui-tag-type-person \" data-sigil=\"hovercard\" data-meta=\"0_39\"\u003e\u003cspan class=\"phui-tag-core phui-tag-color-person\"\u003e@Lucas_Werkmeister_WMDE\u003c\/span\u003e\u003c\/a\u003e wrote:\u003c\/div\u003e\n\u003cdiv class=\"remarkup-reply-body\"\u003e\u003cp\u003eI formatted the diff from \u003ca href=\"\/T401099#11057074\" class=\"phui-tag-view phui-tag-type-object \" data-sigil=\"hovercard\" data-meta=\"0_35\"\u003e\u003cspan class=\"phui-tag-core-closed\"\u003e\u003cspan class=\"phui-tag-core phui-tag-color-object\"\u003eT401099#11057074\u003c\/span\u003e\u003c\/span\u003e\u003c\/a\u003e as a patch that could be security-deployed, if code review is positive:\u003cbr \/\u003e\n\u003cdiv href=\"https:\/\/phab.wmfusercontent.org\/file\/data\/wdnvyfbniy2nso5yeduo\/PHID-FILE-lhmbtc6zekhirw4eu6dn\/0001-SECURITY-Sanitize-data-attributes.patch\" target=\"_blank\" rel=\"noreferrer\" class=\"phabricator-remarkup-embed-layout-link \" data-sigil=\"lightboxable\" data-meta=\"0_37\" data-mustcapture=\"1\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-file-text-o phabricator-remarkup-embed-layout-icon\" data-meta=\"0_38\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003cspan class=\"phabricator-remarkup-embed-layout-info-block\"\u003e\u003cspan class=\"phabricator-remarkup-embed-layout-name\"\u003e0001-SECURITY-Sanitize-data-attributes.patch\u003c\/span\u003e\u003cspan class=\"phabricator-remarkup-embed-layout-info\"\u003e3 KB\u003c\/span\u003e\u003c\/span\u003e\u003ca class=\"phabricator-remarkup-embed-layout-download\" href=\"https:\/\/phab.wmfusercontent.org\/file\/download\/wdnvyfbniy2nso5yeduo\/PHID-FILE-lhmbtc6zekhirw4eu6dn\/0001-SECURITY-Sanitize-data-attributes.patch\"\u003eDownload\u003c\/a\u003e\u003c\/div\u003e\u003c\/p\u003e\u003c\/div\u003e\n\u003c\/blockquote\u003e\n\n\u003cp\u003eLooks good to me.\u003c\/p\u003e\n\n\u003cp\u003eIf I'm reading it right, this is equivalent to changing the character range in the regexp from \u003ctt class=\"remarkup-monospaced\"\u003e[^:]\u003c\/tt\u003e to \u003ctt class=\"remarkup-monospaced\"\u003e[_\\.\\-\\p{L}\\p{N}]\u003c\/tt\u003e. This is more restrictive than the suggestions posted earlier in this task. It may have impact on some wikitext pages, but we already applied the same validation rules in other places, so hopefully it won't break anything (someone from \u003ca href=\"\/tag\/content-transform-team\/\" class=\"phui-tag-view phui-tag-type-shade phui-tag-violet phui-tag-shade phui-tag-icon-view \" data-sigil=\"hovercard\" data-meta=\"0_41\"\u003e\u003cspan class=\"phui-tag-core \"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-users\" data-meta=\"0_40\" aria-hidden=\"true\"\u003e\u003c\/span\u003eContent-Transform-Team\u003c\/span\u003e\u003c\/a\u003e may wish to evaluate this later).\u003c\/p\u003e\u003c\/div\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_473\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-major-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/fxebb5lcfhtwwjzw53vy\/PHID-FILE-cnwypocea7npe636h5ki\/profile)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/gui-ying233\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003cdiv class=\"phui-timeline-inner-content\"\u003e\u003ca name=\"11057522\" id=\"11057522\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon phui-timeline-title-with-menu\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-user phui-timeline-icon\" data-meta=\"0_472\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/gui-ying233\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_134\"\u003egui-ying233\u003c\/a\u003e edited subscribers, added: \u003ca href=\"\/p\/AnnAngela\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_135\"\u003eAnnAngela\u003c\/a\u003e, \u003ca href=\"\/p\/Bhsd\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_136\"\u003eBhsd\u003c\/a\u003e, \u003ca href=\"\/p\/lihaohong\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_137\"\u003elihaohong\u003c\/a\u003e, \u003ca href=\"\/p\/hoshimi\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_138\"\u003ehoshimi\u003c\/a\u003e; removed: \u003ca href=\"\/p\/Daimona\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_139\"\u003eDaimona\u003c\/a\u003e, \u003ca href=\"\/p\/RhinosF1\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_140\"\u003eRhinosF1\u003c\/a\u003e, \u003ca href=\"\/p\/SomeRandomDeveloper\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_141\"\u003eSomeRandomDeveloper\u003c\/a\u003e, \u003ca href=\"\/p\/taavi\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_142\"\u003etaavi\u003c\/a\u003e.\u003cspan class=\"phui-timeline-extra\"\u003e\u003ca href=\"#11057522\" data-sigil=\"has-tooltip\" data-meta=\"0_471\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 1:31 PM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 13:31:32 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003ca href=\"#\" class=\"phui-timeline-menu\" aria-haspopup=\"true\" aria-expanded=\"false\" data-sigil=\"phui-dropdown-menu\" data-meta=\"0_469\"\u003e\u003cspan class=\"aural-only\"\u003eComment Actions\u003c\/span\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-caret-down\" data-meta=\"0_470\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-core-content\"\u003e\u003cspan class=\"transaction-comment\" data-sigil=\"transaction-comment\" data-meta=\"0_143\"\u003e\u003cdiv class=\"phabricator-remarkup\"\u003e\u003cp\u003eAdded some friends who already knew and may be able to help with this vulnerability, since I assumed it was just an extension vulnerability.\u003c\/p\u003e\u003c\/div\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_482\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-major-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/fwwz2ddroqkco424td5l\/PHID-FILE-ihw6dwrnsec5r7eupjqn\/aed0a0-alphanumeric_lato-white_F.png-0%2C0%2C0%2C0.3.png)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/Func\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003cdiv class=\"phui-timeline-inner-content\"\u003e\u003ca name=\"11057543\" id=\"11057543\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon phui-timeline-title-with-menu\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-user-plus phui-timeline-icon\" data-meta=\"0_481\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/Func\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_144\"\u003eFunc\u003c\/a\u003e added subscribers: \u003ca href=\"\/p\/Daimona\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_145\"\u003eDaimona\u003c\/a\u003e, \u003ca href=\"\/p\/RhinosF1\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_146\"\u003eRhinosF1\u003c\/a\u003e, \u003ca href=\"\/p\/SomeRandomDeveloper\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_147\"\u003eSomeRandomDeveloper\u003c\/a\u003e, \u003ca href=\"\/p\/taavi\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_148\"\u003etaavi\u003c\/a\u003e.\u003cspan class=\"phui-timeline-extra\"\u003e\u003ca href=\"#11057543\" data-sigil=\"has-tooltip\" data-meta=\"0_480\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 1:34 PM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 13:34:21 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003ca href=\"#\" class=\"phui-timeline-menu\" aria-haspopup=\"true\" aria-expanded=\"false\" data-sigil=\"phui-dropdown-menu\" data-meta=\"0_478\"\u003e\u003cspan class=\"aural-only\"\u003eComment Actions\u003c\/span\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-caret-down\" data-meta=\"0_479\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-core-content\"\u003e\u003cspan class=\"transaction-comment\" data-sigil=\"transaction-comment\" data-meta=\"0_149\"\u003e\u003cdiv class=\"phabricator-remarkup\"\u003e\u003cp\u003e(fix edit conflict(?) on subscribers)\u003c\/p\u003e\u003c\/div\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_491\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-major-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/byqpa2pjbgsi7hg3mmk5\/PHID-FILE-xyomd44xllz6jdjo6krf\/4f8ed0-alphanumeric_lato-dark_J.png-0%2C0%2C0%2C0.png)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/Jgiannelos\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003cdiv class=\"phui-timeline-inner-content\"\u003e\u003ca name=\"11057579\" id=\"11057579\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon phui-timeline-title-with-menu\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-comment phui-timeline-icon\" data-meta=\"0_490\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/Jgiannelos\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_150\"\u003eJgiannelos\u003c\/a\u003e added a comment.\u003cspan class=\"phui-timeline-extra\"\u003e\u003ca href=\"#11057579\" data-sigil=\"has-tooltip\" data-meta=\"0_489\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 1:52 PM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 13:52:57 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003ca href=\"#\" class=\"phui-timeline-menu\" aria-haspopup=\"true\" aria-expanded=\"false\" data-sigil=\"phui-dropdown-menu\" data-meta=\"0_487\"\u003e\u003cspan class=\"aural-only\"\u003eComment Actions\u003c\/span\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-caret-down\" data-meta=\"0_488\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-core-content\"\u003e\u003cspan class=\"transaction-comment\" data-sigil=\"transaction-comment\" data-meta=\"0_151\"\u003e\u003cdiv class=\"phabricator-remarkup\"\u003e\u003cblockquote class=\"remarkup-reply-block\"\u003e\n\u003cdiv class=\"remarkup-reply-head\"\u003eIn \u003ca href=\"\/T401099#11057474\" class=\"phui-tag-view phui-tag-type-object \" data-sigil=\"hovercard\" data-meta=\"0_43\"\u003e\u003cspan class=\"phui-tag-core-closed\"\u003e\u003cspan class=\"phui-tag-core phui-tag-color-object\"\u003eT401099#11057474\u003c\/span\u003e\u003c\/span\u003e\u003c\/a\u003e, \u003ca href=\"\/p\/Lucas_Werkmeister_WMDE\/\" class=\"phui-tag-view phui-tag-type-person \" data-sigil=\"hovercard\" data-meta=\"0_45\"\u003e\u003cspan class=\"phui-tag-core phui-tag-color-person\"\u003e@Lucas_Werkmeister_WMDE\u003c\/span\u003e\u003c\/a\u003e wrote:\u003c\/div\u003e\n\u003cdiv class=\"remarkup-reply-body\"\u003e\u003cblockquote class=\"remarkup-reply-block\"\u003e\n\u003cdiv class=\"remarkup-reply-head\"\u003eIn \u003ca href=\"\/T401099#11057455\" class=\"phui-tag-view phui-tag-type-object \" data-sigil=\"hovercard\" data-meta=\"0_42\"\u003e\u003cspan class=\"phui-tag-core-closed\"\u003e\u003cspan class=\"phui-tag-core phui-tag-color-object\"\u003eT401099#11057455\u003c\/span\u003e\u003c\/span\u003e\u003c\/a\u003e, \u003ca href=\"\/p\/Jgiannelos\/\" class=\"phui-tag-view phui-tag-type-person \" data-sigil=\"hovercard\" data-meta=\"0_44\"\u003e\u003cspan class=\"phui-tag-core phui-tag-color-person\"\u003e@Jgiannelos\u003c\/span\u003e\u003c\/a\u003e wrote:\u003c\/div\u003e\n\u003cdiv class=\"remarkup-reply-body\"\u003e\u003cp\u003eSome comments for the patch:\u003c\/p\u003e\n\n\u003cul class=\"remarkup-list\"\u003e\n\u003cli class=\"remarkup-list-item\"\u003eI think that before, sanitizer will always continue when \u003ctt class=\"remarkup-monospaced\"\u003eself::isReservedDataAttribute\u003c\/tt\u003e here the check is only when it matches the \u003ctt class=\"remarkup-monospaced\"\u003edata-\u003c\/tt\u003e prefix\u003c\/li\u003e\n\u003c\/ul\u003e\u003c\/div\u003e\n\u003c\/blockquote\u003e\n\n\u003cp\u003eYes, but \u003ctt class=\"remarkup-monospaced\"\u003eisReservedDataAttribute()\u003c\/tt\u003e returns \u003ctt class=\"remarkup-monospaced\"\u003e(bool)preg_match( '\/^data-(ooui|mw|parsoid)\/i', $attr )\u003c\/tt\u003e, i.e. can only return true for a (case-insensitive) \u003ctt class=\"remarkup-monospaced\"\u003edata-\u003c\/tt\u003e prefix as well \u2013 right?\u003c\/p\u003e\n\n\u003cblockquote\u003e\u003cul class=\"remarkup-list\"\u003e\n\u003cli class=\"remarkup-list-item\"\u003eIt probably makes sense this to be moved to a static function since its getting a bit more complicated (plus the phpdoc would clarify what's happening)\u003c\/li\u003e\n\u003c\/ul\u003e\u003c\/blockquote\u003e\n\n\u003cp\u003eMaybe, though I think I\u2019d at least make it private, not public. I\u2019m not sure what it would be called and what it would return. Perhaps \u003ctt class=\"remarkup-monospaced\"\u003eisAllowedAttribute()\u003c\/tt\u003e, returning boolean, and if it returns false then \u003ctt class=\"remarkup-monospaced\"\u003econtinue\u003c\/tt\u003e?\u003c\/p\u003e\n\n\u003cblockquote\u003e\u003cul class=\"remarkup-list\"\u003e\n\u003cli class=\"remarkup-list-item\"\u003eYou could combine the \u003ctt class=\"remarkup-monospaced\"\u003edata-\u003c\/tt\u003e prefix check with the namespace (\u003ctt class=\"remarkup-monospaced\"\u003e:\u003c\/tt\u003e) check and the strtolower with a regex that is case insensitive and combines all requirements of the pattern\u003c\/li\u003e\n\u003c\/ul\u003e\u003c\/blockquote\u003e\n\n\u003cp\u003eThat\u2019s what the old code did and I considered it unreadable :) (It didn\u2019t help that I wasn\u2019t sure if \u003ctt class=\"remarkup-monospaced\"\u003econtinue\u003c\/tt\u003e meant accepting or rejecting this attribute name.) I was hoping that the new logic, with fewer nested ands+ors and negations, would be easier to understand.\u003c\/p\u003e\n\n\u003cblockquote\u003e\u003cp\u003eRegarding testing, I run tests locally and I didn't get anything worrysome (other than some missing localization messages, which should be my env's issue)\u003c\/p\u003e\u003c\/blockquote\u003e\n\n\u003cp\u003eThanks!\u003c\/p\u003e\u003c\/div\u003e\n\u003c\/blockquote\u003e\n\n\u003cp\u003eOverall I agree about the previous logic being very difficult to follow lets move this to a function with the details documented. Other than that it looks OK to me as well.\u003c\/p\u003e\u003c\/div\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_494\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-minor-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/w6styp4m7erojfy572qs\/PHID-FILE-3qzdluizj4vqc54l5wz2\/profile)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/Clement_Goubert\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003ca name=\"11057588\" id=\"11057588\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-user-plus phui-timeline-icon\" data-meta=\"0_493\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/Clement_Goubert\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_152\"\u003eClement_Goubert\u003c\/a\u003e added subscribers: \u003ca href=\"\/p\/ssastry\/\" class=\"phui-handle phui-link-person\"\u003essastry\u003c\/a\u003e, \u003ca href=\"\/p\/cscott\/\" class=\"phui-handle phui-link-person\"\u003ecscott\u003c\/a\u003e, \u003ca href=\"\/p\/MSantos\/\" class=\"phui-handle phui-link-person\"\u003eMSantos\u003c\/a\u003e and \u003ca href=\"\/subscriptions\/transaction\/add\/PHID-XACT-TASK-57hamsgbenofs26\/\" data-sigil=\"workflow\"\u003e2 others\u003c\/a\u003e.\u003cspan class=\"phui-timeline-extra\"\u003e\u003ca href=\"#11057588\" data-sigil=\"has-tooltip\" data-meta=\"0_492\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 1:55 PM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 13:55:02 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_505\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-major-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/g6ioxnnlsjzf64uutm3w\/PHID-FILE-xbztmssvk5tbukl46vxd\/profile)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/Lucas_Werkmeister_WMDE\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-badges\"\u003e\u003cul class=\"phui-badge-flex-view grouped flex-view-collapsed \"\u003e\u003cli class=\"phui-badge-flex-item\"\u003e\u003ca class=\"phui-badge-mini phui-badge-mini-orange \" href=\"\/badges\/view\/5\/\" aria-label=\"Backport Deployer\" data-sigil=\"has-tooltip\" data-meta=\"0_503\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-rocket\" data-meta=\"0_504\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003cdiv class=\"phui-timeline-inner-content\"\u003e\u003ca name=\"11057611\" id=\"11057611\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon phui-timeline-title-with-menu\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-comment phui-timeline-icon\" data-meta=\"0_502\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/Lucas_Werkmeister_WMDE\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_153\"\u003eLucas_Werkmeister_WMDE\u003c\/a\u003e added a comment.\u003cspan class=\"phui-timeline-extra\"\u003e\u003ca href=\"#11057611\" data-sigil=\"has-tooltip\" data-meta=\"0_501\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 2:02 PM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 14:02:32 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003ca href=\"#\" class=\"phui-timeline-menu\" aria-haspopup=\"true\" aria-expanded=\"false\" data-sigil=\"phui-dropdown-menu\" data-meta=\"0_499\"\u003e\u003cspan class=\"aural-only\"\u003eComment Actions\u003c\/span\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-caret-down\" data-meta=\"0_500\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-core-content\"\u003e\u003cspan class=\"transaction-comment\" data-sigil=\"transaction-comment\" data-meta=\"0_154\"\u003e\u003cdiv class=\"phabricator-remarkup\"\u003e\u003cp\u003eAlright, here\u2019s a new version of the patch that uses a separate function. I think this actually makes it even more readable, by allowing us to remove the negation for the \u003ctt class=\"remarkup-monospaced\"\u003earray_key_exists( $attribute, $allowed )\u003c\/tt\u003e check (previously, we could only continue or fall through, but now we can explicitly return true if it \u003cem\u003eis\u003c\/em\u003e in that list).\u003c\/p\u003e\n\n\u003cp\u003e\u003cdiv href=\"https:\/\/phab.wmfusercontent.org\/file\/data\/gxcfgqson22yuqcdwfhl\/PHID-FILE-5irbyefpvhozz7s2wt6s\/0001-SECURITY-Sanitize-data-attributes.patch\" target=\"_blank\" rel=\"noreferrer\" class=\"phabricator-remarkup-embed-layout-link \" data-sigil=\"lightboxable\" data-meta=\"0_46\" data-mustcapture=\"1\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-file-text-o phabricator-remarkup-embed-layout-icon\" data-meta=\"0_47\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003cspan class=\"phabricator-remarkup-embed-layout-info-block\"\u003e\u003cspan class=\"phabricator-remarkup-embed-layout-name\"\u003e0001-SECURITY-Sanitize-data-attributes.patch\u003c\/span\u003e\u003cspan class=\"phabricator-remarkup-embed-layout-info\"\u003e4 KB\u003c\/span\u003e\u003c\/span\u003e\u003ca class=\"phabricator-remarkup-embed-layout-download\" href=\"https:\/\/phab.wmfusercontent.org\/file\/download\/gxcfgqson22yuqcdwfhl\/PHID-FILE-5irbyefpvhozz7s2wt6s\/0001-SECURITY-Sanitize-data-attributes.patch\"\u003eDownload\u003c\/a\u003e\u003c\/div\u003e\u003c\/p\u003e\u003c\/div\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_515\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-major-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/z67mikd4lwdetm774u5v\/PHID-FILE-wzypambajaxwezctdezx\/profile-livejournal.jpg)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/cscott\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003cdiv class=\"phui-timeline-inner-content\"\u003e\u003ca name=\"11057645\" id=\"11057645\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon phui-timeline-title-with-menu\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-comment phui-timeline-icon\" data-meta=\"0_514\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/cscott\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_155\"\u003ecscott\u003c\/a\u003e added a comment.\u003cspan class=\"phui-timeline-extra\"\u003eEdited\u003cspan class=\"visual-only\" aria-hidden=\"true\"\u003e \u00b7 \u003c\/span\u003e\u003ca href=\"#11057645\" data-sigil=\"has-tooltip\" data-meta=\"0_513\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 2:09 PM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 14:09:41 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003ca href=\"#\" class=\"phui-timeline-menu\" aria-haspopup=\"true\" aria-expanded=\"false\" data-sigil=\"phui-dropdown-menu\" data-meta=\"0_511\"\u003e\u003cspan class=\"aural-only\"\u003eComment Actions\u003c\/span\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-caret-down\" data-meta=\"0_512\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-core-content\"\u003e\u003cspan class=\"transaction-comment\" data-sigil=\"transaction-comment\" data-meta=\"0_156\"\u003e\u003cdiv class=\"phabricator-remarkup\"\u003e\u003cp\u003eIdeally we should try to match the HTML5 rules for valid attribute characters, rather than use an adhoc regexp.  That said, being *more* restrictive than HTML5 is certainly better than being *less* restrictive.  We do have non-ASCII attribute names used legitimately by our projects, though -- see \u003ca href=\"\/T349310\" class=\"phui-tag-view phui-tag-type-object \" data-sigil=\"hovercard\" data-meta=\"0_48\"\u003e\u003cspan class=\"phui-tag-core-closed\"\u003e\u003cspan class=\"phui-tag-core phui-tag-color-object\"\u003eT349310\u003c\/span\u003e\u003c\/span\u003e\u003c\/a\u003e for an example (\u003ctt class=\"remarkup-monospaced\"\u003edata-\u0133\u003c\/tt\u003e).\u003c\/p\u003e\n\n\u003cp\u003eSee also \u003ca href=\"https:\/\/github.com\/whatwg\/dom\/issues\/849\" class=\"remarkup-link remarkup-link-ext\" target=\"_blank\" rel=\"noreferrer\"\u003ehttps:\/\/github.com\/whatwg\/dom\/issues\/849\u003c\/a\u003e for some more character set fun: the set of characters allowed in HTML parsed from a string is *not* the same as the "XML safe" set of characters allows by "the Name production in XML".  As specified in \u003ca href=\"https:\/\/github.com\/whatwg\/dom\/issues\/849#issuecomment-1007541209\" class=\"remarkup-link remarkup-link-ext\" target=\"_blank\" rel=\"noreferrer\"\u003ehttps:\/\/github.com\/whatwg\/dom\/issues\/849#issuecomment-1007541209\u003c\/a\u003e:\u003c\/p\u003e\n\n\u003cblockquote\u003e\u003cp\u003eLenientElementNameStartChar := same as existing NameStartChar. (Parser only switches to tag name stage if given ASCII alpha as first character, so NameStartChar is more lenient than the parser.)\u003cbr \/\u003e\nLenientElementNameChar := anything exept tab, LF, CR, FF, space, \/, >, NULL.\u003c\/p\u003e\u003c\/blockquote\u003e\n\n\u003cp\u003e[...]\u003c\/p\u003e\n\n\u003cblockquote\u003e\u003cp\u003eLenientAttributeNameStartChar := anything except tab, LF, CR, FF, space, \/, >, NULL. (R\u003cbr \/\u003e\nLenientAttributeNameChar := LenientAttributeNameStartChar but also exclude =\u003c\/p\u003e\u003c\/blockquote\u003e\n\n\u003cp\u003eIt appears that space \/ > are the primary characters to worry about, which were slipping through originally.  In particular, \u003ctt class=\"remarkup-monospaced\"\u003e[_\\.\\-\\p{L}\\p{N}]\u003c\/tt\u003e seems much stricter than needed, and it depends on Unicode revision as well which is not ideal.\u003c\/p\u003e\u003c\/div\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_524\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-major-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/z67mikd4lwdetm774u5v\/PHID-FILE-wzypambajaxwezctdezx\/profile-livejournal.jpg)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/cscott\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003cdiv class=\"phui-timeline-inner-content\"\u003e\u003ca name=\"11057666\" id=\"11057666\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon phui-timeline-title-with-menu\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-comment phui-timeline-icon\" data-meta=\"0_523\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/cscott\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_157\"\u003ecscott\u003c\/a\u003e added a comment.\u003cspan class=\"phui-timeline-extra\"\u003e\u003ca href=\"#11057666\" data-sigil=\"has-tooltip\" data-meta=\"0_522\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 2:14 PM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 14:14:28 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003ca href=\"#\" class=\"phui-timeline-menu\" aria-haspopup=\"true\" aria-expanded=\"false\" data-sigil=\"phui-dropdown-menu\" data-meta=\"0_520\"\u003e\u003cspan class=\"aural-only\"\u003eComment Actions\u003c\/span\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-caret-down\" data-meta=\"0_521\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-core-content\"\u003e\u003cspan class=\"transaction-comment\" data-sigil=\"transaction-comment\" data-meta=\"0_158\"\u003e\u003cdiv class=\"phabricator-remarkup\"\u003e\u003cp\u003eAlso note that Parsoid has its own copy of \u003ctt class=\"remarkup-monospaced\"\u003eSanitizer.php\u003c\/tt\u003e and the same patch should be applied there as well.\u003c\/p\u003e\u003c\/div\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-spacer\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-shell\" data-sigil=\"transaction anchor-container\" data-meta=\"0_535\"\u003e\u003cdiv class=\"phui-timeline-event-view phui-timeline-major-event\"\u003e\u003cdiv class=\"phui-timeline-content\"\u003e\u003ca style=\"background-image: url(https:\/\/phab.wmfusercontent.org\/file\/data\/g6ioxnnlsjzf64uutm3w\/PHID-FILE-xbztmssvk5tbukl46vxd\/profile)\" class=\"visual-only phui-timeline-image\" href=\"\/p\/Lucas_Werkmeister_WMDE\/\" aria-hidden=\"true\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-badges\"\u003e\u003cul class=\"phui-badge-flex-view grouped flex-view-collapsed \"\u003e\u003cli class=\"phui-badge-flex-item\"\u003e\u003ca class=\"phui-badge-mini phui-badge-mini-orange \" href=\"\/badges\/view\/5\/\" aria-label=\"Backport Deployer\" data-sigil=\"has-tooltip\" data-meta=\"0_533\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-rocket\" data-meta=\"0_534\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-wedge\" style=\"\"\u003e\u003c\/div\u003e\u003cdiv class=\"phui-timeline-group\"\u003e\u003cdiv class=\"phui-timeline-inner-content\"\u003e\u003ca name=\"11057671\" id=\"11057671\" class=\"phabricator-anchor-view\"\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-title phui-timeline-title-with-icon phui-timeline-title-with-menu\"\u003e\u003cspan class=\"phui-timeline-icon-fill\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-comment phui-timeline-icon\" data-meta=\"0_532\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/span\u003e\u003ca href=\"\/p\/Lucas_Werkmeister_WMDE\/\" class=\"phui-handle phui-link-person\" data-sigil=\"hovercard\" data-meta=\"0_159\"\u003eLucas_Werkmeister_WMDE\u003c\/a\u003e added a comment.\u003cspan class=\"phui-timeline-extra\"\u003e\u003ca href=\"#11057671\" data-sigil=\"has-tooltip\" data-meta=\"0_531\"\u003e\u003cspan class=\"screen-only\"\u003eAug 4 2025, 2:14 PM\u003c\/span\u003e\u003cspan class=\"print-only\" aria-hidden=\"true\"\u003e2025-08-04 14:14:56 (UTC+0)\u003c\/span\u003e\u003c\/a\u003e\u003c\/span\u003e\u003c\/div\u003e\u003ca href=\"#\" class=\"phui-timeline-menu\" aria-haspopup=\"true\" aria-expanded=\"false\" data-sigil=\"phui-dropdown-menu\" data-meta=\"0_529\"\u003e\u003cspan class=\"aural-only\"\u003eComment Actions\u003c\/span\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-caret-down\" data-meta=\"0_530\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003cdiv class=\"phui-timeline-core-content\"\u003e\u003cspan class=\"transaction-comment\" data-sigil=\"transaction-comment\" data-meta=\"0_160\"\u003e\u003cdiv class=\"phabricator-remarkup\"\u003e\u003cp\u003eSlightly improved version of the patch because I realized the phpdoc is confusing (we\u2019re checking \u003ctt class=\"remarkup-monospaced\"\u003e$allowed\u003c\/tt\u003e with \u003ctt class=\"remarkup-monospaced\"\u003earray_key_exists()\u003c\/tt\u003e, not \u003ctt class=\"remarkup-monospaced\"\u003ein_array()\u003c\/tt\u003e!):\u003c\/p\u003e\n\n\u003cp\u003e\u003cdiv href=\"https:\/\/phab.wmfusercontent.org\/file\/data\/rqcqtsoxxuzwb4vhrujx\/PHID-FILE-c647255tgl2tvcdq3axm\/0001-SECURITY-Sanitize-data-attributes.patch\" target=\"_blank\" rel=\"noreferrer\" class=\"phabricator-remarkup-embed-layout-link \" data-sigil=\"lightboxable\" data-meta=\"0_49\" data-mustcapture=\"1\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-file-text-o phabricator-remarkup-embed-layout-icon\" data-meta=\"0_50\" aria-hidden=\"true\"\u003e\u003c\/span\u003e\u003cspan class=\"phabricator-remarkup-embed-layout-info-block\"\u003e\u003cspan class=\"phabricator-remarkup-embed-layout-name\"\u003e0001-SECURITY-Sanitize-data-attributes.patch\u003c\/span\u003e\u003cspan class=\"phabricator-remarkup-embed-layout-info\"\u003e4 KB\u003c\/span\u003e\u003c\/span\u003e\u003ca class=\"phabricator-remarkup-embed-layout-download\" href=\"https:\/\/phab.wmfusercontent.org\/file\/download\/rqcqtsoxxuzwb4vhrujx\/PHID-FILE-c647255tgl2tvcdq3axm\/0001-SECURITY-Sanitize-data-attributes.patch\"\u003eDownload\u003c\/a\u003e\u003c\/div\u003e\u003c\/p\u003e\u003c\/div\u003e\u003c\/span\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e"},"javelin_metadata":[{"hovercardSpec":{"objectPHID":"PHID-USER-uygpjfint56k4v4g3tsi"}},{"hovercardSpec":{"objectPHID":"PHID-TASK-y2snm4t3y3c4ynykwk5h"}},{"phid":"PHID-FILE-x2g22ugr67y6gqpcmjsr","uri":"https:\/\/phab.wmfusercontent.org\/file\/data\/nncat32jybyubdz7zcul\/PHID-FILE-x2g22ugr67y6gqpcmjsr\/QQ_1754300067826.png","dUri":"https:\/\/phab.wmfusercontent.org\/file\/download\/nncat32jybyubdz7zcul\/PHID-FILE-x2g22ugr67y6gqpcmjsr\/QQ_1754300067826.png","alt":"QQ_1754300067826.png (244\u00d7896 px, 15 KB)","viewable":true,"monogram":"F65709324"},{"phid":"PHID-FILE-xjobcalia6ciwqavb5i6","uri":"https:\/\/phab.wmfusercontent.org\/file\/data\/l4ltizripufnmepb4vpb\/PHID-FILE-xjobcalia6ciwqavb5i6\/QQ_1754300633592.png","dUri":"https:\/\/phab.wmfusercontent.org\/file\/download\/l4ltizripufnmepb4vpb\/PHID-FILE-xjobcalia6ciwqavb5i6\/QQ_1754300633592.png","alt":"QQ_1754300633592.png (1\u00d73 px, 1 MB)","viewable":true,"monogram":"F65709448"},{"hovercardSpec":{"objectPHID":"PHID-TASK-y2snm4t3y3c4ynykwk5h"}},{"hovercardSpec":{"objectPHID":"PHID-USER-hrcsuxxosiyjqpef64tc","contextPHID":"PHID-TASK-y2snm4t3y3c4ynykwk5h"}},{"hovercardSpec":{"objectPHID":"PHID-TASK-y2snm4t3y3c4ynykwk5h"}},{"hovercardSpec":{"objectPHID":"PHID-USER-hrcsuxxosiyjqpef64tc","contextPHID":"PHID-TASK-y2snm4t3y3c4ynykwk5h"}},{"hovercardSpec":{"objectPHID":"PHID-TASK-y2snm4t3y3c4ynykwk5h"}},{"hovercardSpec":{"objectPHID":"PHID-USER-77qmm2hjofbob233n3od","contextPHID":"PHID-TASK-y2snm4t3y3c4ynykwk5h"}},{"phid":"PHID-FILE-xtuxozwcaxgf3gkbifek","uri":"https:\/\/phab.wmfusercontent.org\/file\/data\/f7e4lg3hq4lxe6kwdhmo\/PHID-FILE-xtuxozwcaxgf3gkbifek\/image.png","dUri":"https:\/\/phab.wmfusercontent.org\/file\/download\/f7e4lg3hq4lxe6kwdhmo\/PHID-FILE-xtuxozwcaxgf3gkbifek\/image.png","alt":"image.png (814\u00d71 px, 111 KB)","viewable":true,"monogram":"F65710051"},{"hovercardSpec":{"objectPHID":"PHID-TASK-y2snm4t3y3c4ynykwk5h"}},{"hovercardSpec":{"objectPHID":"PHID-USER-k6t6el3zj34nwh5n7ajn","contextPHID":"PHID-TASK-y2snm4t3y3c4ynykwk5h"}},{"hovercardSpec":{"objectPHID":"PHID-USER-77qmm2hjofbob233n3od","contextPHID":"PHID-TASK-y2snm4t3y3c4ynykwk5h"}},{"hovercardSpec":{"objectPHID":"PHID-TASK-y2snm4t3y3c4ynykwk5h"}},{"hovercardSpec":{"objectPHID":"PHID-TASK-y2snm4t3y3c4ynykwk5h"}},{"hovercardSpec":{"objectPHID":"PHID-USER-77qmm2hjofbob233n3od","contextPHID":"PHID-TASK-y2snm4t3y3c4ynykwk5h"}},{"hovercardSpec":{"objectPHID":"PHID-USER-hrcsuxxosiyjqpef64tc","contextPHID":"PHID-TASK-y2snm4t3y3c4ynykwk5h"}},{"hovercardSpec":{"objectPHID":"PHID-TASK-y2snm4t3y3c4ynykwk5h"}},{"hovercardSpec":{"objectPHID":"PHID-USER-gh6rbo243sqey47hasxq","contextPHID":"PHID-TASK-y2snm4t3y3c4ynykwk5h"}},{"phid":"PHID-FILE-xuuiw3vqiycespnkungw","uri":"https:\/\/phab.wmfusercontent.org\/file\/data\/ioclari22iekk5b4hdke\/PHID-FILE-xuuiw3vqiycespnkungw\/image.png","dUri":"https:\/\/phab.wmfusercontent.org\/file\/download\/ioclari22iekk5b4hdke\/PHID-FILE-xuuiw3vqiycespnkungw\/image.png","alt":"image.png (125\u00d7310 px, 13 KB)","viewable":true,"monogram":"F65710335"},{"hovercardSpec":{"objectPHID":"PHID-TASK-y2snm4t3y3c4ynykwk5h"}},{"hovercardSpec":{"objectPHID":"PHID-USER-hrcsuxxosiyjqpef64tc","contextPHID":"PHID-TASK-y2snm4t3y3c4ynykwk5h"}},{"hovercardSpec":{"objectPHID":"PHID-TASK-y2snm4t3y3c4ynykwk5h"}},{"hovercardSpec":{"objectPHID":"PHID-TASK-y2snm4t3y3c4ynykwk5h"}},{"hovercardSpec":{"objectPHID":"PHID-USER-k6t6el3zj34nwh5n7ajn","contextPHID":"PHID-TASK-y2snm4t3y3c4ynykwk5h"}},{"hovercardSpec":{"objectPHID":"PHID-USER-77qmm2hjofbob233n3od","contextPHID":"PHID-TASK-y2snm4t3y3c4ynykwk5h"}},{"hovercardSpec":{"objectPHID":"PHID-USER-k6t6el3zj34nwh5n7ajn","contextPHID":"PHID-TASK-y2snm4t3y3c4ynykwk5h"}},{"hovercardSpec":{"objectPHID":"PHID-TASK-y2snm4t3y3c4ynykwk5h"}},{"phid":"PHID-FILE-lhmbtc6zekhirw4eu6dn","viewable":false,"uri":"https:\/\/phab.wmfusercontent.org\/file\/data\/wdnvyfbniy2nso5yeduo\/PHID-FILE-lhmbtc6zekhirw4eu6dn\/0001-SECURITY-Sanitize-data-attributes.patch","dUri":"https:\/\/phab.wmfusercontent.org\/file\/download\/wdnvyfbniy2nso5yeduo\/PHID-FILE-lhmbtc6zekhirw4eu6dn\/0001-SECURITY-Sanitize-data-attributes.patch","name":"0001-SECURITY-Sanitize-data-attributes.patch","monogram":"F65710407","icon":"fa-file-text-o","size":"3 KB"},[],{"hovercardSpec":{"objectPHID":"PHID-TASK-y2snm4t3y3c4ynykwk5h"}},{"hovercardSpec":{"objectPHID":"PHID-USER-hrcsuxxosiyjqpef64tc","contextPHID":"PHID-TASK-y2snm4t3y3c4ynykwk5h"}},{"hovercardSpec":{"objectPHID":"PHID-TASK-y2snm4t3y3c4ynykwk5h"}},{"hovercardSpec":{"objectPHID":"PHID-USER-gh6rbo243sqey47hasxq","contextPHID":"PHID-TASK-y2snm4t3y3c4ynykwk5h"}},{"hovercardSpec":{"objectPHID":"PHID-TASK-y2snm4t3y3c4ynykwk5h"}},{"hovercardSpec":{"objectPHID":"PHID-TASK-y2snm4t3y3c4ynykwk5h"}},{"phid":"PHID-FILE-lhmbtc6zekhirw4eu6dn","viewable":false,"uri":"https:\/\/phab.wmfusercontent.org\/file\/data\/wdnvyfbniy2nso5yeduo\/PHID-FILE-lhmbtc6zekhirw4eu6dn\/0001-SECURITY-Sanitize-data-attributes.patch","dUri":"https:\/\/phab.wmfusercontent.org\/file\/download\/wdnvyfbniy2nso5yeduo\/PHID-FILE-lhmbtc6zekhirw4eu6dn\/0001-SECURITY-Sanitize-data-attributes.patch","name":"0001-SECURITY-Sanitize-data-attributes.patch","monogram":"F65710407","icon":"fa-file-text-o","size":"3 KB"},[],{"hovercardSpec":{"objectPHID":"PHID-USER-hrcsuxxosiyjqpef64tc","contextPHID":"PHID-TASK-y2snm4t3y3c4ynykwk5h"}},[],{"hovercardSpec":{"objectPHID":"PHID-PROJ-wrgc3ksxzyc5l6lb4ou4"}},{"hovercardSpec":{"objectPHID":"PHID-TASK-y2snm4t3y3c4ynykwk5h"}},{"hovercardSpec":{"objectPHID":"PHID-TASK-y2snm4t3y3c4ynykwk5h"}},{"hovercardSpec":{"objectPHID":"PHID-USER-gh6rbo243sqey47hasxq","contextPHID":"PHID-TASK-y2snm4t3y3c4ynykwk5h"}},{"hovercardSpec":{"objectPHID":"PHID-USER-hrcsuxxosiyjqpef64tc","contextPHID":"PHID-TASK-y2snm4t3y3c4ynykwk5h"}},{"phid":"PHID-FILE-5irbyefpvhozz7s2wt6s","viewable":false,"uri":"https:\/\/phab.wmfusercontent.org\/file\/data\/gxcfgqson22yuqcdwfhl\/PHID-FILE-5irbyefpvhozz7s2wt6s\/0001-SECURITY-Sanitize-data-attributes.patch","dUri":"https:\/\/phab.wmfusercontent.org\/file\/download\/gxcfgqson22yuqcdwfhl\/PHID-FILE-5irbyefpvhozz7s2wt6s\/0001-SECURITY-Sanitize-data-attributes.patch","name":"0001-SECURITY-Sanitize-data-attributes.patch","monogram":"F65710931","icon":"fa-file-text-o","size":"4 KB"},[],{"hovercardSpec":{"objectPHID":"PHID-TASK-sxo45druasckpv3xzvpm"}},{"phid":"PHID-FILE-c647255tgl2tvcdq3axm","viewable":false,"uri":"https:\/\/phab.wmfusercontent.org\/file\/data\/rqcqtsoxxuzwb4vhrujx\/PHID-FILE-c647255tgl2tvcdq3axm\/0001-SECURITY-Sanitize-data-attributes.patch","dUri":"https:\/\/phab.wmfusercontent.org\/file\/download\/rqcqtsoxxuzwb4vhrujx\/PHID-FILE-c647255tgl2tvcdq3axm\/0001-SECURITY-Sanitize-data-attributes.patch","name":"0001-SECURITY-Sanitize-data-attributes.patch","monogram":"F65710958","icon":"fa-file-text-o","size":"4 KB"},[],{"hovercardSpec":{"objectPHID":"PHID-APPS-PhabricatorHeraldApplication"}},[],{"hovercardSpec":{"objectPHID":"PHID-USER-hgn5uw2jafgjgfvxibhh"}},{"phid":"PHID-XACT-TASK-fvkri7viyxmp3nm"},{"hovercardSpec":{"objectPHID":"PHID-USER-hrcsuxxosiyjqpef64tc"}},{"hovercardSpec":{"objectPHID":"PHID-USER-77qmm2hjofbob233n3od"}},{"phid":"PHID-XACT-TASK-wjozxusbzisyupl"},{"hovercardSpec":{"objectPHID":"PHID-USER-hrcsuxxosiyjqpef64tc"}},[],{"hovercardSpec":{"objectPHID":"PHID-USER-uygpjfint56k4v4g3tsi"}},{"phid":"PHID-XACT-TASK-mry4ztnqhfftg4c"},{"hovercardSpec":{"objectPHID":"PHID-USER-hrcsuxxosiyjqpef64tc"}},{"hovercardSpec":{"objectPHID":"PHID-USER-hrcsuxxosiyjqpef64tc"}},{"hovercardSpec":{"objectPHID":"PHID-USER-hrcsuxxosiyjqpef64tc"}},{"hovercardSpec":{"objectPHID":"PHID-TASK-w54fehtoknxo2cmfhgto"}},[],{"phid":"PHID-XACT-TASK-tu6yrgtiduwwakf"},{"hovercardSpec":{"objectPHID":"PHID-USER-uygpjfint56k4v4g3tsi"}},{"hovercardSpec":{"objectPHID":"PHID-FILE-x2g22ugr67y6gqpcmjsr"}},{"hovercardSpec":{"objectPHID":"PHID-USER-77qmm2hjofbob233n3od"}},{"phid":"PHID-XACT-TASK-bjsq4m2uzf5nvfi"},{"hovercardSpec":{"objectPHID":"PHID-USER-uygpjfint56k4v4g3tsi"}},{"phid":"PHID-XACT-TASK-2oinzprzec7f5ep"},{"hovercardSpec":{"objectPHID":"PHID-USER-hrcsuxxosiyjqpef64tc"}},{"phid":"PHID-XACT-TASK-ql4plhb5v5ok63g"},{"hovercardSpec":{"objectPHID":"PHID-USER-mqhfa5y5f5tg6g3b5hui"}},{"hovercardSpec":{"objectPHID":"PHID-PROJ-4p5nyhzmlalosascubmw"}},{"hovercardSpec":{"objectPHID":"PHID-USER-hrcsuxxosiyjqpef64tc"}},{"phid":"PHID-XACT-TASK-2xrtrbydewss3au"},{"hovercardSpec":{"objectPHID":"PHID-USER-m5jpn3aks3txixuwk5pn"}},{"hovercardSpec":{"objectPHID":"PHID-USER-hzl4yumxwoqiqh5e75on"}},{"hovercardSpec":{"objectPHID":"PHID-USER-hrcsuxxosiyjqpef64tc"}},{"phid":"PHID-XACT-TASK-kqju7qvwgulmd54"},{"hovercardSpec":{"objectPHID":"PHID-USER-77qmm2hjofbob233n3od"}},{"phid":"PHID-XACT-TASK-z5gx3jeih6k2jrt"},{"hovercardSpec":{"objectPHID":"PHID-USER-hrcsuxxosiyjqpef64tc"}},{"phid":"PHID-XACT-TASK-nbjeyrkdcdh72sg"},{"hovercardSpec":{"objectPHID":"PHID-USER-uygpjfint56k4v4g3tsi"}},{"phid":"PHID-XACT-TASK-4eo7mi76mbaxaaq"},{"hovercardSpec":{"objectPHID":"PHID-USER-qhuuacgshfvnn2ngvwm2"}},{"hovercardSpec":{"objectPHID":"PHID-USER-gh6rbo243sqey47hasxq"}},{"hovercardSpec":{"objectPHID":"PHID-USER-mqhfa5y5f5tg6g3b5hui"}},{"hovercardSpec":{"objectPHID":"PHID-USER-2wquu5nwbdqcuzo5qiuf"}},{"hovercardSpec":{"objectPHID":"PHID-USER-k6t6el3zj34nwh5n7ajn"}},{"hovercardSpec":{"objectPHID":"PHID-APPS-PhabricatorHeraldApplication"}},[],{"hovercardSpec":{"objectPHID":"PHID-USER-2wquu5nwbdqcuzo5qiuf"}},{"hovercardSpec":{"objectPHID":"PHID-USER-k6t6el3zj34nwh5n7ajn"}},{"phid":"PHID-XACT-TASK-z46byibmha63hs6"},{"hovercardSpec":{"objectPHID":"PHID-USER-k6t6el3zj34nwh5n7ajn"}},{"phid":"PHID-XACT-TASK-36qmhvrqpgjblvc"},{"hovercardSpec":{"objectPHID":"PHID-USER-gh6rbo243sqey47hasxq"}},{"phid":"PHID-XACT-TASK-snygeixvg6w6glq"},{"hovercardSpec":{"objectPHID":"PHID-USER-hrcsuxxosiyjqpef64tc"}},{"phid":"PHID-XACT-TASK-niz4uwzj5wu5grx"},{"hovercardSpec":{"objectPHID":"PHID-USER-hrcsuxxosiyjqpef64tc"}},{"phid":"PHID-XACT-TASK-vtp3prcky46fi6i"},{"hovercardSpec":{"objectPHID":"PHID-USER-hrcsuxxosiyjqpef64tc"}},{"hovercardSpec":{"objectPHID":"PHID-PROJ-tt6zkarjbtxn7lpnok5g"}},{"hovercardSpec":{"objectPHID":"PHID-USER-k6t6el3zj34nwh5n7ajn"}},{"phid":"PHID-XACT-TASK-m7fwxkxgrih6qgc"},{"hovercardSpec":{"objectPHID":"PHID-USER-hrcsuxxosiyjqpef64tc"}},{"phid":"PHID-XACT-TASK-t37yehidp2krz6y"},{"hovercardSpec":{"objectPHID":"PHID-USER-hvywcttgalazbjxfl3tq"}},{"hovercardSpec":{"objectPHID":"PHID-USER-pl7srragnwltb6cc4j5l"}},{"phid":"PHID-XACT-TASK-7qngcsqlh3kzvrg"},{"hovercardSpec":{"objectPHID":"PHID-USER-77qmm2hjofbob233n3od"}},{"phid":"PHID-XACT-TASK-m3gf5yznk2rlewm"},{"hovercardSpec":{"objectPHID":"PHID-USER-hrcsuxxosiyjqpef64tc"}},{"hovercardSpec":{"objectPHID":"PHID-PROJ-onnxucoedheq3jevknyr"}},{"phid":"PHID-XACT-TASK-n7nbylrd5jywjiq"},{"hovercardSpec":{"objectPHID":"PHID-USER-k6t6el3zj34nwh5n7ajn"}},{"phid":"PHID-XACT-TASK-4fwdgsccnozoooa"},{"hovercardSpec":{"objectPHID":"PHID-USER-gh6rbo243sqey47hasxq"}},{"phid":"PHID-XACT-TASK-6lto4sifhqwpffv"},{"hovercardSpec":{"objectPHID":"PHID-USER-hrcsuxxosiyjqpef64tc"}},{"phid":"PHID-XACT-TASK-xxw5to74xkpao6m"},{"hovercardSpec":{"objectPHID":"PHID-USER-hrcsuxxosiyjqpef64tc"}},{"phid":"PHID-XACT-TASK-patnvetsd4kcw2s"},{"hovercardSpec":{"objectPHID":"PHID-USER-wkpnidxoctuhawexig5p"}},{"hovercardSpec":{"objectPHID":"PHID-PROJ-wrgc3ksxzyc5l6lb4ou4"}},{"phid":"PHID-XACT-TASK-xp5g4gbkl4xkwpa"},{"hovercardSpec":{"objectPHID":"PHID-USER-wkpnidxoctuhawexig5p"}},{"hovercardSpec":{"objectPHID":"PHID-USER-uygpjfint56k4v4g3tsi"}},{"hovercardSpec":{"objectPHID":"PHID-USER-acmucbgewxw77nvydpot"}},{"hovercardSpec":{"objectPHID":"PHID-USER-ag253ew4j24mthbytkic"}},{"hovercardSpec":{"objectPHID":"PHID-USER-xpyr2htmdnixebdclhfh"}},{"hovercardSpec":{"objectPHID":"PHID-USER-j3ocyhtplssdqydlfpqj"}},{"hovercardSpec":{"objectPHID":"PHID-USER-hvywcttgalazbjxfl3tq"}},{"hovercardSpec":{"objectPHID":"PHID-USER-2wquu5nwbdqcuzo5qiuf"}},{"hovercardSpec":{"objectPHID":"PHID-USER-k6t6el3zj34nwh5n7ajn"}},{"hovercardSpec":{"objectPHID":"PHID-USER-mqhfa5y5f5tg6g3b5hui"}},{"phid":"PHID-XACT-TASK-46gkp4kthzdz3qj"},{"hovercardSpec":{"objectPHID":"PHID-USER-pl7srragnwltb6cc4j5l"}},{"hovercardSpec":{"objectPHID":"PHID-USER-hvywcttgalazbjxfl3tq"}},{"hovercardSpec":{"objectPHID":"PHID-USER-2wquu5nwbdqcuzo5qiuf"}},{"hovercardSpec":{"objectPHID":"PHID-USER-k6t6el3zj34nwh5n7ajn"}},{"hovercardSpec":{"objectPHID":"PHID-USER-mqhfa5y5f5tg6g3b5hui"}},{"phid":"PHID-XACT-TASK-gprwp575u2ik7ip"},{"hovercardSpec":{"objectPHID":"PHID-USER-gh6rbo243sqey47hasxq"}},{"phid":"PHID-XACT-TASK-shnsqhn7f36nazk"},{"hovercardSpec":{"objectPHID":"PHID-USER-qhuuacgshfvnn2ngvwm2"}},{"hovercardSpec":{"objectPHID":"PHID-USER-hrcsuxxosiyjqpef64tc"}},{"phid":"PHID-XACT-TASK-tznec27hmpqp575"},{"hovercardSpec":{"objectPHID":"PHID-USER-m2ezqyeb4uz67zq6bats"}},{"phid":"PHID-XACT-TASK-lg6wt44z4qkodiz"},{"hovercardSpec":{"objectPHID":"PHID-USER-m2ezqyeb4uz67zq6bats"}},{"phid":"PHID-XACT-TASK-hkq2x4c2owx3u3p"},{"hovercardSpec":{"objectPHID":"PHID-USER-hrcsuxxosiyjqpef64tc"}},{"phid":"PHID-XACT-TASK-tfcy3ai2b4wvrvx"},{"tip":"Via Web"},[],{"phid":"PHID-XACT-TASK-m5cyepilcv7yel5","anchor":"11056862"},{"tip":"Via Herald"},[],{"phid":"PHID-XACT-TASK-bxmlsf3hkyovnlr","anchor":"11056872"},{"targetID":"UQ0_1","uri":"\/transactions\/quote\/PHID-XACT-TASK-fvkri7viyxmp3nm\/","ref":"T401099#11056905"},[],{"anchor":"11056905"},[],{"items":"\u003cul class=\"phabricator-action-list-view \"\u003e\u003cli id=\"UQ0_1\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"#\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-quote\" data-meta=\"0_167\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-quote-left phabricator-action-view-icon\" data-meta=\"0_168\" aria-hidden=\"true\"\u003e\u003c\/span\u003eQuote Comment\u003c\/a\u003e\u003c\/li\u003e\u003cli id=\"UQ0_3\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"\/transactions\/raw\/PHID-XACT-TASK-fvkri7viyxmp3nm\/\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-raw\" data-meta=\"0_169\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-code phabricator-action-view-icon\" data-meta=\"0_170\" aria-hidden=\"true\"\u003e\u003c\/span\u003eView Raw Remarkup\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e"},[],{"tip":"Via Web"},[],{"tip":"Backport Deployer","align":"E","size":300},[],{"phid":"PHID-XACT-TASK-fvkri7viyxmp3nm","anchor":"11056905"},{"targetID":"UQ0_1","uri":"\/transactions\/quote\/PHID-XACT-TASK-wjozxusbzisyupl\/","ref":"T401099#11056908"},[],{"anchor":"11056908"},[],{"items":"\u003cul class=\"phabricator-action-list-view \"\u003e\u003cli id=\"UQ0_5\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"#\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-quote\" data-meta=\"0_178\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-quote-left phabricator-action-view-icon\" data-meta=\"0_179\" aria-hidden=\"true\"\u003e\u003c\/span\u003eQuote Comment\u003c\/a\u003e\u003c\/li\u003e\u003cli id=\"UQ0_7\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"\/transactions\/raw\/PHID-XACT-TASK-wjozxusbzisyupl\/\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-raw\" data-meta=\"0_180\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-code phabricator-action-view-icon\" data-meta=\"0_181\" aria-hidden=\"true\"\u003e\u003c\/span\u003eView Raw Remarkup\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e"},[],{"tip":"Via Web"},[],{"phid":"PHID-XACT-TASK-wjozxusbzisyupl","anchor":"11056908"},{"tip":"Via Web"},[],{"phid":"PHID-XACT-TASK-6relcqubbpok3eh","anchor":"11056910"},{"targetID":"UQ0_1","uri":"\/transactions\/quote\/PHID-XACT-TASK-mry4ztnqhfftg4c\/","ref":"T401099#11056934"},[],{"anchor":"11056934"},[],{"items":"\u003cul class=\"phabricator-action-list-view \"\u003e\u003cli id=\"UQ0_9\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"#\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-quote\" data-meta=\"0_190\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-quote-left phabricator-action-view-icon\" data-meta=\"0_191\" aria-hidden=\"true\"\u003e\u003c\/span\u003eQuote Comment\u003c\/a\u003e\u003c\/li\u003e\u003cli id=\"UQ0_11\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"\/transactions\/raw\/PHID-XACT-TASK-mry4ztnqhfftg4c\/\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-raw\" data-meta=\"0_192\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-code phabricator-action-view-icon\" data-meta=\"0_193\" aria-hidden=\"true\"\u003e\u003c\/span\u003eView Raw Remarkup\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e"},[],{"tip":"Via Web"},[],{"phid":"PHID-XACT-TASK-mry4ztnqhfftg4c","anchor":"11056934"},{"targetID":"UQ0_1","uri":"\/transactions\/quote\/PHID-XACT-TASK-tu6yrgtiduwwakf\/","ref":"T401099#11056966"},[],{"anchor":"11056966"},[],[],{"items":"\u003cul class=\"phabricator-action-list-view \"\u003e\u003cli id=\"UQ0_13\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"#\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-quote\" data-meta=\"0_199\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-quote-left phabricator-action-view-icon\" data-meta=\"0_200\" aria-hidden=\"true\"\u003e\u003c\/span\u003eQuote Comment\u003c\/a\u003e\u003c\/li\u003e\u003cli id=\"UQ0_15\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"\/transactions\/raw\/PHID-XACT-TASK-tu6yrgtiduwwakf\/\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-raw\" data-meta=\"0_201\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-code phabricator-action-view-icon\" data-meta=\"0_202\" aria-hidden=\"true\"\u003e\u003c\/span\u003eView Raw Remarkup\u003c\/a\u003e\u003c\/li\u003e\u003cli id=\"UQ0_17\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"\/transactions\/history\/PHID-XACT-TASK-tu6yrgtiduwwakf\/\" class=\"phabricator-action-view-item\" data-sigil=\"workflow\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-list phabricator-action-view-icon\" data-meta=\"0_203\" aria-hidden=\"true\"\u003e\u003c\/span\u003eView Edit History\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e"},[],{"tip":"Via Web"},[],[],[],{"tip":"Backport Deployer","align":"E","size":300},[],{"phid":"PHID-XACT-TASK-6dhwcy3ujbp2j2b","anchor":"11056966"},{"tip":"Via Web"},[],{"phid":"PHID-XACT-TASK-akmmqoxemk7xitp","anchor":"11056978"},{"targetID":"UQ0_1","uri":"\/transactions\/quote\/PHID-XACT-TASK-bjsq4m2uzf5nvfi\/","ref":"T401099#11056983"},[],{"anchor":"11056983"},[],[],{"items":"\u003cul class=\"phabricator-action-list-view \"\u003e\u003cli id=\"UQ0_19\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"#\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-quote\" data-meta=\"0_216\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-quote-left phabricator-action-view-icon\" data-meta=\"0_217\" aria-hidden=\"true\"\u003e\u003c\/span\u003eQuote Comment\u003c\/a\u003e\u003c\/li\u003e\u003cli id=\"UQ0_21\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"\/transactions\/raw\/PHID-XACT-TASK-bjsq4m2uzf5nvfi\/\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-raw\" data-meta=\"0_218\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-code phabricator-action-view-icon\" data-meta=\"0_219\" aria-hidden=\"true\"\u003e\u003c\/span\u003eView Raw Remarkup\u003c\/a\u003e\u003c\/li\u003e\u003cli id=\"UQ0_23\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"\/transactions\/history\/PHID-XACT-TASK-bjsq4m2uzf5nvfi\/\" class=\"phabricator-action-view-item\" data-sigil=\"workflow\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-list phabricator-action-view-icon\" data-meta=\"0_220\" aria-hidden=\"true\"\u003e\u003c\/span\u003eView Edit History\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e"},[],{"tip":"Via Web"},[],{"phid":"PHID-XACT-TASK-bjsq4m2uzf5nvfi","anchor":"11056983"},{"targetID":"UQ0_1","uri":"\/transactions\/quote\/PHID-XACT-TASK-2oinzprzec7f5ep\/","ref":"T401099#11056987"},[],{"anchor":"11056987"},[],{"items":"\u003cul class=\"phabricator-action-list-view \"\u003e\u003cli id=\"UQ0_25\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"#\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-quote\" data-meta=\"0_226\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-quote-left phabricator-action-view-icon\" data-meta=\"0_227\" aria-hidden=\"true\"\u003e\u003c\/span\u003eQuote Comment\u003c\/a\u003e\u003c\/li\u003e\u003cli id=\"UQ0_27\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"\/transactions\/raw\/PHID-XACT-TASK-2oinzprzec7f5ep\/\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-raw\" data-meta=\"0_228\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-code phabricator-action-view-icon\" data-meta=\"0_229\" aria-hidden=\"true\"\u003e\u003c\/span\u003eView Raw Remarkup\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e"},[],{"tip":"Via Web"},[],{"phid":"PHID-XACT-TASK-2oinzprzec7f5ep","anchor":"11056987"},{"targetID":"UQ0_1","uri":"\/transactions\/quote\/PHID-XACT-TASK-ql4plhb5v5ok63g\/","ref":"T401099#11056988"},[],{"anchor":"11056988"},[],{"items":"\u003cul class=\"phabricator-action-list-view \"\u003e\u003cli id=\"UQ0_29\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"#\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-quote\" data-meta=\"0_235\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-quote-left phabricator-action-view-icon\" data-meta=\"0_236\" aria-hidden=\"true\"\u003e\u003c\/span\u003eQuote Comment\u003c\/a\u003e\u003c\/li\u003e\u003cli id=\"UQ0_31\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"\/transactions\/raw\/PHID-XACT-TASK-ql4plhb5v5ok63g\/\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-raw\" data-meta=\"0_237\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-code phabricator-action-view-icon\" data-meta=\"0_238\" aria-hidden=\"true\"\u003e\u003c\/span\u003eView Raw Remarkup\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e"},[],{"tip":"Via Web"},[],{"tip":"Backport Deployer","align":"E","size":300},[],{"phid":"PHID-XACT-TASK-ql4plhb5v5ok63g","anchor":"11056988"},{"tip":"Via Web"},[],{"phid":"PHID-XACT-TASK-77hvt7bslhnk4yt","anchor":"11056992"},{"targetID":"UQ0_1","uri":"\/transactions\/quote\/PHID-XACT-TASK-2xrtrbydewss3au\/","ref":"T401099#11057074"},[],{"anchor":"11057074"},[],[],{"items":"\u003cul class=\"phabricator-action-list-view \"\u003e\u003cli id=\"UQ0_33\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"#\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-quote\" data-meta=\"0_249\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-quote-left phabricator-action-view-icon\" data-meta=\"0_250\" aria-hidden=\"true\"\u003e\u003c\/span\u003eQuote Comment\u003c\/a\u003e\u003c\/li\u003e\u003cli id=\"UQ0_35\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"\/transactions\/raw\/PHID-XACT-TASK-2xrtrbydewss3au\/\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-raw\" data-meta=\"0_251\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-code phabricator-action-view-icon\" data-meta=\"0_252\" aria-hidden=\"true\"\u003e\u003c\/span\u003eView Raw Remarkup\u003c\/a\u003e\u003c\/li\u003e\u003cli id=\"UQ0_37\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"\/transactions\/history\/PHID-XACT-TASK-2xrtrbydewss3au\/\" class=\"phabricator-action-view-item\" data-sigil=\"workflow\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-list phabricator-action-view-icon\" data-meta=\"0_253\" aria-hidden=\"true\"\u003e\u003c\/span\u003eView Edit History\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e"},[],{"tip":"Via Web"},[],{"tip":"Backport Deployer","align":"E","size":300},[],{"phid":"PHID-XACT-TASK-2xrtrbydewss3au","anchor":"11057074"},{"tip":"Via Web"},[],{"phid":"PHID-XACT-TASK-4ns7j5ic5zwimhq","anchor":"11057078"},{"targetID":"UQ0_1","uri":"\/transactions\/quote\/PHID-XACT-TASK-kqju7qvwgulmd54\/","ref":"T401099#11057087"},[],{"anchor":"11057087"},[],{"items":"\u003cul class=\"phabricator-action-list-view \"\u003e\u003cli id=\"UQ0_39\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"#\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-quote\" data-meta=\"0_264\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-quote-left phabricator-action-view-icon\" data-meta=\"0_265\" aria-hidden=\"true\"\u003e\u003c\/span\u003eQuote Comment\u003c\/a\u003e\u003c\/li\u003e\u003cli id=\"UQ0_41\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"\/transactions\/raw\/PHID-XACT-TASK-kqju7qvwgulmd54\/\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-raw\" data-meta=\"0_266\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-code phabricator-action-view-icon\" data-meta=\"0_267\" aria-hidden=\"true\"\u003e\u003c\/span\u003eView Raw Remarkup\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e"},[],{"tip":"Via Web"},[],{"tip":"Backport Deployer","align":"E","size":300},[],{"phid":"PHID-XACT-TASK-kqju7qvwgulmd54","anchor":"11057087"},{"targetID":"UQ0_1","uri":"\/transactions\/quote\/PHID-XACT-TASK-z5gx3jeih6k2jrt\/","ref":"T401099#11057092"},[],{"anchor":"11057092"},[],{"items":"\u003cul class=\"phabricator-action-list-view \"\u003e\u003cli id=\"UQ0_43\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"#\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-quote\" data-meta=\"0_275\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-quote-left phabricator-action-view-icon\" data-meta=\"0_276\" aria-hidden=\"true\"\u003e\u003c\/span\u003eQuote Comment\u003c\/a\u003e\u003c\/li\u003e\u003cli id=\"UQ0_45\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"\/transactions\/raw\/PHID-XACT-TASK-z5gx3jeih6k2jrt\/\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-raw\" data-meta=\"0_277\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-code phabricator-action-view-icon\" data-meta=\"0_278\" aria-hidden=\"true\"\u003e\u003c\/span\u003eView Raw Remarkup\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e"},[],{"tip":"Via Web"},[],{"phid":"PHID-XACT-TASK-z5gx3jeih6k2jrt","anchor":"11057092"},{"targetID":"UQ0_1","uri":"\/transactions\/quote\/PHID-XACT-TASK-nbjeyrkdcdh72sg\/","ref":"T401099#11057119"},[],{"anchor":"11057119"},[],{"items":"\u003cul class=\"phabricator-action-list-view \"\u003e\u003cli id=\"UQ0_47\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"#\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-quote\" data-meta=\"0_284\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-quote-left phabricator-action-view-icon\" data-meta=\"0_285\" aria-hidden=\"true\"\u003e\u003c\/span\u003eQuote Comment\u003c\/a\u003e\u003c\/li\u003e\u003cli id=\"UQ0_49\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"\/transactions\/raw\/PHID-XACT-TASK-nbjeyrkdcdh72sg\/\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-raw\" data-meta=\"0_286\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-code phabricator-action-view-icon\" data-meta=\"0_287\" aria-hidden=\"true\"\u003e\u003c\/span\u003eView Raw Remarkup\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e"},[],{"tip":"Via Web"},[],{"tip":"Backport Deployer","align":"E","size":300},[],{"phid":"PHID-XACT-TASK-nbjeyrkdcdh72sg","anchor":"11057119"},{"tip":"Via Web"},[],{"phid":"PHID-XACT-TASK-4eo7mi76mbaxaaq","anchor":"11057120"},{"tip":"Via Web"},[],{"phid":"PHID-XACT-TASK-s6x4p6nvx5cf736","anchor":"11057121"},{"tip":"Via Web"},[],{"phid":"PHID-XACT-TASK-nsjnimpeloe7vp5","anchor":"11057138"},{"tip":"Via Web"},[],{"phid":"PHID-XACT-TASK-mi5wyk2vq2vgfjk","anchor":"11057150"},{"tip":"Via Herald"},[],{"phid":"PHID-XACT-TASK-pq534666whjy7zn","anchor":"11057151"},{"targetID":"UQ0_1","uri":"\/transactions\/quote\/PHID-XACT-TASK-z46byibmha63hs6\/","ref":"T401099#11057164"},[],{"anchor":"11057164"},[],[],{"items":"\u003cul class=\"phabricator-action-list-view \"\u003e\u003cli id=\"UQ0_51\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"#\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-quote\" data-meta=\"0_310\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-quote-left phabricator-action-view-icon\" data-meta=\"0_311\" aria-hidden=\"true\"\u003e\u003c\/span\u003eQuote Comment\u003c\/a\u003e\u003c\/li\u003e\u003cli id=\"UQ0_53\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"\/transactions\/raw\/PHID-XACT-TASK-z46byibmha63hs6\/\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-raw\" data-meta=\"0_312\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-code phabricator-action-view-icon\" data-meta=\"0_313\" aria-hidden=\"true\"\u003e\u003c\/span\u003eView Raw Remarkup\u003c\/a\u003e\u003c\/li\u003e\u003cli id=\"UQ0_55\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"\/transactions\/history\/PHID-XACT-TASK-z46byibmha63hs6\/\" class=\"phabricator-action-view-item\" data-sigil=\"workflow\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-list phabricator-action-view-icon\" data-meta=\"0_314\" aria-hidden=\"true\"\u003e\u003c\/span\u003eView Edit History\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e"},[],{"tip":"Via Web"},[],{"phid":"PHID-XACT-TASK-z46byibmha63hs6","anchor":"11057164"},{"targetID":"UQ0_1","uri":"\/transactions\/quote\/PHID-XACT-TASK-36qmhvrqpgjblvc\/","ref":"T401099#11057173"},[],{"anchor":"11057173"},[],{"items":"\u003cul class=\"phabricator-action-list-view \"\u003e\u003cli id=\"UQ0_57\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"#\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-quote\" data-meta=\"0_320\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-quote-left phabricator-action-view-icon\" data-meta=\"0_321\" aria-hidden=\"true\"\u003e\u003c\/span\u003eQuote Comment\u003c\/a\u003e\u003c\/li\u003e\u003cli id=\"UQ0_59\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"\/transactions\/raw\/PHID-XACT-TASK-36qmhvrqpgjblvc\/\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-raw\" data-meta=\"0_322\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-code phabricator-action-view-icon\" data-meta=\"0_323\" aria-hidden=\"true\"\u003e\u003c\/span\u003eView Raw Remarkup\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e"},[],{"tip":"Via Web"},[],{"phid":"PHID-XACT-TASK-36qmhvrqpgjblvc","anchor":"11057173"},{"targetID":"UQ0_1","uri":"\/transactions\/quote\/PHID-XACT-TASK-snygeixvg6w6glq\/","ref":"T401099#11057217"},[],{"anchor":"11057217"},[],{"items":"\u003cul class=\"phabricator-action-list-view \"\u003e\u003cli id=\"UQ0_61\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"#\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-quote\" data-meta=\"0_329\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-quote-left phabricator-action-view-icon\" data-meta=\"0_330\" aria-hidden=\"true\"\u003e\u003c\/span\u003eQuote Comment\u003c\/a\u003e\u003c\/li\u003e\u003cli id=\"UQ0_63\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"\/transactions\/raw\/PHID-XACT-TASK-snygeixvg6w6glq\/\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-raw\" data-meta=\"0_331\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-code phabricator-action-view-icon\" data-meta=\"0_332\" aria-hidden=\"true\"\u003e\u003c\/span\u003eView Raw Remarkup\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e"},[],{"tip":"Via Web"},[],{"phid":"PHID-XACT-TASK-snygeixvg6w6glq","anchor":"11057217"},{"targetID":"UQ0_1","uri":"\/transactions\/quote\/PHID-XACT-TASK-niz4uwzj5wu5grx\/","ref":"T401099#11057247"},[],{"anchor":"11057247"},[],{"items":"\u003cul class=\"phabricator-action-list-view \"\u003e\u003cli id=\"UQ0_65\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"#\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-quote\" data-meta=\"0_338\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-quote-left phabricator-action-view-icon\" data-meta=\"0_339\" aria-hidden=\"true\"\u003e\u003c\/span\u003eQuote Comment\u003c\/a\u003e\u003c\/li\u003e\u003cli id=\"UQ0_67\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"\/transactions\/raw\/PHID-XACT-TASK-niz4uwzj5wu5grx\/\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-raw\" data-meta=\"0_340\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-code phabricator-action-view-icon\" data-meta=\"0_341\" aria-hidden=\"true\"\u003e\u003c\/span\u003eView Raw Remarkup\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e"},[],{"tip":"Via Web"},[],{"tip":"Backport Deployer","align":"E","size":300},[],{"phid":"PHID-XACT-TASK-niz4uwzj5wu5grx","anchor":"11057247"},{"targetID":"UQ0_1","uri":"\/transactions\/quote\/PHID-XACT-TASK-vtp3prcky46fi6i\/","ref":"T401099#11057250"},[],{"anchor":"11057250"},[],{"items":"\u003cul class=\"phabricator-action-list-view \"\u003e\u003cli id=\"UQ0_69\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"#\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-quote\" data-meta=\"0_349\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-quote-left phabricator-action-view-icon\" data-meta=\"0_350\" aria-hidden=\"true\"\u003e\u003c\/span\u003eQuote Comment\u003c\/a\u003e\u003c\/li\u003e\u003cli id=\"UQ0_71\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"\/transactions\/raw\/PHID-XACT-TASK-vtp3prcky46fi6i\/\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-raw\" data-meta=\"0_351\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-code phabricator-action-view-icon\" data-meta=\"0_352\" aria-hidden=\"true\"\u003e\u003c\/span\u003eView Raw Remarkup\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e"},[],{"tip":"Via Web"},[],{"tip":"Backport Deployer","align":"E","size":300},[],{"phid":"PHID-XACT-TASK-vtp3prcky46fi6i","anchor":"11057250"},{"tip":"Via Web"},[],{"phid":"PHID-XACT-TASK-56xivopdhqvvpy3","anchor":"11057254"},{"targetID":"UQ0_1","uri":"\/transactions\/quote\/PHID-XACT-TASK-m7fwxkxgrih6qgc\/","ref":"T401099#11057284"},[],{"anchor":"11057284"},[],{"items":"\u003cul class=\"phabricator-action-list-view \"\u003e\u003cli id=\"UQ0_73\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"#\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-quote\" data-meta=\"0_363\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-quote-left phabricator-action-view-icon\" data-meta=\"0_364\" aria-hidden=\"true\"\u003e\u003c\/span\u003eQuote Comment\u003c\/a\u003e\u003c\/li\u003e\u003cli id=\"UQ0_75\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"\/transactions\/raw\/PHID-XACT-TASK-m7fwxkxgrih6qgc\/\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-raw\" data-meta=\"0_365\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-code phabricator-action-view-icon\" data-meta=\"0_366\" aria-hidden=\"true\"\u003e\u003c\/span\u003eView Raw Remarkup\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e"},[],{"tip":"Via Web"},[],{"phid":"PHID-XACT-TASK-m7fwxkxgrih6qgc","anchor":"11057284"},{"targetID":"UQ0_1","uri":"\/transactions\/quote\/PHID-XACT-TASK-t37yehidp2krz6y\/","ref":"T401099#11057309"},[],{"anchor":"11057309"},[],{"items":"\u003cul class=\"phabricator-action-list-view \"\u003e\u003cli id=\"UQ0_77\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"#\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-quote\" data-meta=\"0_372\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-quote-left phabricator-action-view-icon\" data-meta=\"0_373\" aria-hidden=\"true\"\u003e\u003c\/span\u003eQuote Comment\u003c\/a\u003e\u003c\/li\u003e\u003cli id=\"UQ0_79\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"\/transactions\/raw\/PHID-XACT-TASK-t37yehidp2krz6y\/\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-raw\" data-meta=\"0_374\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-code phabricator-action-view-icon\" data-meta=\"0_375\" aria-hidden=\"true\"\u003e\u003c\/span\u003eView Raw Remarkup\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e"},[],{"tip":"Via Web"},[],{"tip":"Backport Deployer","align":"E","size":300},[],{"phid":"PHID-XACT-TASK-t37yehidp2krz6y","anchor":"11057309"},{"tip":"Via Web"},[],{"phid":"PHID-XACT-TASK-i37ekkzyakg44tp","anchor":"11057321"},{"targetID":"UQ0_1","uri":"\/transactions\/quote\/PHID-XACT-TASK-7qngcsqlh3kzvrg\/","ref":"T401099#11057334"},[],{"anchor":"11057334"},[],{"items":"\u003cul class=\"phabricator-action-list-view \"\u003e\u003cli id=\"UQ0_81\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"#\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-quote\" data-meta=\"0_386\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-quote-left phabricator-action-view-icon\" data-meta=\"0_387\" aria-hidden=\"true\"\u003e\u003c\/span\u003eQuote Comment\u003c\/a\u003e\u003c\/li\u003e\u003cli id=\"UQ0_83\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"\/transactions\/raw\/PHID-XACT-TASK-7qngcsqlh3kzvrg\/\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-raw\" data-meta=\"0_388\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-code phabricator-action-view-icon\" data-meta=\"0_389\" aria-hidden=\"true\"\u003e\u003c\/span\u003eView Raw Remarkup\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e"},[],{"tip":"Via Web"},[],{"phid":"PHID-XACT-TASK-7qngcsqlh3kzvrg","anchor":"11057334"},{"targetID":"UQ0_1","uri":"\/transactions\/quote\/PHID-XACT-TASK-m3gf5yznk2rlewm\/","ref":"T401099#11057357"},[],{"anchor":"11057357"},[],{"items":"\u003cul class=\"phabricator-action-list-view \"\u003e\u003cli id=\"UQ0_85\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"#\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-quote\" data-meta=\"0_395\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-quote-left phabricator-action-view-icon\" data-meta=\"0_396\" aria-hidden=\"true\"\u003e\u003c\/span\u003eQuote Comment\u003c\/a\u003e\u003c\/li\u003e\u003cli id=\"UQ0_87\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"\/transactions\/raw\/PHID-XACT-TASK-m3gf5yznk2rlewm\/\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-raw\" data-meta=\"0_397\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-code phabricator-action-view-icon\" data-meta=\"0_398\" aria-hidden=\"true\"\u003e\u003c\/span\u003eView Raw Remarkup\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e"},[],{"tip":"Via Web"},[],{"phid":"PHID-XACT-TASK-m3gf5yznk2rlewm","anchor":"11057357"},{"targetID":"UQ0_1","uri":"\/transactions\/quote\/PHID-XACT-TASK-n7nbylrd5jywjiq\/","ref":"T401099#11057358"},[],{"anchor":"11057358"},[],{"items":"\u003cul class=\"phabricator-action-list-view \"\u003e\u003cli id=\"UQ0_89\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"#\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-quote\" data-meta=\"0_404\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-quote-left phabricator-action-view-icon\" data-meta=\"0_405\" aria-hidden=\"true\"\u003e\u003c\/span\u003eQuote Comment\u003c\/a\u003e\u003c\/li\u003e\u003cli id=\"UQ0_91\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"\/transactions\/raw\/PHID-XACT-TASK-n7nbylrd5jywjiq\/\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-raw\" data-meta=\"0_406\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-code phabricator-action-view-icon\" data-meta=\"0_407\" aria-hidden=\"true\"\u003e\u003c\/span\u003eView Raw Remarkup\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e"},[],{"tip":"Via Web"},[],{"tip":"Backport Deployer","align":"E","size":300},[],{"phid":"PHID-XACT-TASK-7z5s46hnyygedaf","anchor":"11057358"},{"targetID":"UQ0_1","uri":"\/transactions\/quote\/PHID-XACT-TASK-4fwdgsccnozoooa\/","ref":"T401099#11057363"},[],{"anchor":"11057363"},[],{"items":"\u003cul class=\"phabricator-action-list-view \"\u003e\u003cli id=\"UQ0_93\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"#\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-quote\" data-meta=\"0_415\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-quote-left phabricator-action-view-icon\" data-meta=\"0_416\" aria-hidden=\"true\"\u003e\u003c\/span\u003eQuote Comment\u003c\/a\u003e\u003c\/li\u003e\u003cli id=\"UQ0_95\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"\/transactions\/raw\/PHID-XACT-TASK-4fwdgsccnozoooa\/\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-raw\" data-meta=\"0_417\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-code phabricator-action-view-icon\" data-meta=\"0_418\" aria-hidden=\"true\"\u003e\u003c\/span\u003eView Raw Remarkup\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e"},[],{"tip":"Via Web"},[],{"phid":"PHID-XACT-TASK-4fwdgsccnozoooa","anchor":"11057363"},{"targetID":"UQ0_1","uri":"\/transactions\/quote\/PHID-XACT-TASK-6lto4sifhqwpffv\/","ref":"T401099#11057455"},[],{"anchor":"11057455"},[],{"items":"\u003cul class=\"phabricator-action-list-view \"\u003e\u003cli id=\"UQ0_97\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"#\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-quote\" data-meta=\"0_424\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-quote-left phabricator-action-view-icon\" data-meta=\"0_425\" aria-hidden=\"true\"\u003e\u003c\/span\u003eQuote Comment\u003c\/a\u003e\u003c\/li\u003e\u003cli id=\"UQ0_99\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"\/transactions\/raw\/PHID-XACT-TASK-6lto4sifhqwpffv\/\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-raw\" data-meta=\"0_426\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-code phabricator-action-view-icon\" data-meta=\"0_427\" aria-hidden=\"true\"\u003e\u003c\/span\u003eView Raw Remarkup\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e"},[],{"tip":"Via Web"},[],{"phid":"PHID-XACT-TASK-6lto4sifhqwpffv","anchor":"11057455"},{"targetID":"UQ0_1","uri":"\/transactions\/quote\/PHID-XACT-TASK-xxw5to74xkpao6m\/","ref":"T401099#11057474"},[],{"anchor":"11057474"},[],{"items":"\u003cul class=\"phabricator-action-list-view \"\u003e\u003cli id=\"UQ0_101\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"#\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-quote\" data-meta=\"0_433\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-quote-left phabricator-action-view-icon\" data-meta=\"0_434\" aria-hidden=\"true\"\u003e\u003c\/span\u003eQuote Comment\u003c\/a\u003e\u003c\/li\u003e\u003cli id=\"UQ0_103\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"\/transactions\/raw\/PHID-XACT-TASK-xxw5to74xkpao6m\/\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-raw\" data-meta=\"0_435\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-code phabricator-action-view-icon\" data-meta=\"0_436\" aria-hidden=\"true\"\u003e\u003c\/span\u003eView Raw Remarkup\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e"},[],{"tip":"Via Web"},[],{"tip":"Backport Deployer","align":"E","size":300},[],{"phid":"PHID-XACT-TASK-xxw5to74xkpao6m","anchor":"11057474"},{"targetID":"UQ0_1","uri":"\/transactions\/quote\/PHID-XACT-TASK-patnvetsd4kcw2s\/","ref":"T401099#11057483"},[],{"anchor":"11057483"},[],{"items":"\u003cul class=\"phabricator-action-list-view \"\u003e\u003cli id=\"UQ0_105\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"#\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-quote\" data-meta=\"0_444\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-quote-left phabricator-action-view-icon\" data-meta=\"0_445\" aria-hidden=\"true\"\u003e\u003c\/span\u003eQuote Comment\u003c\/a\u003e\u003c\/li\u003e\u003cli id=\"UQ0_107\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"\/transactions\/raw\/PHID-XACT-TASK-patnvetsd4kcw2s\/\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-raw\" data-meta=\"0_446\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-code phabricator-action-view-icon\" data-meta=\"0_447\" aria-hidden=\"true\"\u003e\u003c\/span\u003eView Raw Remarkup\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e"},[],{"tip":"Via Web"},[],{"tip":"Backport Deployer","align":"E","size":300},[],{"phid":"PHID-XACT-TASK-patnvetsd4kcw2s","anchor":"11057483"},{"targetID":"UQ0_1","uri":"\/transactions\/quote\/PHID-XACT-TASK-xp5g4gbkl4xkwpa\/","ref":"T401099#11057487"},[],{"anchor":"11057487"},[],{"items":"\u003cul class=\"phabricator-action-list-view \"\u003e\u003cli id=\"UQ0_109\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"#\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-quote\" data-meta=\"0_455\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-quote-left phabricator-action-view-icon\" data-meta=\"0_456\" aria-hidden=\"true\"\u003e\u003c\/span\u003eQuote Comment\u003c\/a\u003e\u003c\/li\u003e\u003cli id=\"UQ0_111\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"\/transactions\/raw\/PHID-XACT-TASK-xp5g4gbkl4xkwpa\/\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-raw\" data-meta=\"0_457\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-code phabricator-action-view-icon\" data-meta=\"0_458\" aria-hidden=\"true\"\u003e\u003c\/span\u003eView Raw Remarkup\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e"},[],{"tip":"Via Web"},[],[],{"phid":"PHID-XACT-TASK-z3psahhqvh6isui","anchor":"11057487"},{"targetID":"UQ0_1","uri":"\/transactions\/quote\/PHID-XACT-TASK-46gkp4kthzdz3qj\/","ref":"T401099#11057522"},[],{"anchor":"11057522"},[],{"items":"\u003cul class=\"phabricator-action-list-view \"\u003e\u003cli id=\"UQ0_113\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"#\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-quote\" data-meta=\"0_465\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-quote-left phabricator-action-view-icon\" data-meta=\"0_466\" aria-hidden=\"true\"\u003e\u003c\/span\u003eQuote Comment\u003c\/a\u003e\u003c\/li\u003e\u003cli id=\"UQ0_115\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"\/transactions\/raw\/PHID-XACT-TASK-46gkp4kthzdz3qj\/\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-raw\" data-meta=\"0_467\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-code phabricator-action-view-icon\" data-meta=\"0_468\" aria-hidden=\"true\"\u003e\u003c\/span\u003eView Raw Remarkup\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e"},[],{"tip":"Via Web"},[],{"phid":"PHID-XACT-TASK-i5vme7l3dltna37","anchor":"11057522"},{"targetID":"UQ0_1","uri":"\/transactions\/quote\/PHID-XACT-TASK-gprwp575u2ik7ip\/","ref":"T401099#11057543"},[],{"anchor":"11057543"},[],{"items":"\u003cul class=\"phabricator-action-list-view \"\u003e\u003cli id=\"UQ0_117\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"#\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-quote\" data-meta=\"0_474\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-quote-left phabricator-action-view-icon\" data-meta=\"0_475\" aria-hidden=\"true\"\u003e\u003c\/span\u003eQuote Comment\u003c\/a\u003e\u003c\/li\u003e\u003cli id=\"UQ0_119\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"\/transactions\/raw\/PHID-XACT-TASK-gprwp575u2ik7ip\/\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-raw\" data-meta=\"0_476\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-code phabricator-action-view-icon\" data-meta=\"0_477\" aria-hidden=\"true\"\u003e\u003c\/span\u003eView Raw Remarkup\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e"},[],{"tip":"Via Web"},[],{"phid":"PHID-XACT-TASK-d6r3yp77u57dajo","anchor":"11057543"},{"targetID":"UQ0_1","uri":"\/transactions\/quote\/PHID-XACT-TASK-shnsqhn7f36nazk\/","ref":"T401099#11057579"},[],{"anchor":"11057579"},[],{"items":"\u003cul class=\"phabricator-action-list-view \"\u003e\u003cli id=\"UQ0_121\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"#\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-quote\" data-meta=\"0_483\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-quote-left phabricator-action-view-icon\" data-meta=\"0_484\" aria-hidden=\"true\"\u003e\u003c\/span\u003eQuote Comment\u003c\/a\u003e\u003c\/li\u003e\u003cli id=\"UQ0_123\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"\/transactions\/raw\/PHID-XACT-TASK-shnsqhn7f36nazk\/\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-raw\" data-meta=\"0_485\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-code phabricator-action-view-icon\" data-meta=\"0_486\" aria-hidden=\"true\"\u003e\u003c\/span\u003eView Raw Remarkup\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e"},[],{"tip":"Via Web"},[],{"phid":"PHID-XACT-TASK-shnsqhn7f36nazk","anchor":"11057579"},{"tip":"Via Web"},[],{"phid":"PHID-XACT-TASK-57hamsgbenofs26","anchor":"11057588"},{"targetID":"UQ0_1","uri":"\/transactions\/quote\/PHID-XACT-TASK-tznec27hmpqp575\/","ref":"T401099#11057611"},[],{"anchor":"11057611"},[],{"items":"\u003cul class=\"phabricator-action-list-view \"\u003e\u003cli id=\"UQ0_125\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"#\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-quote\" data-meta=\"0_495\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-quote-left phabricator-action-view-icon\" data-meta=\"0_496\" aria-hidden=\"true\"\u003e\u003c\/span\u003eQuote Comment\u003c\/a\u003e\u003c\/li\u003e\u003cli id=\"UQ0_127\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"\/transactions\/raw\/PHID-XACT-TASK-tznec27hmpqp575\/\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-raw\" data-meta=\"0_497\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-code phabricator-action-view-icon\" data-meta=\"0_498\" aria-hidden=\"true\"\u003e\u003c\/span\u003eView Raw Remarkup\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e"},[],{"tip":"Via Web"},[],{"tip":"Backport Deployer","align":"E","size":300},[],{"phid":"PHID-XACT-TASK-tznec27hmpqp575","anchor":"11057611"},{"targetID":"UQ0_1","uri":"\/transactions\/quote\/PHID-XACT-TASK-lg6wt44z4qkodiz\/","ref":"T401099#11057645"},[],{"anchor":"11057645"},[],[],{"items":"\u003cul class=\"phabricator-action-list-view \"\u003e\u003cli id=\"UQ0_129\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"#\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-quote\" data-meta=\"0_506\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-quote-left phabricator-action-view-icon\" data-meta=\"0_507\" aria-hidden=\"true\"\u003e\u003c\/span\u003eQuote Comment\u003c\/a\u003e\u003c\/li\u003e\u003cli id=\"UQ0_131\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"\/transactions\/raw\/PHID-XACT-TASK-lg6wt44z4qkodiz\/\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-raw\" data-meta=\"0_508\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-code phabricator-action-view-icon\" data-meta=\"0_509\" aria-hidden=\"true\"\u003e\u003c\/span\u003eView Raw Remarkup\u003c\/a\u003e\u003c\/li\u003e\u003cli id=\"UQ0_133\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"\/transactions\/history\/PHID-XACT-TASK-lg6wt44z4qkodiz\/\" class=\"phabricator-action-view-item\" data-sigil=\"workflow\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-list phabricator-action-view-icon\" data-meta=\"0_510\" aria-hidden=\"true\"\u003e\u003c\/span\u003eView Edit History\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e"},[],{"tip":"Via Web"},[],{"phid":"PHID-XACT-TASK-lg6wt44z4qkodiz","anchor":"11057645"},{"targetID":"UQ0_1","uri":"\/transactions\/quote\/PHID-XACT-TASK-hkq2x4c2owx3u3p\/","ref":"T401099#11057666"},[],{"anchor":"11057666"},[],{"items":"\u003cul class=\"phabricator-action-list-view \"\u003e\u003cli id=\"UQ0_135\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"#\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-quote\" data-meta=\"0_516\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-quote-left phabricator-action-view-icon\" data-meta=\"0_517\" aria-hidden=\"true\"\u003e\u003c\/span\u003eQuote Comment\u003c\/a\u003e\u003c\/li\u003e\u003cli id=\"UQ0_137\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"\/transactions\/raw\/PHID-XACT-TASK-hkq2x4c2owx3u3p\/\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-raw\" data-meta=\"0_518\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-code phabricator-action-view-icon\" data-meta=\"0_519\" aria-hidden=\"true\"\u003e\u003c\/span\u003eView Raw Remarkup\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e"},[],{"tip":"Via Web"},[],{"phid":"PHID-XACT-TASK-hkq2x4c2owx3u3p","anchor":"11057666"},{"targetID":"UQ0_1","uri":"\/transactions\/quote\/PHID-XACT-TASK-tfcy3ai2b4wvrvx\/","ref":"T401099#11057671"},[],{"anchor":"11057671"},[],{"items":"\u003cul class=\"phabricator-action-list-view \"\u003e\u003cli id=\"UQ0_139\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"#\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-quote\" data-meta=\"0_525\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-quote-left phabricator-action-view-icon\" data-meta=\"0_526\" aria-hidden=\"true\"\u003e\u003c\/span\u003eQuote Comment\u003c\/a\u003e\u003c\/li\u003e\u003cli id=\"UQ0_141\" class=\"phabricator-action-view phabricator-action-view-href action-has-icon\" style=\"\"\u003e\u003ca href=\"\/transactions\/raw\/PHID-XACT-TASK-tfcy3ai2b4wvrvx\/\" class=\"phabricator-action-view-item\" data-sigil=\"transaction-raw\" data-meta=\"0_527\"\u003e\u003cspan class=\"visual-only phui-icon-view phui-font-fa fa-code phabricator-action-view-icon\" data-meta=\"0_528\" aria-hidden=\"true\"\u003e\u003c\/span\u003eView Raw Remarkup\u003c\/a\u003e\u003c\/li\u003e\u003c\/ul\u003e"},[],{"tip":"Via Web"},[],{"tip":"Backport Deployer","align":"E","size":300},[],{"phid":"PHID-XACT-TASK-tfcy3ai2b4wvrvx","anchor":"11057671"}],"javelin_behaviors":{"phui-hovercards":[],"phabricator-watch-anchor":[],"phabricator-tooltips":[],"phui-dropdown-menu":[]},"javelin_resources":["https:\/\/phab.wmfusercontent.org\/res\/defaultX\/phabricator\/dad1a225\/core.pkg.js","https:\/\/phab.wmfusercontent.org\/res\/defaultX\/phabricator\/98e6504a\/rsrc\/externals\/javelin\/core\/init.js","https:\/\/phab.wmfusercontent.org\/res\/defaultX\/phabricator\/61fbbcf7\/core.pkg.css","https:\/\/phab.wmfusercontent.org\/res\/defaultX\/phabricator\/aa49028c\/rsrc\/css\/phui\/phui-badge.css"]}