Subramanya Sastry has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/81569


Change subject: (Bug 52940): Pass through parsoid-inserted attrs in sanitizer
......................................................................

(Bug 52940): Pass through parsoid-inserted attrs in sanitizer

* Till now, the sanitizer had a hack for the typeof attribute
  to pass them through. Plus, any html tags that were not in
  the whitelist had their about attributes stripped as well.

  This works well for templates, regular wikitext and extensions
  that generate HTML tags in the whitelist.  However, for
  extensions like <timeline> which generates the <map> html
  tag, the about attribute was getting stripped.

* Given that we now escape Parsoid-mimicking attributes, it is
  safe to let through all typeof and about attributes that have
  Parsoid-generated values.

  This fixes the parse output for the timeline extension (see
  example below).

* TODO: Add a parser test for this.  Might require putzing with
  mockAPI.js -- will work on it in a separate patch.

-------------------------
<timeline>

ImageSize  = width:160 height:550
PlotArea   = left:50 right:0 bottom:10 top:10
AlignBars  = justify

DateFormat = yyyy
Period     = from:1919 till:1991
TimeAxis   = orientation:vertical
ScaleMajor = unit:year increment:5 start:1920

Define $dx = 25 # shift text to right side of bar

PlotData=
  bar:Leaders color:red width:25 mark:(line,white) align:left fontsize:S

  from:start till:1922 shift:($dx,15)   text:Vladimir~Ilyich~[[Lenin]]
  from:1922  till:1953 shift:($dx,5)    text:[[Stalin|Josef~Stalin]]
  from:1953  till:1964 shift:($dx,5)    text:Nikita~[[Khrushchev]]
  from:1964  till:1982 shift:($dx,5)    text:Leonid~[[Brezhnev]]
  from:1982  till:1984 shift:($dx,-12)  text:Yuri~[[Andropov]]
  from:1984  till:1985 shift:($dx,4)    text:Konstantin~[[Chernenko]] fontsize:XS
  from:1985  till:end  shift:($dx,10)   text:Mikhail~[[Gorbachev]]
</timeline>
-------------------------

Change-Id: Ice20289f71fdb47c671deb9bd331032a48bb0e1e
---
M js/lib/ext.core.Sanitizer.js
1 file changed, 18 insertions(+), 9 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/Parsoid refs/changes/69/81569/1

diff --git a/js/lib/ext.core.Sanitizer.js b/js/lib/ext.core.Sanitizer.js
index 64425e7..cc6691c 100644
--- a/js/lib/ext.core.Sanitizer.js
+++ b/js/lib/ext.core.Sanitizer.js
@@ -903,6 +903,11 @@
        return id;
 };
 
+Sanitizer.prototype.isParsoidInsertedAttr = function(k, v) {
+       return k === "typeof" && /\bmw:.*?\b/.test(v) ||
+               k === "about" && /^#mwt\d+/.test(v);
+}
+
 Sanitizer.prototype.sanitizeTagAttrs = function(newToken, attrs) {
        var tag       = newToken.name;
        var allowRdfa = this.constants.globalConfig.allowRdfaAttrs;
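Review bot: both patterns in isParsoidInsertedAttr are looser than "Parsoid-generated value" implies, and a match here bypasses the whitelist. /\bmw:.*?\b/ is unanchored, so any typeof value that contains mw: with a word character somewhere after it is accepted (the lazy .*?\b adds no real constraint), and /^#mwt\d+/ has no $, so trailing content after the digits passes as well. Suggest anchoring both, for example checking each space-separated typeof token against a ^mw:...$ pattern and using /^#mwt\d+$/ for about. Also parenthesize the mixed && / || expression and add the missing semicolon after the closing brace of the function expression.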
@@ -924,7 +929,15 @@
 
                //console.warn('k = ' + k + '; v = ' + v);
 
-               // allow XML namespace declaration if RDFa is enabled
+               // Allow Parsoid-generated typeof and about tags
+               // since we recognize all Parsoid-mimicing typeof/about
+               // and escape them.
+               if (this.isParsoidInsertedAttr(k, v)) {
+                       newAttrs[k] = [v, origV, origK];
+                       continue;
+               }
+
+               // Allow XML namespace declaration if RDFa is enabled
                if (allowRdfa && k.match(xmlnsRE)) {
                        if (!v.match(evilUriRE)) {
                                newAttrs[k] = [v, origV, origK];
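Review bot: the early continue in the isParsoidInsertedAttr branch runs before the xmlns, whitelist and later checks and applies to every tag, so its safety rests entirely on the escaping of Parsoid-mimicking attributes that the comment mentions, and that escaping is not part of this diff. Suggest naming in the comment where the escaping happens so the dependency stays visible to later edits, and adding the parser test from the commit message TODO together with this change. The comment should also say "attributes" rather than "tags", and "mimicing" is misspelled.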
@@ -934,14 +947,10 @@
                        continue;
                }
 
-               // SSS FIXME: Temporary hack to let wrapped extension tags 
through
-               // so that they can be unwrapped.
-               if (k !== 'typeof') {
-                       // Allow any attribute beginning with "data-", if in 
HTML5 mode
-                       if (!(html5Mode && k.match(/^data-/i)) && wlist[k] !== 
true) {
-                               newAttrs[k] = [null, origV, origK];
-                               continue;
-                       }
+               // Allow any attribute beginning with "data-", if in HTML5 mode
+               if (!(html5Mode && k.match(/^data-/i)) && wlist[k] !== true) {
+                       newAttrs[k] = [null, origV, origK];
+                       continue;
                }
 
                // Strip javascript "expression" from stylesheets.
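Review bot: with the k !== 'typeof' guard removed, a typeof value that does not match isParsoidInsertedAttr now reaches the whitelist check and is set to null unless wlist allows it; please confirm that this is intended and cover it in the planned parser test. The comment above the condition describes only the data- exception while the branch it guards strips non-whitelisted attributes, so wording such as "Strip attributes not in the whitelist, except data-* in HTML5 mode" would match the code.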

-- 
To view, visit https://gerrit.wikimedia.org/r/81569
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ice20289f71fdb47c671deb9bd331032a48bb0e1e
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/Parsoid
Gerrit-Branch: master
Gerrit-Owner: Subramanya Sastry <ssas...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
