Occasionally it's useful to pass trusted data to JavaScript using data
attributes on elements that you know is not from the user. In the
past, there have been security issues from using the data attribute for
information that is assumed to be trusted, but in reality could be
messed with by the user. (T58699, T105413)

We already reserve data-ooui (by reserve, I mean blacklist in the
sanitizer). But it feels wrong to use that for parts of MW that are
not OOUI. I would like to propose that we reserve the data-mw- prefix as
well for general usage by MediaWiki/extensions (by which I mean that
any attribute starting with data-mw- would be blocked by the
sanitizer. Thus if a user writes on a wiki page <span
data-mw-foo="bar"></span>, the data-mw-foo attribute would be
stripped). Thus if JavaScript sees such an attribute, it can know for
sure that the value is not direct untrusted user input.

Anyone have any objections to doing this?

Bikeshed now about the choice of name for the prefix, or forever hold
your peace ;)

--
-bawolff
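
The rule proposed in the message above, as an added example that is not part of the original message and is not MediaWiki's Sanitizer code. The function names, the two constants and the sample attributes are hypothetical, and data-ooui is assumed to be reserved as an exact attribute name.

```javascript
// Hypothetical reserved-name tables; not taken from MediaWiki's source.
const RESERVED_EXACT = new Set(['data-ooui']);
const RESERVED_PREFIXES = ['data-mw-'];

// The HTML parser lowercases attribute names, so the check must be
// case-insensitive: otherwise DATA-MW-foo would pass the filter and
// still reach client-side code as data-mw-foo.
function isReservedAttribute(name) {
  const n = String(name).toLowerCase();
  return RESERVED_EXACT.has(n) || RESERVED_PREFIXES.some((p) => n.startsWith(p));
}

// attrs: array of [name, value] pairs parsed from one user-written tag.
// Returns the pairs that survive and the names that were stripped,
// so the caller can log attempts to use the reserved namespace.
function stripReservedAttributes(attrs) {
  const kept = [];
  const stripped = [];
  for (const [name, value] of attrs) {
    if (isReservedAttribute(name)) {
      stripped.push(name);
    } else {
      kept.push([String(name).toLowerCase(), value]);
    }
  }
  return { kept, stripped };
}

// Constructed sample: attributes of a <span> written by a user on a wiki page.
const userSpan = [
  ['class', 'note'],
  ['data-mw-foo', 'bar'],
  ['DATA-MW-Config', '{"admin":true}'],
  ['data-ooui', '{}'],
  ['data-mwfoo', 'ok'], // no dash after "mw": outside the reserved prefix
  ['data-sort-value', '3'],
];

const result = stripReservedAttributes(userSpan);
console.log('kept:', result.kept.map(([n]) => n).join(', '));
console.log('stripped:', result.stripped.join(', '));
```

The guarantee only holds if every path that emits user-controlled HTML goes through the same filter; trusted server-side code adds its data-mw- attributes after sanitization.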
