* Regular expression to match HTML/XML attribute pairs within a tag.
* Allows some... latitude.
* Used in Sanitizer::fixTagAttributes and Sanitizer::decodeTagAttributes
+ * @return string
*/
static function getAttribsRegex() {
if ( self::$attribsRegex === null ) {
* - Invalid id attributes are re-encoded
*
* @param array $attribs
- * @param array $whitelist list of allowed attribute names
+ * @param array $whitelist List of allowed attribute names
* @return array
*
* @todo Check for legal values where the DTD limits things.
* @return string
*/
static function checkCss( $value ) {
- global $wgDisallowedCss;
-
// Decode character references like {
$value = Sanitizer::decodeCharReferences( $value );
// Reject problematic keywords and control characters
if ( preg_match( '/[\000-\010\013\016-\037\177]/', $value ) ) {
return '/* invalid control char */';
- } else {
- if ( $wgDisallowedCss ) {
- if ( preg_match( $wgDisallowedCss, $value ) ) {
- return '/* insecure input */';
- }
- }
+ } elseif ( preg_match(
+ '! expression
+ | filter\s*:
+ | accelerator\s*:
+ | -o-link\s*:
+ | -o-link-source\s*:
+ | -o-replace\s*:
+ | url\s*\(
+ | image\s*\(
+ | image-set\s*\(
+ !ix', $value ) ) {
+ return '/* insecure input */';
}
return $value;
}
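Review bot: The keyword check added on lines 32-42 is applied to `$value` after only HTML character-reference decoding (line 22); CSS comments and backslash escape sequences inside the value are not normalized first, so the pattern catches the literal spellings only, while a CSS parser would still read an escaped or comment-split form as the same token. Normalize before matching: remove comments with `$value = preg_replace( '!/\*.*?\*/!s', ' ', $value );`, decode `\XX` hex escapes and backslash-quoted characters into the characters they stand for, and run the `expression`/`url(` pattern on that result. Because `preg_match` returns false on a PCRE error and the `elseif` then falls through to `return $value`, a false result should also be treated as a rejection rather than as "no match". Now that the `$wgDisallowedCss` hook is gone, the docblock (which begins before the hunk) should state that the function applies a fixed denylist, e.g. `* Rejects values containing expression, filter:, url( and similar tokens; the list is not configurable.`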
* @see http://www.whatwg.org/html/elements.html#the-id-attribute
* HTML5 definition of id attribute
*
- * @param string $id id to escape
+ * @param string $id Id to escape
* @param string|array $options String or array of strings (default is array()):
* 'noninitial': This is a non-initial fragment of an id, not a full id,
* so don't pay attention if the first character isn't valid at the
* attribs regex matches.
*
* @param array $set
- * @throws MWException when tag conditions are not met.
+ * @throws MWException When tag conditions are not met.
* @return string
*/
private static function getTagAttributeCallback( $set ) {