X-Git-Url: http://git.heureux-cyclage.org/?a=blobdiff_plain;f=includes%2Fparser%2FCoreTagHooks.php;h=d17860078112b2c91ce6773bfcc552c9ef2bea0a;hb=352854ee0f82758e9c0fce2b8f44cfe01de9150d;hp=c943b7c98637b59c0ef9783e9211d4e848f8cd1e;hpb=e968a1f431ad058dcb14adb2757bde5664b99a79;p=lhc%2Fweb%2Fwiklou.git
diff --git a/includes/parser/CoreTagHooks.php b/includes/parser/CoreTagHooks.php
index c943b7c986..d178600781 100644
--- a/includes/parser/CoreTagHooks.php
+++ b/includes/parser/CoreTagHooks.php
@@ -46,6 +46,10 @@ class CoreTagHooks {
 * Text is treated roughly as 'nowiki' wrapped in an HTML 'pre' tag;
 * valid HTML attributes are passed on.
 *
+ * Uses custom html escaping which phan-taint-check won't recognize
+ * hence we suppress the error.
+ * @suppress SecurityCheck-XSS
+ *
 * @param string $text
 * @param array $attribs
 * @param Parser $parser
@@ -75,16 +79,30 @@ class CoreTagHooks {
 *
 * Uses undocumented extended tag hook return values, introduced in r61913.
 *
+ * @suppress SecurityCheck-XSS
 * @param string $content
 * @param array $attributes
 * @param Parser $parser
 * @throws MWException
- * @return array
+ * @return array|string Output of tag hook
 */
 public static function html( $content, $attributes, $parser ) {
 global $wgRawHtml;
 if ( $wgRawHtml ) {
- return [ $content, 'markerType' => 'nowiki' ];
+ if ( $parser->getOptions()->getAllowUnsafeRawHtml() ) {
+ return [ $content, 'markerType' => 'nowiki' ];
+ } else {
+ // In a system message where raw html is
+ // not allowed (but it is allowed in other
+ // contexts).
+ return Html::rawElement(
+ 'span',
+ [ 'class' => 'error' ],
+ // Using ->text() not ->parse() as
+ // a paranoia measure against a loop.
+ wfMessage( 'rawhtml-notallowed' )->escaped()
+ );
+ }
 } else {
 throw new MWException( ' extension tag encountered unexpectedly' );
 }
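Review bot: The comment above `wfMessage( 'rawhtml-notallowed' )->escaped()` says `->text()` was chosen over `->parse()`, but the call actually made is `->escaped()`, so the comment and the code disagree on the new side of the hunk. `->escaped()` is the right call here, since the result is handed to `Html::rawElement` as already-safe HTML and a plain `->text()` would not be escaped, so the comment should read `// Using ->escaped() not ->parse() as` / `// a paranoia measure against a loop.`. The `@suppress SecurityCheck-XSS` added to this method's docblock also arrives without the rationale the sibling hunks give; because it silences the taint checker for the whole method, including the deliberate raw return of `$content` and any branch added later, a line such as ` * Raw $content is returned by design when $wgRawHtml and the parser option allow it; phan-taint-check cannot see that gate.` would record why the suppression is acceptable. As a minor point of style, the `else` after the `return` in the new inner branch is unnecessary and could be dropped to flatten the nesting.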
@@ -97,6 +115,10 @@ class CoreTagHooks {
 *
 * Uses undocumented extended tag hook return values, introduced in r61913.
 *
+ * Uses custom html escaping which phan-taint-check won't recognize
+ * hence we suppress the error.
+ * @suppress SecurityCheck-XSS
+ *
 * @param string $content
 * @param array $attributes
 * @param Parser $parser