Add $wgUserHtml option; set to false to disable use of user-supplied HTML
authorBrion Vibber <brion@users.mediawiki.org>
Sun, 9 May 2004 12:04:59 +0000 (12:04 +0000)
committerBrion Vibber <brion@users.mediawiki.org>
Sun, 9 May 2004 12:04:59 +0000 (12:04 +0000)
in wiki markup. Note that <nowiki>, <pre>, <math> etc. are counted as wiki
markup. That <pre> looks like HTML's <pre> is a coincidence; they behave
differently (<pre> also disables other wiki markup, as <nowiki> does).

Also, escape the <math> tag when $wgUseTeX is off.

includes/DefaultSettings.php
includes/Parser.php

index ba13146..a9383a1 100644 (file)
@@ -368,6 +368,10 @@ $wgSpamRegex = false;
 # Go button goes straight to the edit screen if the article doesn't exist
 $wgGoToEdit = false;
 
+# Allow limited user-specified HTML?
+# It will be run through a whitelist for security.
+$wgUserHtml = true;
+
 # Optional: use tidy to make sure the output is sane, switch on by setting $wgUseTidy = true;
 $wgUseTidy = false;
 $wgTidyBin = 'tidy';
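Review bot: The comment added above `$wgUserHtml` documents only the default; it should also say what `false` does, since in Parser::removeHTMLtags the false branch empties every tag list, so all user-typed HTML tags are escaped rather than whitelisted. A reader of DefaultSettings.php cannot tell that from "run through a whitelist for security". Suggested wording: `# Allow limited user-specified HTML? If true, tags are checked against a whitelist;` / `# if false, every HTML tag in user input is escaped. Wiki-markup tags such as` / `# <nowiki>, <pre> and <math> are unaffected either way.`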
index 9efab38..b5924c7 100644 (file)
@@ -220,8 +220,12 @@ class Parser
 
                $text = Parser::extractTags("math", $text, $math_content, $uniq_prefix);
                foreach( $math_content as $marker => $content ){
-                       if( $render && $this->mOptions->getUseTeX() ){
-                               $math_content[$marker] = renderMath( $content );
+                       if( $render ) {
+                               if( $this->mOptions->getUseTeX() ) {
+                                       $math_content[$marker] = renderMath( $content );
+                               } else {
+                                       $math_content[$marker] = "&lt;math&gt;$content&lt;math&gt;";
+                               }
                        } else {
                                $math_content[$marker] = "<math>$content</math>";
                        }
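Review bot: The escaped fallback on the non-TeX branch is malformed: `"&lt;math&gt;$content&lt;math&gt;"` emits an opening tag twice, so the reader sees `<math>…<math>` instead of `<math>…</math>`; the closing entity should be `&lt;/math&gt;`, i.e. `$math_content[$marker] = "&lt;math&gt;$content&lt;/math&gt;";`. Separately, only the delimiters are escaped while `$content` is interpolated as-is; if the marker substitution happens after removeHTMLtags has run (the surrounding code is not in this hunk, so this is inferred), the extracted content would be re-inserted without going through the tag whitelist. Wrapping it as `htmlspecialchars( $content )` makes this branch safe regardless of where the substitution happens, since raw markup is never meaningful when TeX rendering is off. The enclosing method starts and ends outside the hunk.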
@@ -1540,26 +1544,34 @@ class Parser
        # Cleans up HTML, removes dangerous tags and attributes
        /* private */ function removeHTMLtags( $text )
        {
-               global $wgUseTidy;
+               global $wgUseTidy, $wgUserHtml;
                $fname = "Parser::removeHTMLtags";
                wfProfileIn( $fname );
-               $htmlpairs = array( # Tags that must be closed
-                       "b", "del", "i", "ins", "u", "font", "big", "small", "sub", "sup", "h1",
-                       "h2", "h3", "h4", "h5", "h6", "cite", "code", "em", "s",
-                       "strike", "strong", "tt", "var", "div", "center",
-                       "blockquote", "ol", "ul", "dl", "table", "caption", "pre",
-                       "ruby", "rt" , "rb" , "rp", "p"
-               );
-               $htmlsingle = array(
-                       "br", "hr", "li", "dt", "dd"
-               );
-               $htmlnest = array( # Tags that can be nested--??
-                       "table", "tr", "td", "th", "div", "blockquote", "ol", "ul",
-                       "dl", "font", "big", "small", "sub", "sup"
-               );
-               $tabletags = array( # Can only appear inside table
-                       "td", "th", "tr"
-               );
+               
+               if( $wgUserHtml ) {
+                       $htmlpairs = array( # Tags that must be closed
+                               "b", "del", "i", "ins", "u", "font", "big", "small", "sub", "sup", "h1",
+                               "h2", "h3", "h4", "h5", "h6", "cite", "code", "em", "s",
+                               "strike", "strong", "tt", "var", "div", "center",
+                               "blockquote", "ol", "ul", "dl", "table", "caption", "pre",
+                               "ruby", "rt" , "rb" , "rp", "p"
+                       );
+                       $htmlsingle = array(
+                               "br", "hr", "li", "dt", "dd"
+                       );
+                       $htmlnest = array( # Tags that can be nested--??
+                               "table", "tr", "td", "th", "div", "blockquote", "ol", "ul",
+                               "dl", "font", "big", "small", "sub", "sup"
+                       );
+                       $tabletags = array( # Can only appear inside table
+                               "td", "th", "tr"
+                       );
+               } else {
+                       $htmlpairs = array();
+                       $htmlsingle = array();
+                       $htmlnest = array();
+                       $tabletags = array();
+               }
 
                $htmlsingle = array_merge( $tabletags, $htmlsingle );
                $htmlelements = array_merge( $htmlsingle, $htmlpairs );
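Review bot: The new `else` branch (L87–L92) repeats four empty-array assignments that exist only to keep the later `array_merge` calls well-formed; a single initialisation before the `if`, `$htmlpairs = $htmlsingle = $htmlnest = $tabletags = array();`, lets the `else` be dropped and keeps the whitelist block the only place the lists are defined. The added blank line at L68 also carries trailing whitespace. As a point of consistency, `$wgUseTeX` is read through `$this->mOptions->getUseTeX()` in the math hunk above while `$wgUserHtml` is read as a bare global here; routing it through ParserOptions as well would keep the parser's behaviour switches in one place and make the off setting testable without touching globals (inferred from the visible accessor, not from ParserOptions itself). The function's header comment could also note the new switch, e.g. `# Cleans up HTML, removes dangerous tags and attributes; with $wgUserHtml off, every tag is escaped.` removeHTMLtags continues past the end of this hunk.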