includes/OutputHandler.php

   1 <?php
   2 /**
   3  * Functions to be used with PHP's output buffer
   4  *
   5  * @file
   6  */
   7
   8 /**
   9  * Standard output handler for use with ob_start
  10  *
  11  * @param $s string
  12  *
  13  * @return string
  14  */
  15 function wfOutputHandler( $s ) {
  16         global $wgDisableOutputCompression, $wgValidateAllHtml;
  17         $s = wfMangleFlashPolicy( $s );
  18         if ( $wgValidateAllHtml ) {
  19                 $headers = apache_response_headers();
  20                 $isHTML = true;
  21                 foreach ( $headers as $name => $value ) {
  22                         if ( strtolower( $name ) == 'content-type' && strpos( $value, 'text/html' ) === false && strpos( $value, 'application/xhtml+xml' ) === false ) {
  23                                 $isHTML = false;
  24                                 break;
  25                         }
  26                 }
  27                 if ( $isHTML ) {
  28                         $s = wfHtmlValidationHandler( $s );
  29                 }
  30         }
  31         if ( !$wgDisableOutputCompression && !ini_get( 'zlib.output_compression' ) ) {
  32                 if ( !defined( 'MW_NO_OUTPUT_COMPRESSION' ) ) {
  33                         $s = wfGzipHandler( $s );
  34                 }
  35                 if ( !ini_get( 'output_handler' ) ) {
  36                         wfDoContentLength( strlen( $s ) );
  37                 }
  38         }
  39         return $s;
  40 }
  41
  42 /**
  43  * Get the "file extension" that some client apps will estimate from
  44  * the currently-requested URL.
  45  * This isn't on WebRequest because we need it when things aren't initialized
  46  * @private
  47  *
  48  * @return string
  49  */
  50 function wfRequestExtension() {
  51         /// @todo FIXME: this sort of dupes some code in WebRequest::getRequestUrl()
  52         if( isset( $_SERVER['REQUEST_URI'] ) ) {
  53                 // Strip the query string...
  54                 list( $path ) = explode( '?', $_SERVER['REQUEST_URI'], 2 );
  55         } elseif( isset( $_SERVER['SCRIPT_NAME'] ) ) {
  56                 // Probably IIS. QUERY_STRING appears separately.
  57                 $path = $_SERVER['SCRIPT_NAME'];
  58         } else {
  59                 // Can't get the path from the server? :(
  60                 return '';
  61         }
  62
  63         $period = strrpos( $path, '.' );
  64         if( $period !== false ) {
  65                 return strtolower( substr( $path, $period ) );
  66         }
  67         return '';
  68 }
  69
  70 /**
  71  * Handler that compresses data with gzip if allowed by the Accept header.
  72  * Unlike ob_gzhandler, it works for HEAD requests too.
  73  *
  74  * @param $s string
  75  *
  76  * @return string
  77  */
  78 function wfGzipHandler( $s ) {
  79         if( !function_exists( 'gzencode' ) || headers_sent() ) {
  80                 return $s;
  81         }
  82
  83         $ext = wfRequestExtension();
  84         if( $ext == '.gz' || $ext == '.tgz' ) {
  85                 // Don't do gzip compression if the URL path ends in .gz or .tgz
  86                 // This confuses Safari and triggers a download of the page,
  87                 // even though it's pretty clearly labeled as viewable HTML.
  88                 // Bad Safari! Bad!
  89                 return $s;
  90         }
  91
  92         if( wfClientAcceptsGzip() ) {
  93                 header( 'Content-Encoding: gzip' );
  94                 $s = gzencode( $s, 6 );
  95         }
  96
  97         // Set vary header if it hasn't been set already
  98         $headers = headers_list();
  99         $foundVary = false;
 100         foreach ( $headers as $header ) {
 101                 if ( substr( $header, 0, 5 ) == 'Vary:' ) {
 102                         $foundVary = true;
 103                         break;
 104                 }
 105         }
 106         if ( !$foundVary ) {
 107                 header( 'Vary: Accept-Encoding' );
 108                 global $wgUseXVO;
 109                 if ( $wgUseXVO ) {
 110                         header( 'X-Vary-Options: Accept-Encoding;list-contains=gzip' );
 111                 }
 112         }
 113         return $s;
 114 }
 115
 116 /**
 117  * Mangle flash policy tags which open up the site to XSS attacks.
 118  *
 119  * @param $s string
 120  *
 121  * @return string
 122  */
 123 function wfMangleFlashPolicy( $s ) {
 124         # Avoid weird excessive memory usage in PCRE on big articles
 125         if ( preg_match( '/\<\s*cross-domain-policy\s*\>/i', $s ) ) {
 126                 return preg_replace( '/\<\s*cross-domain-policy\s*\>/i', '<NOT-cross-domain-policy>', $s );
 127         } else {
 128                 return $s;
 129         }
 130 }
 131
 132 /**
 133  * Add a Content-Length header if possible. This makes it cooperate with squid better.
 134  *
 135  * @param $length int
 136  */
 137 function wfDoContentLength( $length ) {
 138         if ( !headers_sent() && $_SERVER['SERVER_PROTOCOL'] == 'HTTP/1.0' ) {
 139                 header( "Content-Length: $length" );
 140         }
 141 }
 142
 143 /**
 144  * Replace the output with an error if the HTML is not valid
 145  *
 146  * @param $s string
 147  *
 148  * @return string
 149  */
 150 function wfHtmlValidationHandler( $s ) {
 151
 152         $errors = '';
 153         if ( MWTidy::checkErrors( $s, $errors ) ) {
 154                 return $s;
 155         }
 156
 157         header( 'Cache-Control: no-cache' );
 158
 159         $out = <<<EOT
 160 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 161 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
 162 <head>
 163 <title>HTML validation error</title>
 164 <style>
 165 .highlight { background-color: #ffc }
 166 li { white-space: pre }
 167 </style>
 168 </head>
 169 <body>
 170 <h1>HTML validation error</h1>
 171 <ul>
 172 EOT;
 173
 174         $error = strtok( $errors, "\n" );
 175         $badLines = array();
 176         while ( $error !== false ) {
 177                 if ( preg_match( '/^line (\d+)/', $error, $m ) ) {
 178                         $lineNum = intval( $m[1] );
 179                         $badLines[$lineNum] = true;
 180                         $out .= "<li><a href=\"#line-{$lineNum}\">" . htmlspecialchars( $error ) . "</a></li>\n";
 181                 }
 182                 $error = strtok( "\n" );
 183         }
 184
 185         $out .= '</ul>';
 186         $out .= '<pre>' . htmlspecialchars( $errors ) . '</pre>';
 187         $out .= "<ol>\n";
 188         $line = strtok( $s, "\n" );
 189         $i = 1;
 190         while ( $line !== false ) {
 191                 if ( isset( $badLines[$i] ) ) {
 192                         $out .= "<li class=\"highlight\" id=\"line-$i\">";
 193                 } else {
 194                         $out .= '<li>';
 195                 }
 196                 $out .= htmlspecialchars( $line ) . "</li>\n";
 197                 $line = strtok( "\n" );
 198                 $i++;
 199         }
 200         $out .= '</ol></body></html>';
 201         return $out;
 202 }