resourceloader: Remove top/bottom queue distinction
diff --git
a/includes/Sanitizer.php
b/includes/Sanitizer.php
index
8f1fc99
..
44e4e3e
100644
(file)
--- a/
includes/Sanitizer.php
+++ b/
includes/Sanitizer.php
@@
-41,7
+41,7
@@
class Sanitizer {
/**
* Acceptable tag name charset from HTML5 parsing spec
/**
* Acceptable tag name charset from HTML5 parsing spec
- * http://www.w3.org/TR/html5/syntax.html#tag-open-state
+ * http
s
://www.w3.org/TR/html5/syntax.html#tag-open-state
*/
const ELEMENT_BITS_REGEX = '!^(/?)([A-Za-z][^\t\n\v />\0]*+)([^>]*?)(/?>)([^<]*)$!';
*/
const ELEMENT_BITS_REGEX = '!^(/?)([A-Za-z][^\t\n\v />\0]*+)([^>]*?)(/?>)([^<]*)$!';
@@
-58,7
+58,7
@@
class Sanitizer {
/**
* List of all named character entities defined in HTML 4.01
/**
* List of all named character entities defined in HTML 4.01
- * http://www.w3.org/TR/html4/sgml/entities.html
+ * http
s
://www.w3.org/TR/html4/sgml/entities.html
* As well as ' which is only defined starting in XHTML1.
*/
private static $htmlEntities = [
* As well as ' which is only defined starting in XHTML1.
*/
private static $htmlEntities = [
@@
-333,7
+333,7
@@
class Sanitizer {
/**
* Regular expression to match HTML/XML attribute pairs within a tag.
* Allows some... latitude. Based on,
/**
* Regular expression to match HTML/XML attribute pairs within a tag.
* Allows some... latitude. Based on,
- * http://www.w3.org/TR/html5/syntax.html#before-attribute-value-state
+ * http
s
://www.w3.org/TR/html5/syntax.html#before-attribute-value-state
* Used in Sanitizer::fixTagAttributes and Sanitizer::decodeTagAttributes
* @return string
*/
* Used in Sanitizer::fixTagAttributes and Sanitizer::decodeTagAttributes
* @return string
*/
@@
-1015,6
+1015,7
@@
class Sanitizer {
| url\s*\(
| image\s*\(
| image-set\s*\(
| url\s*\(
| image\s*\(
| image-set\s*\(
+ | attr\s*\([^)]+[\s,]+url
!ix', $value ) ) {
return '/* insecure input */';
}
!ix', $value ) ) {
return '/* insecure input */';
}
@@
-1148,11
+1149,11
@@
class Sanitizer {
* ambiguous if it's part of something that looks like a percent escape
* (which don't work reliably in fragments cross-browser).
*
* ambiguous if it's part of something that looks like a percent escape
* (which don't work reliably in fragments cross-browser).
*
- * @see http://www.w3.org/TR/html401/types.html#type-name Valid characters
+ * @see http
s
://www.w3.org/TR/html401/types.html#type-name Valid characters
* in the id and name attributes
* in the id and name attributes
- * @see http://www.w3.org/TR/html401/struct/links.html#h-12.2.3 Anchors with
+ * @see http
s
://www.w3.org/TR/html401/struct/links.html#h-12.2.3 Anchors with
* the id attribute
* the id attribute
- * @see http
://www.whatwg.org/html/elements
.html#the-id-attribute
+ * @see http
s://www.w3.org/TR/html5/dom
.html#the-id-attribute
* HTML5 definition of id attribute
*
* @param string $id Id to escape
* HTML5 definition of id attribute
*
* @param string $id Id to escape
@@
-1238,7
+1239,7
@@
class Sanitizer {
*
* @todo For extra validity, input should be validated UTF-8.
*
*
* @todo For extra validity, input should be validated UTF-8.
*
- * @see http://www.w3.org/TR/CSS21/syndata.html Valid characters/format
+ * @see http
s
://www.w3.org/TR/CSS21/syndata.html Valid characters/format
*
* @param string $class
* @return string
*
* @param string $class
* @return string
@@
-1351,7
+1352,7
@@
class Sanitizer {
} elseif ( !isset( $set[2] ) ) {
# In XHTML, attributes must have a value so return an empty string.
# See "Empty attribute syntax",
} elseif ( !isset( $set[2] ) ) {
# In XHTML, attributes must have a value so return an empty string.
# See "Empty attribute syntax",
- # http://www.w3.org/TR/html5/syntax.html#syntax-attribute-name
+ # http
s
://www.w3.org/TR/html5/syntax.html#syntax-attribute-name
return "";
} else {
throw new MWException( "Tag conditions not met. This should never happen and is a bug." );
return "";
} else {
throw new MWException( "Tag conditions not met. This should never happen and is a bug." );
@@
-1621,7
+1622,7
@@
class Sanitizer {
# RDFa
# These attributes are specified in section 9 of
# RDFa
# These attributes are specified in section 9 of
- # http://www.w3.org/TR/2008/REC-rdfa-syntax-20081014
+ # http
s
://www.w3.org/TR/2008/REC-rdfa-syntax-20081014
'about',
'property',
'resource',
'about',
'property',
'resource',
@@
-1629,7
+1630,7
@@
class Sanitizer {
'typeof',
# Microdata. These are specified by
'typeof',
# Microdata. These are specified by
- # http
://www.whatwg.org/html
/microdata.html#the-microdata-model
+ # http
s://html.spec.whatwg.org/multipage
/microdata.html#the-microdata-model
'itemid',
'itemprop',
'itemref',
'itemid',
'itemprop',
'itemref',
@@
-1653,7
+1654,7
@@
class Sanitizer {
];
# Numbers refer to sections in HTML 4.01 standard describing the element.
];
# Numbers refer to sections in HTML 4.01 standard describing the element.
- # See: http://www.w3.org/TR/html4/
+ # See: http
s
://www.w3.org/TR/html4/
$whitelist = [
# 7.5.4
'div' => $block,
$whitelist = [
# 7.5.4
'div' => $block,
@@
-1700,7
+1701,7
@@
class Sanitizer {
# 9.3.2
'br' => array_merge( $common, [ 'clear' ] ),
# 9.3.2
'br' => array_merge( $common, [ 'clear' ] ),
- # http
://www.whatwg.org/html
/text-level-semantics.html#the-wbr-element
+ # http
s://www.w3.org/TR/html5
/text-level-semantics.html#the-wbr-element
'wbr' => $common,
# 9.3.4
'wbr' => $common,
# 9.3.4
@@
-1775,7
+1776,7
@@
class Sanitizer {
'hr' => array_merge( $common, [ 'width' ] ),
# HTML Ruby annotation text module, simple ruby only.
'hr' => array_merge( $common, [ 'width' ] ),
# HTML Ruby annotation text module, simple ruby only.
- # http
://www.whatwg.org/html
/text-level-semantics.html#the-ruby-element
+ # http
s://www.w3.org/TR/html5
/text-level-semantics.html#the-ruby-element
'ruby' => $common,
# rbc
'rb' => $common,
'ruby' => $common,
# rbc
'rb' => $common,
@@
-1785,14
+1786,14
@@
class Sanitizer {
# MathML root element, where used for extensions
# 'title' may not be 100% valid here; it's XHTML
# MathML root element, where used for extensions
# 'title' may not be 100% valid here; it's XHTML
- # http://www.w3.org/TR/REC-MathML/
+ # http
s
://www.w3.org/TR/REC-MathML/
'math' => [ 'class', 'style', 'id', 'title' ],
# HTML 5 section 4.6
'bdi' => $common,
# HTML5 elements, defined by:
'math' => [ 'class', 'style', 'id', 'title' ],
# HTML 5 section 4.6
'bdi' => $common,
# HTML5 elements, defined by:
- # http
://www.whatwg.org/html/
+ # http
s://html.spec.whatwg.org/multipage/semantics.html#the-data-element
'data' => array_merge( $common, [ 'value' ] ),
'time' => array_merge( $common, [ 'datetime' ] ),
'mark' => $common,
'data' => array_merge( $common, [ 'value' ] ),
'time' => array_merge( $common, [ 'datetime' ] ),
'mark' => $common,
@@
-1867,7
+1868,7
@@
class Sanitizer {
list( /* $whole */, $protocol, $host, $rest ) = $matches;
// Characters that will be ignored in IDNs.
list( /* $whole */, $protocol, $host, $rest ) = $matches;
// Characters that will be ignored in IDNs.
- // http
://tools.ietf.org/html/
3454#section-3.1
+ // http
s://tools.ietf.org/html/rfc
3454#section-3.1
// Strip them before further processing so blacklists and such work.
$strip = "/
\\s| # general whitespace
// Strip them before further processing so blacklists and such work.
$strip = "/
\\s| # general whitespace
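Review bot: The new alternation `| attr\s*\([^)]+[\s,]+url` in the insecure-CSS pattern (hunk at -1015,6 +1015,7) carries no comment, while every neighbouring branch is a bare function name whose purpose is self-evident; a later maintainer could read it as redundant with the `url\s*\(` branch above and drop it, although it catches a different construct, an `attr()` call whose argument list contains a `url` type token and so never contains the text `url(`. I would add, on the line before it, `# attr(name url ...) resolves an attribute value as a URL without a url( token`. The pattern only holds if CSS comments and escapes have already been normalised before this match, since `[^)]+[\s,]+url` is matched on the literal text; the enclosing function starts and ends outside the hunk, so I cannot confirm that from the page and it is worth stating in the same comment. Note also that the trailing `url` has no boundary, so an identifier such as `urlx` in that position is rejected as well, which is acceptable for a reject-list but should be a deliberate choice.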