dépôts
/
lhc
/
web
/
wiklou.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
ApiLogin: Don't try to add block info if there's no block
[lhc/web/wiklou.git]
/
includes
/
Sanitizer.php
diff --git
a/includes/Sanitizer.php
b/includes/Sanitizer.php
index
ddaf1b2
..
c02bdc9
100644
(file)
--- a/
includes/Sanitizer.php
+++ b/
includes/Sanitizer.php
@@
-349,9
+349,6
@@
class Sanitizer {
\"([^<\"]*)\"
| '([^<']*)'
| ([a-zA-Z0-9!#$%&()*,\\-.\\/:;<>?@[\\]^_`{|}~]+)
\"([^<\"]*)\"
| '([^<']*)'
| ([a-zA-Z0-9!#$%&()*,\\-.\\/:;<>?@[\\]^_`{|}~]+)
- | (\#[0-9a-fA-F]+) # Technically wrong, but lots of
- # colors are specified like this.
- # We'll be normalizing it.
)
)?(?=$space|\$)/sx";
}
)
)?(?=$space|\$)/sx";
}
@@
-966,7
+963,8
@@
class Sanitizer {
$value = self::normalizeCss( $value );
// Reject problematic keywords and control characters
$value = self::normalizeCss( $value );
// Reject problematic keywords and control characters
- if ( preg_match( '/[\000-\010\013\016-\037\177]/', $value ) ) {
+ if ( preg_match( '/[\000-\010\013\016-\037\177]/', $value ) ||
+ strpos( $value, UtfNormal\Constants::UTF8_REPLACEMENT ) !== false ) {
return '/* invalid control char */';
} elseif ( preg_match(
'! expression
return '/* invalid control char */';
} elseif ( preg_match(
'! expression
@@
-1263,10
+1261,7
@@
class Sanitizer {
* @return string
*/
private static function getTagAttributeCallback( $set ) {
* @return string
*/
private static function getTagAttributeCallback( $set ) {
- if ( isset( $set[6] ) ) {
- # Illegal #XXXXXX color with no quotes.
- return $set[6];
- } elseif ( isset( $set[5] ) ) {
+ if ( isset( $set[5] ) ) {
# No quotes.
return $set[5];
} elseif ( isset( $set[4] ) ) {
# No quotes.
return $set[5];
} elseif ( isset( $set[4] ) ) {
@@
-1276,9
+1271,10
@@
class Sanitizer {
# Double-quoted
return $set[3];
} elseif ( !isset( $set[2] ) ) {
# Double-quoted
return $set[3];
} elseif ( !isset( $set[2] ) ) {
- # In XHTML, attributes must have a value.
- # For 'reduced' form, return explicitly the attribute name here.
- return $set[1];
+ # In XHTML, attributes must have a value so return an empty string.
+ # See "Empty attribute syntax",
+ # http://www.w3.org/TR/html5/syntax.html#syntax-attribute-name
+ return "";
} else {
throw new MWException( "Tag conditions not met. This should never happen and is a bug." );
}
} else {
throw new MWException( "Tag conditions not met. This should never happen and is a bug." );
}
@@
-1398,15
+1394,19
@@
class Sanitizer {
}
/**
}
/**
- * Returns true if a given Unicode codepoint is a valid character in XML.
+ * Returns true if a given Unicode codepoint is a valid character in
+ * both HTML5 and XML.
* @param int $codepoint
* @return bool
*/
private static function validateCodepoint( $codepoint ) {
* @param int $codepoint
* @return bool
*/
private static function validateCodepoint( $codepoint ) {
+ # U+000C is valid in HTML5 but not allowed in XML.
+ # U+000D is valid in XML but not allowed in HTML5.
+ # U+007F - U+009F are disallowed in HTML5 (control characters).
return $codepoint == 0x09
|| $codepoint == 0x0a
return $codepoint == 0x09
|| $codepoint == 0x0a
- ||
$codepoint == 0x0d
- || ( $codepoint >= 0x
2
0 && $codepoint <= 0xd7ff )
+ ||
( $codepoint >= 0x20 && $codepoint <= 0x7e )
+ || ( $codepoint >= 0x
a
0 && $codepoint <= 0xd7ff )
|| ( $codepoint >= 0xe000 && $codepoint <= 0xfffd )
|| ( $codepoint >= 0x10000 && $codepoint <= 0x10ffff );
}
|| ( $codepoint >= 0xe000 && $codepoint <= 0xfffd )
|| ( $codepoint >= 0x10000 && $codepoint <= 0x10ffff );
}
@@
-1808,6
+1808,11
@@
class Sanitizer {
$host = preg_replace( $strip, '', $host );
$host = preg_replace( $strip, '', $host );
+ // IPv6 host names are bracketed with []. Url-decode these.
+ if ( substr_compare( "//%5B", $host, 0, 5 ) === 0 && preg_match( '!^//%5B([0-9A-Fa-f:.]+)%5D((:\d+)?)$!', $host, $matches ) ) {
+ $host = '//[' . $matches[1] . ']' . $matches[2];
+ }
+
// @todo FIXME: Validate hostnames here
return $protocol . $host . $rest;
// @todo FIXME: Validate hostnames here
return $protocol . $host . $rest;