*
* @file
*/
+use MediaWiki\MediaWikiServices;
/**
* This class is a collection of static functions that serve two purposes:
unset( $attribs['type'] );
}
if ( $element === 'input' ) {
- $type = isset( $attribs['type'] ) ? $attribs['type'] : null;
- $value = isset( $attribs['value'] ) ? $attribs['value'] : null;
+ $type = $attribs['type'] ?? null;
+ $value = $attribs['value'] ?? null;
if ( $type === 'checkbox' || $type === 'radio' ) {
// The default value for checkboxes and radio buttons is 'on'
// not ''. By stripping value="" we break radio boxes that
}
/**
- * Output a "<script>" tag with the given contents.
+ * Output an HTML script tag with the given contents.
*
- * @todo do some useful escaping as well, like if $contents contains
- * literal "</script>" or (for XML) literal "]]>".
+ * It is unsupported for the contents to contain the sequence `<script` or `</script`
+ * (case-insensitive). This ensures the script can be terminated easily and consistently.
+ * It is the responsibility of the caller to avoid such character sequence by escaping
+ * or avoiding it. If found at run-time, the contents are replaced with a comment, and
+ * a warning is logged server-side.
*
* @param string $contents JavaScript
- * @param string $nonce Nonce for CSP header, from OutputPage::getCSPNonce()
+ * @param string|null $nonce Nonce for CSP header, from OutputPage::getCSPNonce()
* @return string Raw HTML
*/
public static function inlineScript( $contents, $nonce = null ) {
if ( $nonce !== null ) {
$attrs['nonce'] = $nonce;
} else {
- if ( ContentSecurityPolicy::isEnabled( RequestContext::getMain()->getConfig() ) ) {
+ if ( ContentSecurityPolicy::isNonceRequired( RequestContext::getMain()->getConfig() ) ) {
wfWarn( "no nonce set on script. CSP will break it" );
}
}
- if ( preg_match( '/[<&]/', $contents ) ) {
- $contents = "/*<![CDATA[*/$contents/*]]>*/";
+ if ( preg_match( '/<\/?script/i', $contents ) ) {
+ wfLogWarning( __METHOD__ . ': Illegal character sequence found in inline script.' );
+ $contents = '/* ERROR: Invalid script */';
}
return self::rawElement( 'script', $attrs, $contents );
* "<script src=foo.js></script>".
*
* @param string $url
- * @param string $nonce Nonce for CSP header, from OutputPage::getCSPNonce()
+ * @param string|null $nonce Nonce for CSP header, from OutputPage::getCSPNonce()
* @return string Raw HTML
*/
public static function linkedScript( $url, $nonce = null ) {
if ( $nonce !== null ) {
$attrs['nonce'] = $nonce;
} else {
- if ( ContentSecurityPolicy::isEnabled( RequestContext::getMain()->getConfig() ) ) {
+ if ( ContentSecurityPolicy::isNonceRequired( RequestContext::getMain()->getConfig() ) ) {
wfWarn( "no nonce set on script. CSP will break it" );
}
}
* @return string of HTML representing a box.
*/
private static function messageBox( $html, $className, $heading = '' ) {
- if ( $heading ) {
+ if ( $heading !== '' ) {
$html = self::element( 'h2', [], $heading ) . $html;
}
return self::rawElement( 'div', [ 'class' => $className ], $html );
* @return array
*/
public static function namespaceSelectorOptions( array $params = [] ) {
- global $wgContLang;
-
$options = [];
if ( !isset( $params['exclude'] ) || !is_array( $params['exclude'] ) ) {
$options[$params['all']] = wfMessage( 'namespacesall' )->text();
}
// Add all namespaces as options (in the content language)
- $options += $wgContLang->getFormattedNamespaces();
+ $options +=
+ MediaWikiServices::getInstance()->getContentLanguage()->getFormattedNamespaces();
$optionsOut = [];
// Filter out namespaces below 0 and massage labels
// main we don't use "" but the user message describing it (e.g. "(Main)" or "(Article)")
$nsName = wfMessage( 'blanknamespace' )->text();
} elseif ( is_int( $nsId ) ) {
- $nsName = $wgContLang->convertNamespace( $nsId );
+ $nsName = MediaWikiServices::getInstance()->getContentLanguage()->
+ convertNamespace( $nsId );
}
$optionsOut[$nsId] = $nsName;
}
if ( isset( $params['label'] ) ) {
$ret .= self::element(
'label', [
- 'for' => isset( $selectAttribs['id'] ) ? $selectAttribs['id'] : null,
+ 'for' => $selectAttribs['id'] ?? null,
], $params['label']
- ) . ' ';
+ ) . "\u{00A0}";
}
// Wrap options in a <select>