* HTML sanitizer for %MediaWiki.
*
* Copyright © 2002-2005 Brion Vibber <brion@pobox.com> et al
- * http://www.mediawiki.org/
+ * https://www.mediawiki.org/
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* @param string $text
* @param callable $processCallback Callback to do any variable or parameter
* replacements in HTML attribute values
- * @param array $args Arguments for the processing callback
+ * @param array|bool $args Arguments for the processing callback
* @param array $extratags For any extra tags to include
* @param array $removetags For any tags (default or extra) to exclude
* @return string
$badtag = true;
} elseif ( $slash ) {
# Closing a tag... is it the one we just opened?
- $ot = @array_pop( $tagstack );
+ wfSuppressWarnings();
+ $ot = array_pop( $tagstack );
+ wfRestoreWarnings();
+
if ( $ot != $t ) {
if ( isset( $htmlsingleallowed[$ot] ) ) {
# Pop all elements with an optional close tag
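Review bot: The wfSuppressWarnings()/wfRestoreWarnings() pair around `array_pop( $tagstack )` still hides a warning instead of removing its cause, and the same applies to the pair around `array_push( $tagstack, $ot )` in the next hunk. array_pop() on an empty array returns null without a warning, so the suppression presumably only matters if `$tagstack` is not an array at that point; its initialisation is outside these hunks. In a sanitizer it is better to make that state explicit: initialise `$tagstack = array();` before the loop and call `$ot = array_pop( $tagstack );` directly, so an unexpected warning is visible rather than silenced. The enclosing function starts and ends outside the hunk.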
}
}
} else {
- @array_push( $tagstack, $ot );
+ wfSuppressWarnings();
+ array_push( $tagstack, $ot );
+ wfRestoreWarnings();
+
# <li> can be nested in <ul> or <ol>, skip those cases:
if ( !isset( $htmllist[$ot] ) || !isset( $listtags[$t] ) ) {
$badtag = true;
} else {
# this might be possible using tidy itself
foreach ( $bits as $x ) {
- preg_match( '/^(\\/?)(\\w+)([^>]*?)(\\/{0,1}>)([^<]*)$/',
- $x, $regs );
- @list( /* $qbar */, $slash, $t, $params, $brace, $rest ) = $regs;
+ preg_match(
+ '/^(\\/?)(\\w+)([^>]*?)(\\/{0,1}>)([^<]*)$/',
+ $x,
+ $regs
+ );
+
+ wfSuppressWarnings();
+ list( /* $qbar */, $slash, $t, $params, $brace, $rest ) = $regs;
+ wfRestoreWarnings();
+
$badtag = false;
if ( isset( $htmlelements[$t = strtolower( $t )] ) ) {
if ( is_callable( $processCallback ) ) {
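Review bot: The return value of preg_match() is still ignored, and the suppressed `list()` assignment is what hides the undefined-offset notices when a fragment in `$bits` does not match the tag pattern. In that case `$slash`, `$t`, `$params`, `$brace` and `$rest` silently become null and the code continues to `strtolower( $t )`. Branching on the match result and assigning the no-match values explicitly keeps the same behaviour, removes the need for wfSuppressWarnings() here, and makes it readable how the sanitizer treats malformed fragments. The foreach body continues outside the hunk.

```php
foreach ( $bits as $x ) {
	if ( preg_match( '/^(\\/?)(\\w+)([^>]*?)(\\/{0,1}>)([^<]*)$/', $x, $regs ) ) {
		list( /* $qbar */, $slash, $t, $params, $brace, $rest ) = $regs;
	} else {
		# Not a well-formed tag fragment: same values the suppressed list() produced
		$slash = $t = $params = $brace = $rest = null;
	}
	# … unchanged: $badtag = false; and the $htmlelements lookup …
```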
# Remove the comment, leading and trailing
# spaces, and leave only one newline.
$text = substr_replace( $text, "\n", $spaceStart, $spaceLen + 1 );
- }
- else {
+ } else {
# Remove just the comment.
$text = substr_replace( $text, '', $start, $end - $start );
}
if ( preg_match( '/[\000-\010\013\016-\037\177]/', $value ) ) {
return '/* invalid control char */';
} elseif ( preg_match(
- '! expression | filter\s*: | accelerator\s*: | url\s*\( | image\s*\( | image-set\s*\( !ix',
- $value
- ) ) {
+ '! expression
+ | filter\s*:
+ | accelerator\s*:
+ | -o-link\s*:
+ | -o-link-source\s*:
+ | -o-replace\s*:
+ | url\s*\(
+ | image\s*\(
+ | image-set\s*\(
+ !ix', $value ) ) {
return '/* insecure input */';
}
return $value;
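Review bot: The new alternatives `-o-link`, `-o-link-source` and `-o-replace` are added to the rejection pattern with no comment saying why, so a later maintainer cannot tell which browser behaviour each entry guards against or when it can be retired. I would add a comment above the preg_match, for example `# Opera-prefixed properties that take a URI or turn the element into a link; rejected for the same reason as url()`. Because this is a deny-list matched against `$value`, it only holds if CSS escapes and comments were normalised before this point; that code is outside the hunk, so please confirm it covers the new property names too.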
* HTML5 definition of id attribute
*
* @param string $id id to escape
- * @param $options Mixed: string or array of strings (default is array()):
+ * @param string|array $options String or array of strings (default is array()):
* 'noninitial': This is a non-initial fragment of an id, not a full id,
* so don't pay attention if the first character isn't valid at the
* beginning of an id. Only matters if $wgExperimentalHtmlIds is
* This allows (generally harmless) entities like   to survive.
*
* @param string $html HTML to escape
- * @return string: escaped input
+ * @return string Escaped input
*/
static function escapeHtmlAllowEntities( $html ) {
$html = Sanitizer::decodeCharReferences( $html );
array( 'Sanitizer', 'normalizeCharReferencesCallback' ),
$text );
}
+
/**
* @param string $matches
* @return string
*/
static function setupAttributeWhitelist() {
global $wgAllowRdfaAttributes, $wgAllowMicrodataAttributes;
-
static $whitelist, $staticInitialised;
+
$globalContext = implode( '-', compact( 'wgAllowRdfaAttributes', 'wgAllowMicrodataAttributes' ) );
- if ( isset( $whitelist ) && $staticInitialised == $globalContext ) {
+ if ( $whitelist !== null && $staticInitialised == $globalContext ) {
return $whitelist;
}
$rfc5322_atext = "a-z0-9!#$%&'*+\\-\/=?^_`{|}~";
$rfc1034_ldh_str = "a-z0-9\\-";
- $HTML5_email_regexp = "/
+ $html5_email_regexp = "/
^ # start of string
[$rfc5322_atext\\.]+ # user part which is liberal :p
@ # 'apostrophe'
$ # End of string
/ix"; // case Insensitive, eXtended
- return (bool)preg_match( $HTML5_email_regexp, $addr );
+ return (bool)preg_match( $html5_email_regexp, $addr );
}
}