/**
* XHTML sanitizer for MediaWiki
*
- * Copyright (C) 2002-2005 Brion Vibber <brion@pobox.com> et al
+ * Copyright © 2002-2005 Brion Vibber <brion@pobox.com> et al
* http://www.mediawiki.org/
*
* This program is free software; you can redistribute it and/or modify
define( 'MW_CHAR_REFS_REGEX',
'/&([A-Za-z0-9\x80-\xff]+);
|&\#([0-9]+);
- |&\#x([0-9A-Za-z]+);
- |&\#X([0-9A-Za-z]+);
+ |&\#[xX]([0-9A-Fa-f]+);
|(&)/x' );
/**
* Allows some... latitude.
* Used in Sanitizer::fixTagAttributes and Sanitizer::decodeTagAttributes
*/
-$attrib = '[A-Za-z0-9]';
+$attribFirst = '[:A-Z_a-z]';
+$attrib = '[:A-Z_a-z-.0-9]';
$space = '[\x09\x0a\x0d\x20]';
define( 'MW_ATTRIBS_REGEX',
- "/(?:^|$space)((?:xml:|xmlns:)?$attrib+)
+ "/(?:^|$space)({$attribFirst}{$attrib}*)
($space*=$space*
(?:
# The attribute value: quoted or alone
'h2', 'h3', 'h4', 'h5', 'h6', 'cite', 'code', 'em', 's',
'strike', 'strong', 'tt', 'var', 'div', 'center',
'blockquote', 'ol', 'ul', 'dl', 'table', 'caption', 'pre',
- 'ruby', 'rt' , 'rb' , 'rp', 'p', 'span', 'u', 'abbr'
+ 'ruby', 'rt' , 'rb' , 'rp', 'p', 'span', 'abbr', 'dfn',
+ 'kbd', 'samp'
);
$htmlsingle = array(
'br', 'hr', 'li', 'dt', 'dd'
'li',
);
+ global $wgAllowImageTag;
+ if ( $wgAllowImageTag ) {
+ $htmlsingle[] = 'img';
+ $htmlsingleonly[] = 'img';
+ }
+
$htmlsingleallowed = array_unique( array_merge( $htmlsingle, $tabletags ) );
$htmlelementsStatic = array_unique( array_merge( $htmlsingle, $htmlpairsStatic, $htmlnest ) );
$text = Sanitizer::removeHTMLcomments( $text );
$bits = explode( '<', $text );
$text = str_replace( '>', '>', array_shift( $bits ) );
- if(!$wgUseTidy) {
+ if ( !$wgUseTidy ) {
$tagstack = $tablestack = array();
foreach ( $bits as $x ) {
$regs = array();
+ # $slash: Does the current element start with a '/'?
+ # $t: Current element name
+ # $params: String between element name and >
+ # $brace: Ending '>' or '/>'
+ # $rest: Everything until the next element of $bits
if( preg_match( '!^(/?)(\\w+)([^>]*?)(/{0,1}>)([^<]*)$!', $x, $regs ) ) {
list( /* $qbar */, $slash, $t, $params, $brace, $rest ) = $regs;
} else {
$slash = $t = $params = $brace = $rest = null;
}
- $badtag = 0 ;
+ $badtag = false;
if ( isset( $htmlelements[$t = strtolower( $t )] ) ) {
# Check our stack
- if ( $slash ) {
- # Closing a tag...
- if( isset( $htmlsingleonly[$t] ) ) {
- $badtag = 1;
- } elseif ( ( $ot = @array_pop( $tagstack ) ) != $t ) {
+ if ( $slash && isset( $htmlsingleonly[$t] ) ) {
+ $badtag = true;
+ } elseif ( $slash ) {
+ # Closing a tag... is it the one we just opened?
+ $ot = @array_pop( $tagstack );
+ if ( $ot != $t ) {
if ( isset( $htmlsingleallowed[$ot] ) ) {
# Pop all elements with an optional close tag
# and see if we find a match below them
$optstack = array();
- array_push ($optstack, $ot);
- while ( ( ( $ot = @array_pop( $tagstack ) ) != $t ) &&
- isset( $htmlsingleallowed[$ot] ) )
- {
- array_push ($optstack, $ot);
+ array_push( $optstack, $ot );
+ $ot = @array_pop( $tagstack );
+ while ( $ot != $t && isset( $htmlsingleallowed[$ot] ) ) {
+ array_push( $optstack, $ot );
+ $ot = @array_pop( $tagstack );
}
if ( $t != $ot ) {
- # No match. Push the optinal elements back again
- $badtag = 1;
+ # No match. Push the optional elements back again
+ $badtag = true;
while ( $ot = @array_pop( $optstack ) ) {
array_push( $tagstack, $ot );
}
} else {
@array_push( $tagstack, $ot );
# <li> can be nested in <ul> or <ol>, skip those cases:
- if(!(isset( $htmllist[$ot] ) && isset( $listtags[$t] ) )) {
- $badtag = 1;
+ if ( !isset( $htmllist[$ot] ) || !isset( $listtags[$t] ) ) {
+ $badtag = true;
}
}
} else {
} else {
# Keep track for later
if ( isset( $tabletags[$t] ) &&
- ! in_array( 'table', $tagstack ) ) {
- $badtag = 1;
- } else if ( in_array( $t, $tagstack ) &&
- ! isset( $htmlnest [$t ] ) ) {
- $badtag = 1 ;
+ !in_array( 'table', $tagstack ) ) {
+ $badtag = true;
+ } elseif ( in_array( $t, $tagstack ) &&
+ !isset( $htmlnest [$t ] ) ) {
+ $badtag = true;
# Is it a self closed htmlpair ? (bug 5487)
- } else if( $brace == '/>' &&
+ } elseif ( $brace == '/>' &&
isset( $htmlpairs[$t] ) ) {
- $badtag = 1;
- } elseif( isset( $htmlsingleonly[$t] ) ) {
+ $badtag = true;
+ } elseif ( isset( $htmlsingleonly[$t] ) ) {
# Hack to force empty tag for uncloseable elements
$brace = '/>';
- } else if( isset( $htmlsingle[$t] ) ) {
+ } elseif ( isset( $htmlsingle[$t] ) ) {
# Hack to not close $htmlsingle tags
- $brace = NULL;
- } else if( isset( $tabletags[$t] )
- && in_array($t ,$tagstack) ) {
+ $brace = null;
+ } elseif ( isset( $tabletags[$t] )
+ && in_array( $t, $tagstack ) ) {
// New table tag but forgot to close the previous one
$text .= "</$t>";
} else {
# Strip non-approved attributes from the tag
$newparams = Sanitizer::fixTagAttributes( $params, $t );
}
- if ( ! $badtag ) {
+ if ( !$badtag ) {
$rest = str_replace( '>', '>', $rest );
$close = ( $brace == '/>' && !$slash ) ? ' /' : '';
$text .= "<$slash$t$newparams$close>$rest";
* @todo Check for unique id attribute :P
*/
static function validateAttributes( $attribs, $whitelist ) {
- global $wgAllowRdfaAttributes;
+ global $wgAllowRdfaAttributes, $wgAllowMicrodataAttributes, $wgHtml5;
$whitelist = array_flip( $whitelist );
$hrefExp = '/^(' . wfUrlProtocols() . ')[^\s]+$/';
continue;
}
- if( !isset( $whitelist[$attribute] ) ) {
+ # Allow any attribute beginning with "data-", if in HTML5 mode
+ if ( !($wgHtml5 && preg_match( '/^data-/i', $attribute )) && !isset( $whitelist[$attribute] ) ) {
continue;
}
# http://msdn.microsoft.com/workshop/author/dhtml/overview/recalc.asp
if( $attribute == 'style' ) {
$value = Sanitizer::checkCss( $value );
- if( $value === false ) {
- # haxx0r
- continue;
- }
}
if ( $attribute === 'id' ) {
- global $wgEnforceHtmlIds;
- $value = Sanitizer::escapeId( $value,
- $wgEnforceHtmlIds ? 'noninitial' : 'xml' );
+ $value = Sanitizer::escapeId( $value, 'noninitial' );
}
- //RDFa and microdata properties allow URIs. check them
+ //RDFa and microdata properties allow URLs, URIs and/or CURIs. check them for sanity
if ( $attribute === 'rel' || $attribute === 'rev' ||
- $attribute === 'about' || $attribute === 'property' || $attribute === 'resource' ||
- $attribute === 'datatype' || $attribute === 'typeof' ||
- $attribute === 'item' || $attribute === 'itemprop' || $attribute === 'subject' ) {
+ $attribute === 'about' || $attribute === 'property' || $attribute === 'resource' || #RDFa
+ $attribute === 'datatype' || $attribute === 'typeof' || #RDFa
+ $attribute === 'itemid' || $attribute === 'itemprop' || $attribute === 'itemref' || #HTML5 microdata
+ $attribute === 'itemscope' || $attribute === 'itemtype' ) { #HTML5 microdata
//Paranoia. Allow "simple" values but suppress javascript
if ( preg_match( MW_EVIL_URI_PATTERN, $value ) ) {
// Output should only have one attribute of each name.
$out[$attribute] = $value;
}
+
+ if ( $wgAllowMicrodataAttributes ) {
+ # There are some complicated validity constraints we need to
+ # enforce here. First of all, we don't want to allow non-standard
+ # itemtypes.
+ $allowedTypes = array(
+ 'http://microformats.org/profile/hcard',
+ 'http://microformats.org/profile/hcalendar#vevent',
+ 'http://n.whatwg.org/work',
+ );
+ if ( isset( $out['itemtype'] ) && !in_array( $out['itemtype'],
+ $allowedTypes ) ) {
+ # Kill everything
+ unset( $out['itemscope'] );
+ }
+ # itemtype, itemid, itemref don't make sense without itemscope
+ if ( !array_key_exists( 'itemscope', $out ) ) {
+ unset( $out['itemtype'] );
+ unset( $out['itemid'] );
+ unset( $out['itemref'] );
+ }
+ # TODO: Strip itemprop if we aren't descendants of an itemscope.
+ }
return $out;
}
* @return Mixed
*/
static function checkCss( $value ) {
- $stripped = Sanitizer::decodeCharReferences( $value );
+ $value = Sanitizer::decodeCharReferences( $value );
// Remove any comments; IE gets token splitting wrong
- $stripped = StringUtils::delimiterReplace( '/*', '*/', ' ', $stripped );
-
- $value = $stripped;
-
- // ... and continue checks
- $stripped = preg_replace( '!\\\\([0-9A-Fa-f]{1,6})[ \\n\\r\\t\\f]?!e',
- 'codepointToUtf8(hexdec("$1"))', $stripped );
- $stripped = str_replace( '\\', '', $stripped );
- if( preg_match( '/(?:expression|tps*:\/\/|url\\s*\().*/is',
- $stripped ) ) {
- # haxx0r
- return false;
+ $value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value );
+
+ // Decode escape sequences and line continuation
+ // See the grammar in the CSS 2 spec, appendix D.
+ static $decodeRegex;
+ if ( !$decodeRegex ) {
+ $space = '[\\x20\\t\\r\\n\\f]';
+ $nl = '(?:\\n|\\r\\n|\\r|\\f)';
+ $backslash = '\\\\';
+ $decodeRegex = "/ $backslash
+ (?:
+ ($nl) | # 1. Line continuation
+ ([0-9A-Fa-f]{1,6})$space? | # 2. character number
+ (.) | # 3. backslash cancelling special meaning
+ () | # 4. backslash at end of string
+ )/xu";
+ }
+ $value = preg_replace_callback( $decodeRegex,
+ array( __CLASS__, 'cssDecodeCallback' ), $value );
+
+ // Reject problematic keywords and control characters
+ if ( preg_match( '/[\000-\010\016-\037\177]/', $value ) ) {
+ return '/* invalid control char */';
+ } elseif ( preg_match( '! expression | filter\s*: | accelerator\s*: | url\s*\( !ix', $value ) ) {
+ return '/* insecure input */';
}
-
return $value;
}
+ static function cssDecodeCallback( $matches ) {
+ if ( $matches[1] !== '' ) {
+ // Line continuation
+ return '';
+ } elseif ( $matches[2] !== '' ) {
+ $char = codepointToUtf8( hexdec( $matches[2] ) );
+ } elseif ( $matches[3] !== '' ) {
+ $char = $matches[3];
+ } else {
+ $char = '\\';
+ }
+ if ( $char == "\n" || $char == '"' || $char == "'" || $char == '\\' ) {
+ // These characters need to be escaped in strings
+ // Clean up the escape sequence to avoid parsing errors by clients
+ return '\\' . dechex( ord( $char ) ) . ' ';
+ } else {
+ // Decode unnecessary escape
+ return $char;
+ }
+ }
+
/**
* Take a tag soup fragment listing an HTML element's attributes
* and normalize it to well-formed XML, discarding unwanted attributes.
}
/**
- * Given a value escape it so that it can be used in an id attribute and
- * return it, this does not validate the value however (see first link)
+ * Given a value, escape it so that it can be used in an id attribute and
+ * return it. This will use HTML5 validation if $wgExperimentalHtmlIds is
+ * true, allowing anything but ASCII whitespace. Otherwise it will use
+ * HTML 4 rules, which means a narrow subset of ASCII, with bad characters
+ * escaped with lots of dots.
+ *
+ * To ensure we don't have to bother escaping anything, we also strip ', ",
+ * & even if $wgExperimentalIds is true. TODO: Is this the best tactic?
+ * We also strip # because it upsets IE, and % because it could be
+ * ambiguous if it's part of something that looks like a percent escape
+ * (which don't work reliably in fragments cross-browser).
*
* @see http://www.w3.org/TR/html401/types.html#type-name Valid characters
* in the id and
* name attributes
* @see http://www.w3.org/TR/html401/struct/links.html#h-12.2.3 Anchors with the id attribute
+ * @see http://www.whatwg.org/specs/web-apps/current-work/multipage/elements.html#the-id-attribute
+ * HTML5 definition of id attribute
*
- * @param $id String: id to validate
+ * @param $id String: id to escape
* @param $options Mixed: string or array of strings (default is array()):
* 'noninitial': This is a non-initial fragment of an id, not a full id,
* so don't pay attention if the first character isn't valid at the
- * beginning of an id.
- * 'xml': Don't restrict the id to be HTML4-compatible. This option
- * allows any alphabetic character to be used, per the XML standard.
- * Therefore, it also completely changes the type of escaping: instead
- * of weird dot-encoding, runs of invalid characters (mostly
- * whitespace) are just compressed into a single underscore.
+ * beginning of an id. Only matters if $wgExperimentalHtmlIds is
+ * false.
+ * 'legacy': Behave the way the old HTML 4-based ID escaping worked even
+ * if $wgExperimentalHtmlIds is used, so we can generate extra
+ * anchors and links won't break.
* @return String
*/
static function escapeId( $id, $options = array() ) {
+ global $wgHtml5, $wgExperimentalHtmlIds;
$options = (array)$options;
- if ( !in_array( 'xml', $options ) ) {
- # HTML4-style escaping
- static $replace = array(
- '%3A' => ':',
- '%' => '.'
- );
-
- $id = urlencode( Sanitizer::decodeCharReferences( strtr( $id, ' ', '_' ) ) );
- $id = str_replace( array_keys( $replace ), array_values( $replace ), $id );
-
- if ( !preg_match( '/^[a-zA-Z]/', $id )
- && !in_array( 'noninitial', $options ) ) {
- // Initial character must be a letter!
- $id = "x$id";
+ if ( $wgHtml5 && $wgExperimentalHtmlIds && !in_array( 'legacy', $options ) ) {
+ $id = Sanitizer::decodeCharReferences( $id );
+ $id = preg_replace( '/[ \t\n\r\f_\'"&#%]+/', '_', $id );
+ $id = trim( $id, '_' );
+ if ( $id === '' ) {
+ # Must have been all whitespace to start with.
+ return '_';
+ } else {
+ return $id;
}
- return $id;
}
- # XML-style escaping. For the patterns used, see the XML 1.0 standard,
- # 5th edition, NameStartChar and NameChar: <http://www.w3.org/TR/REC-xml/>
- $nameStartChar = ':a-zA-Z_\xC0-\xD6\xD8-\xF6\xF8-\x{2FF}\x{370}-\x{37D}'
- . '\x{37F}-\x{1FFF}\x{200C}-\x{200D}\x{2070}-\x{218F}\x{2C00}-\x{2FEF}'
- . '\x{3001}-\x{D7FF}\x{F900}-\x{FDCF}\x{FDF0}-\x{FFFD}\x{10000}-\x{EFFFF}';
- $nameChar = $nameStartChar . '.\-0-9\xB7\x{0300}-\x{036F}'
- . '\x{203F}-\x{2040}';
- # Replace _ as well so we don't get multiple consecutive underscores
- $id = preg_replace( "/([^$nameChar]|_)+/u", '_', $id );
- $id = trim( $id, '_' );
-
- if ( !preg_match( "/^[$nameStartChar]/u", $id )
- && !in_array( 'noninitial', $options ) ) {
- $id = "_$id";
- }
+ # HTML4-style escaping
+ static $replace = array(
+ '%3A' => ':',
+ '%' => '.'
+ );
+
+ $id = urlencode( Sanitizer::decodeCharReferences( strtr( $id, ' ', '_' ) ) );
+ $id = str_replace( array_keys( $replace ), array_values( $replace ), $id );
+ if ( !preg_match( '/^[a-zA-Z]/', $id )
+ && !in_array( 'noninitial', $options ) ) {
+ // Initial character must be a letter!
+ $id = "x$id";
+ }
return $id;
}
/**
* Given HTML input, escape with htmlspecialchars but un-escape entites.
- * This allows (generally harmless) entities like to survive.
+ * This allows (generally harmless) entities like   to survive.
*
* @param $html String to escape
* @return String: escaped input
*/
static function escapeHtmlAllowEntities( $html ) {
+ $html = Sanitizer::decodeCharReferences( $html );
# It seems wise to escape ' as well as ", as a matter of course. Can't
# hurt.
$html = htmlspecialchars( $html, ENT_QUOTES );
- $html = str_replace( '&', '&', $html );
- $html = Sanitizer::normalizeCharReferences( $html );
return $html;
}
* @return Array
*/
public static function decodeTagAttributes( $text ) {
- $attribs = array();
-
if( trim( $text ) == '' ) {
- return $attribs;
+ return array();
}
+ $attribs = array();
$pairs = array();
if( !preg_match_all(
MW_ATTRIBS_REGEX,
$text );
}
+ /**
+ * Normalizes whitespace in a section name, such as might be returned
+ * by Parser::stripSectionName(), for use in the id's that are used for
+ * section links.
+ *
+ * @param $section String
+ * @return String
+ */
+ static function normalizeSectionNameWhitespace( $section ) {
+ return trim( preg_replace( '/[ _]+/', ' ', $section ) );
+ }
+
/**
* Ensure that any entities and character references are legal
* for XML and XHTML specifically. Any stray bits will be
$ret = Sanitizer::decCharReference( $matches[2] );
} elseif( $matches[3] != '' ) {
$ret = Sanitizer::hexCharReference( $matches[3] );
- } elseif( $matches[4] != '' ) {
- $ret = Sanitizer::hexCharReference( $matches[4] );
}
if( is_null( $ret ) ) {
return htmlspecialchars( $matches[0] );
$text );
}
+ /**
+ * Decode any character references, numeric or named entities,
+ * in the next and normalize the resulting string. (bug 14952)
+ *
+ * This is useful for page titles, not for text to be displayed,
+ * MediaWiki allows HTML entities to escape normalization as a feature.
+ *
+ * @param $text String (already normalized, containing entities)
+ * @return String (still normalized, without entities)
+ */
+ public static function decodeCharReferencesAndNormalize( $text ) {
+ global $wgContLang;
+ $text = preg_replace_callback(
+ MW_CHAR_REFS_REGEX,
+ array( 'Sanitizer', 'decodeCharReferencesCallback' ),
+ $text, /* limit */ -1, $count );
+
+ if ( $count ) {
+ return $wgContLang->normalize( $text );
+ } else {
+ return $text;
+ }
+ }
+
/**
* @param $matches String
* @return String
return Sanitizer::decodeChar( intval( $matches[2] ) );
} elseif( $matches[3] != '' ) {
return Sanitizer::decodeChar( hexdec( $matches[3] ) );
- } elseif( $matches[4] != '' ) {
- return Sanitizer::decodeChar( hexdec( $matches[4] ) );
}
# Last case should be an ampersand by itself
return $matches[0];
* @return Array
*/
static function setupAttributeWhitelist() {
- global $wgAllowRdfaAttributes, $wgHtml5, $wgAllowItemAttributes;
+ global $wgAllowRdfaAttributes, $wgHtml5, $wgAllowMicrodataAttributes;
- $common = array( 'id', 'class', 'lang', 'dir', 'title', 'style', 'xml:lang' );
+ $common = array( 'id', 'class', 'lang', 'dir', 'title', 'style' );
if ( $wgAllowRdfaAttributes ) {
#RDFa attributes as specified in section 9 of http://www.w3.org/TR/2008/REC-rdfa-syntax-20081014
) );
}
- if ( $wgHtml5 && $wgAllowItemAttributes ) {
- # add HTML5 microdata tages as pecified by http://www.w3.org/TR/html5/microdata.html
+ if ( $wgHtml5 && $wgAllowMicrodataAttributes ) {
+ # add HTML5 microdata tages as pecified by http://www.whatwg.org/specs/web-apps/current-work/multipage/microdata.html#the-microdata-model
$common = array_merge( $common, array(
- 'item', 'itemprop', 'subject'
+ 'itemid', 'itemprop', 'itemref', 'itemscope', 'itemtype'
) );
}
'em' => $common,
'strong' => $common,
'cite' => $common,
- # dfn
+ 'dfn' => $common,
'code' => $common,
- # samp
- # kbd
+ 'samp' => $common,
+ 'kbd' => $common,
'var' => $common,
'abbr' => $common,
# acronym
# 13.2
# Not usually allowed, but may be used for extension-style hooks
- # such as <math> when it is rasterized
- 'img' => array_merge( $common, array( 'alt' ) ),
+ # such as <math> when it is rasterized, or if $wgAllowImageTag is
+ # true
+ 'img' => array_merge( $common, array( 'alt', 'src', 'width', 'height' ) ),
# 15.2.1
'tt' => $common,
$url = Sanitizer::decodeCharReferences( $url );
# Escape any control characters introduced by the above step
- $url = preg_replace( '/[\][<>"\\x00-\\x20\\x7F]/e', "urlencode('\\0')", $url );
+ $url = preg_replace( '/[\][<>"\\x00-\\x20\\x7F\|]/e', "urlencode('\\0')", $url );
# Validate hostname portion
$matches = array();
$host = preg_replace( $strip, '', $host );
- // @fixme: validate hostnames here
+ // @todo Fixme: validate hostnames here
return $protocol . $host . $rest;
} else {