$content = StringUtils::delimiterReplace( '<nowiki>', '</nowiki>', '$1', $text, 'i' );
$attribs = Sanitizer::validateTagAttributes( $attribs, 'pre' );
- return Xml::openElement( 'pre', $attribs ) .
- Xml::escapeTagsOnly( $content ) .
- '</pre>';
+ // We need to let both '"' and '&' through,
+ // for strip markers and entities respectively.
+ $content = str_replace(
+ [ '>', '<' ],
+ [ '>', '<' ],
+ $content
+ );
+ return Html::rawElement( 'pre', $attribs, $content );
}
/**
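Review bot: As shown here, the search and replacement arrays passed to `str_replace` in `pre()` are identical (`[ '>', '<' ]` twice), which would be a no-op and pass raw angle brackets to `Html::rawElement`, which does not escape its content. This is presumably the page decoding the entity forms, so check that the committed file replaces with `'&gt;'` and `'&lt;'`; the same applies to the `strtr` map in `nowiki()` further down, where keys and values also read the same. Because the escaping is now a hand-written list rather than `Xml::escapeTagsOnly`, the comment should state the assumption it relies on, for example `// Only safe as element content; never reuse $content in an attribute value, where '"' must be escaped.` The body of `pre()` starts above this hunk.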
* @param array $attributes
* @param Parser $parser
* @throws MWException
- * @return array
+ * @return array|string Output of tag hook
*/
public static function html( $content, $attributes, $parser ) {
global $wgRawHtml;
if ( $wgRawHtml ) {
- return [ $content, 'markerType' => 'nowiki' ];
+ if ( $parser->getOptions()->getAllowUnsafeRawHtml() ) {
+ return [ $content, 'markerType' => 'nowiki' ];
+ } else {
+ // In a system message where raw html is
+ // not allowed (but it is allowed in other
+ // contexts).
+ return Html::rawElement(
+ 'span',
+ [ 'class' => 'error' ],
+ // Using ->text() not ->parse() as
+ // a paranoia measure against a loop.
+ wfMessage( 'rawhtml-notallowed' )->escaped()
+ );
+ }
} else {
throw new MWException( '<html> extension tag encountered unexpectedly' );
}
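Review bot: The comment above the `wfMessage( 'rawhtml-notallowed' )` call says `->text()` is used, but the code calls `->escaped()`, so the comment should read `// Using ->escaped() not ->parse() as a paranoia measure against a loop.` The difference matters because the result is passed to `Html::rawElement`, where an unescaped message body would be emitted as is. The new branch also only protects callers that turn `getAllowUnsafeRawHtml()` off; which parser options do that is not visible in this hunk and is worth naming in the docblock next to the new `@return array|string`. The closing brace of `html()` is outside the hunk.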
* @return array
*/
public static function nowiki( $content, $attributes, $parser ) {
- $content = strtr( $content, [ '-{' => '-{', '}-' => '}-' ] );
- return [ Xml::escapeTagsOnly( $content ), 'markerType' => 'nowiki' ];
+ $content = strtr( $content, [
+ // lang converter
+ '-{' => '-{',
+ '}-' => '}-',
+ // html tags
+ '<' => '<',
+ '>' => '>'
+ // Note: Both '"' and '&' are not converted.
+ // This allows strip markers and entities through.
+ ] );
+ return [ $content, 'markerType' => 'nowiki' ];
}
/**
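Review bot: `nowiki()` now hand-rolls in a `strtr` map the same tag escaping that `pre()` does with `str_replace`, so two security-relevant lists have to be kept in step by hand. A single private static helper called from both would keep the rule (escape `<` and `>`, leave `"` and `&` alone) in one place. The string is returned with `'markerType' => 'nowiki'` and no longer goes through `Xml::escapeTagsOnly`, so this map is the only escaping visible on this path. The note inside the array could say so, for example `// This map is the only escaping applied to nowiki content; extend it here if the output context changes.`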