class SearchHighlighter {
protected $mCleanWikitext = true;
+ /**
+ * @warning If you pass false to this constructor, then
+ * the caller is responsible for HTML escaping.
+ * @param bool $cleanupWikitext
+ */
function __construct( $cleanupWikitext = true ) {
$this->mCleanWikitext = $cleanupWikitext;
}
/**
* Split text into lines and add it to extracts array
*
- * @param array $extracts Index -> $line
- * @param int $count
+ * @param array &$extracts Index -> $line
+ * @param int &$count
* @param string $text
*/
function splitAndAdd( &$extracts, &$count, $text ) {
* @param string $text
* @param int $start
* @param int $end
- * @param int $posStart (out) actual start position
- * @param int $posEnd (out) actual end position
+ * @param int &$posStart (out) actual start position
+ * @param int &$posEnd (out) actual end position
* @return string
*/
function extract( $text, $start, $end, &$posStart = null, &$posEnd = null ) {
*
* @param string $pattern Regexp for matching lines
* @param array $extracts Extracts to search
- * @param int $linesleft Number of extracts to make
- * @param int $contextchars Length of snippet
- * @param array $out Map for highlighted snippets
- * @param array $offsets Map of starting points of snippets
+ * @param int &$linesleft Number of extracts to make
+ * @param int &$contextchars Length of snippet
+ * @param array &$out Map for highlighted snippets
+ * @param array &$offsets Map of starting points of snippets
* @protected
*/
function process( $pattern, $extracts, &$linesleft, &$contextchars, &$out, &$offsets ) {
$text = preg_replace( "/('''|<\/?[iIuUbB]>)/", "", $text );
$text = preg_replace( "/''/", "", $text );
+ // Note, the previous /<\/?[^>]+>/ is insufficient
+ // for XSS safety as the HTML tag can span multiple
+ // search results (T144845).
+ $text = Sanitizer::escapeHtmlAllowEntities( $text );
return $text;
}
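Review bot: The `Sanitizer::escapeHtmlAllowEntities( $text )` call added just before `return $text;` covers only the wikitext-cleanup path, while the new constructor `@warning` confirms that an instance built with `$cleanupWikitext = false` still returns text the caller must escape, so that path is protected by documentation alone. Every call site that passes `false` should be audited as part of this change, and a regression test whose input has a tag split across two extracts (the T144845 case) would pin the fix. Because the snippet's safety now depends on escaping being the final transformation in this function, I would add a comment next to the call such as `// Keep this last: text added or substituted after this call is not escaped.` The enclosing function begins outside the visible lines, so I cannot confirm from here that the highlight markup is inserted only after this escaping has run.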