*/
private function makeForm( $title, $input ) {
$self = $this->getPageTitle();
+ $request = $this->getRequest();
+ $user = $this->getUser();
+
$form = Xml::openElement(
'form',
array( 'method' => 'post', 'action' => $self->getLocalUrl() )
'contexttitle',
60,
$title,
- array( 'autofocus' => true, 'class' => 'mw-ui-input-inline' )
+ array( 'autofocus' => '', 'class' => 'mw-ui-input-inline' )
) . '</p>';
$form .= '<p>' . Xml::label(
$this->msg( 'expand_templates_input' )->text(),
array( 'accesskey' => 's' )
) . '</p>';
$form .= "</fieldset>\n";
+ $form .= Html::hidden( 'wpEditToken', $user->getEditToken( '', $request ) );
$form .= Xml::closeElement( 'form' );
return $form;
private function showHtmlPreview( Title $title, ParserOutput $pout, OutputPage $out ) {
$lang = $title->getPageViewLanguage();
$out->addHTML( "<h2>" . $this->msg( 'expand_templates_preview' )->escaped() . "</h2>\n" );
+
+ if ( $this->getConfig()->get( 'RawHtml' ) ) {
+ $request = $this->getRequest();
+ $user = $this->getUser();
+
+ // To prevent cross-site scripting attacks, don't show the preview if raw HTML is
+ // allowed and a valid edit token is not provided (bug 71111). However, MediaWiki
+ // does not currently provide logged-out users with CSRF protection; in that case,
+ // do not show the preview unless anonymous editing is allowed.
+ if ( $user->isAnon() && !$user->isAllowed( 'edit' ) ) {
+ $error = array( 'expand_templates_preview_fail_html_anon' );
+ } elseif ( !$user->matchEditToken( $request->getVal( 'wpEditToken' ), '', $request ) ) {
+ $error = array( 'expand_templates_preview_fail_html' );
+ } else {
+ $error = false;
+ }
+
+ if ( $error ) {
+ $out->wrapWikiMsg( "<div class='previewnote'>\n$1\n</div>", $error );
+ return;
+ }
+ }
+
$out->addHTML( Html::openElement( 'div', array(
'class' => 'mw-content-' . $lang->getDir(),
'dir' => $lang->getDir(),