X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;ds=sidebyside;f=includes%2FSanitizer.php;h=60c949893823b5f7c8d97140b770e86e442cc5c3;hb=2c085ac5a3c8020958d52554e13317feef30ffaf;hp=5242856434941a6346f5cbe9f4f76111aedd9226;hpb=35704248ae79667342e68084d8c18915b85472e9;p=lhc%2Fweb%2Fwiklou.git
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index 5242856434..60c9498938 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -721,7 +721,7 @@ class Sanitizer {
 * Take an array of attribute names and values and normalize or discard
 * illegal values for the given whitelist.
 *
- * - Discards attributes not the given whitelist
+ * - Discards attributes not on the given whitelist
 * - Unsafe style attributes are discarded
 * - Invalid id attributes are re-encoded
 *
@@ -770,18 +770,18 @@ class Sanitizer {
 $value = Sanitizer::checkCss( $value );
 }
 
+ # Escape HTML id attributes
 if ( $attribute === 'id' ) {
 $value = Sanitizer::escapeId( $value, 'noninitial' );
 }
 
- # WAI-ARIA
- # http://www.w3.org/TR/wai-aria/
- # http://www.whatwg.org/html/elements.html#wai-aria
- # For now we only support role="presentation" until we work out what roles should be
- # usable by content and we ensure that our code explicitly rejects patterns that
- # violate HTML5's ARIA restrictions.
- if ( $attribute === 'role' && $value !== 'presentation' ) {
- continue;
+ # Escape HTML id reference lists
+ if ( $attribute === 'aria-describedby'
+ || $attribute === 'aria-flowto'
+ || $attribute === 'aria-labelledby'
+ || $attribute === 'aria-owns'
+ ) {
+ $value = Sanitizer::escapeIdReferenceList( $value, 'noninitial' );
 }
 
 // RDFa and microdata properties allow URLs, URIs and/or CURIs.
@@ -950,7 +950,6 @@ class Sanitizer {
 return $value;
 }
 
-
 /**
 * Pick apart some CSS and check it for forbidden or unsafe structures.
 * Returns a sanitized string. This sanitized string will have
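Review bot: The deleted `role` check is not replaced by anything, so after this hunk a `role` attribute reaches the output with whatever value the content supplied, where before only `presentation` was accepted; the whitelist hunk at @@ -1547 keeps `role` listed, and the removed comment that explained the restriction is gone with it. If accepting every role is the intent, a one-line comment in place of the removed block would record the decision, e.g. `# role: all values are passed through; ARIA ID reference lists are escaped below`; if not, a check of `$value` against a list of permitted roles belongs here, as the old code had. The new `escapeIdReferenceList()` call mirrors the `'noninitial'` option used for `id` a few lines above, so the references and the ids they point at go through the same escaping. The enclosing function begins and ends outside the hunk.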
@@ -1164,6 +1163,39 @@ class Sanitizer {
 return $id;
 }
 
+ /**
+ * Given a string containing a space delimited list of ids, escape each id
+ * to match ids escaped by the escapeId() function.
+ *
+ * @since 1.27
+ *
+ * @param string $referenceString Space delimited list of ids
+ * @param string|array $options String or array of strings (default is array()):
+ * 'noninitial': This is a non-initial fragment of an id, not a full id,
+ * so don't pay attention if the first character isn't valid at the
+ * beginning of an id. Only matters if $wgExperimentalHtmlIds is
+ * false.
+ * 'legacy': Behave the way the old HTML 4-based ID escaping worked even
+ * if $wgExperimentalHtmlIds is used, so we can generate extra
+ * anchors and links won't break.
+ * @return string
+ */
+ static function escapeIdReferenceList( $referenceString, $options = array() ) {
+ # Explode the space delimited list string into an array of tokens
+ $references = preg_split( '/\s+/', "{$referenceString}", -1, PREG_SPLIT_NO_EMPTY );
+
+ # Escape each token as an id
+ foreach ( $references as &$ref ) {
+ $ref = Sanitizer::escapeId( $ref, $options );
+ }
+
+ # Merge the array back to a space delimited list string
+ # If the array is empty, the result will be an empty string ('')
+ $referenceString = implode( ' ', $references );
+
+ return $referenceString;
+ }
+
 /**
 * Given a value, escape it so that it can be used as a CSS class and
 * return it.
@@ -1209,7 +1241,7 @@ class Sanitizer {
 
 /**
 * Return an associative array of attribute names and values from
- * a partial tag string. Attribute names are forces to lowercase,
+ * a partial tag string. Attribute names are forced to lowercase,
 * character references are decoded to UTF-8 text.
 *
 * @param string $text
@@ -1547,6 +1579,11 @@ class Sanitizer {
 'title',
 
 # WAI-ARIA
+ 'aria-describedby',
+ 'aria-flowto',
+ 'aria-label',
+ 'aria-labelledby',
+ 'aria-owns',
 'role',
 );
 
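Review bot: `foreach ( $references as &$ref )` leaves `$ref` aliased to the last element once the loop ends; it does no harm here because `$references` is only imploded before the function returns, but the conventional guard is `unset( $ref );` right after the loop's closing brace so a later addition cannot overwrite that element by accident. The `"{$referenceString}"` argument is an indirect string cast; `(string)$referenceString` reads more plainly and behaves the same for the string input the docblock promises. The docblock could also say that tokens are separated by runs of whitespace (`\s+`) and that an empty or whitespace-only input returns `''`, which is currently stated only in an inline comment.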
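Review bot: Four of the five new whitelist entries are ID reference lists that the @@ -770 hunk sends through `escapeIdReferenceList()`, while `aria-label` is free text that presumably takes the generic attribute path; nothing in the list marks that split, so the two hunks can drift apart when the next aria-* attribute is added. A comment beside the entries would tie them together, e.g. `# ID reference lists below are escaped in the attribute loop; aria-label is plain text`. The array this hunk edits starts before the hunk.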