X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=includes%2FHtml.php;h=aa51243d75ebe1236f7356f479c8f705960f096a;hb=db331661b9fd60b1012a98d103078419d85dcb14;hp=d066effd926ecc92456c1c10aad76e8970e385ba;hpb=c65b486b580aaab5d7321b4c0e1d5d1915fca05e;p=lhc%2Fweb%2Fwiklou.git
diff --git a/includes/Html.php b/includes/Html.php
index d066effd92..aa51243d75 100644
--- a/includes/Html.php
+++ b/includes/Html.php
@@ -213,7 +213,7 @@ class Html {
 // Silly XML.
 return substr( $start, 0, -1 ) . '/>';
 } else {
- return "$start$contents" . self::closeElement( $element );
+ return $start . $contents . self::closeElement( $element );
 }
 }
 
@@ -255,6 +255,12 @@ class Html {
 // consistency and better compression.
 $element = strtolower( $element );
 
+ // Some people were abusing this by passing things like
+ // 'h1 id="foo" to $element, which we don't want.
+ if ( strpos( $element, ' ' ) !== false ) {
+ wfWarn( __METHOD__ . " given element name with space '$element'" );
+ }
+
 // Remove invalid input types
 if ( $element == 'input' ) {
 $validTypes = [
@@ -568,10 +574,8 @@ class Html {
 $attrs = [];
 if ( $nonce !== null ) {
 $attrs['nonce'] = $nonce;
- } else {
- if ( ContentSecurityPolicy::isNonceRequired( RequestContext::getMain()->getConfig() ) ) {
- wfWarn( "no nonce set on script. CSP will break it" );
- }
+ } elseif ( ContentSecurityPolicy::isNonceRequired( RequestContext::getMain()->getConfig() ) ) {
+ wfWarn( "no nonce set on script. CSP will break it" );
 }
 
 if ( preg_match( '/<\/?script/i', $contents ) ) {
@@ -594,10 +598,8 @@ class Html {
 $attrs = [ 'src' => $url ];
 if ( $nonce !== null ) {
 $attrs['nonce'] = $nonce;
- } else {
- if ( ContentSecurityPolicy::isNonceRequired( RequestContext::getMain()->getConfig() ) ) {
- wfWarn( "no nonce set on script. CSP will break it" );
- }
+ } elseif ( ContentSecurityPolicy::isNonceRequired( RequestContext::getMain()->getConfig() ) ) {
+ wfWarn( "no nonce set on script. CSP will break it" );
 }
 
 return self::element( 'script', $attrs );
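Review bot: The check added in the second hunk (new lines 258–263) only tests for a literal space and only calls `wfWarn`, so a name like the `h1 id="foo"` example from the comment is warned about and then still flows into the rest of the method, which starts and ends outside the hunk. A tab, newline, `/` or `>` in `$element` would break up the tag name in the same way without triggering the warning; the test could be widened to `if ( strcspn( $element, " \t\r\n\f/>" ) !== strlen( $element ) ) {`. If the warning is meant as a transition step, a follow-up that rejects such names once callers are fixed would close the gap, since a warning alone presumably does not change what is emitted. The example in the comment is also missing its closing quote: `// 'h1 id="foo"' to $element, which we don't want.`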
@@ -967,7 +969,7 @@ class Html {
 if ( $isXHTML ) { // XHTML5
 // XML MIME-typed markup should have an xml header.
 // However a DOCTYPE is not needed.
- $ret .= "\n";
+ $ret .= "\n";
 
 // Add the standard xmlns
 $attribs['xmlns'] = 'http://www.w3.org/1999/xhtml';
@@ -977,7 +979,6 @@ class Html {
 $attribs["xmlns:$tag"] = $ns;
 }
 } else { // HTML5
- // DOCTYPE
 $ret .= "\n";
 }