X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=includes%2FSanitizer.php;h=4c996771e89f5bf761ebdebf6e8cf7d54a5c10c2;hb=235e92846eb6fd132f28ec5e05240e3821542ac8;hp=907da16054b20995fff542efc721a4e034af0628;hpb=79ef473a2f558438c6846d046afe2e31db042722;p=lhc%2Fweb%2Fwiklou.git
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index 907da16054..4c996771e8 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -815,7 +815,7 @@ class Sanitizer {
 
 # Escape HTML id attributes
 if ( $attribute === 'id' ) {
- $value = self::escapeIdForAttribute( $value, Sanitizer::ID_PRIMARY );
+ $value = self::escapeIdForAttribute( $value, self::ID_PRIMARY );
 }
 
 # Escape HTML id reference lists
@@ -824,7 +824,7 @@ class Sanitizer {
 || $attribute === 'aria-labelledby'
 || $attribute === 'aria-owns'
 ) {
- $value = self::escapeIdReferenceList( $value, 'noninitial' );
+ $value = self::escapeIdReferenceList( $value );
 }
 
 // RDFa and microdata properties allow URLs, URIs and/or CURIs.
@@ -1203,8 +1203,6 @@ class Sanitizer {
 global $wgExperimentalHtmlIds;
 $options = (array)$options;
 
- $id = self::decodeCharReferences( $id );
-
 if ( $wgExperimentalHtmlIds && !in_array( 'legacy', $options ) ) {
 $id = preg_replace( '/[ \t\n\r\f_\'"&#%]+/', '_', $id );
 $id = trim( $id, '_' );
@@ -1284,7 +1282,6 @@ class Sanitizer {
 $mode = $wgFragmentMode[self::ID_PRIMARY];
 
 $id = self::escapeIdInternal( $id, $mode );
- $id = self::urlEscapeId( $id, $mode );
 
 return $id;
 }
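Review bot: With `self::decodeCharReferences( $id )` gone from the legacy escapeId path, an id such as `a&amp;b` now reaches the `$wgExperimentalHtmlIds` branch undecoded, and the `[ \t\n\r\f_\'"&#%]+` replacement below turns it into `a_amp;b` where the old code produced `a_b`; any anchor or fragment derived from the same heading text elsewhere must now be decoded by the caller first or the two stop matching. The enclosing function starts before and ends after this hunk, so the new precondition belongs in its docblock: `@param string $id Id to escape; character references must already be decoded by the caller`. While here, the membership test should be strict now that `$options` is always an array: `!in_array( 'legacy', $options, true )`.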
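Review bot: escapeIdForLink now hands back escapeIdInternal's output unchanged, so in html5 mode (where escapeIdInternal appears to do little more than map spaces to underscores) characters such as `%`, `#`, `?` and `"` are no longer percent-encoded here and travel into whatever `href` the caller assembles. That is presumably the intended split of responsibilities, but it means each caller must both URL-encode the fragment and attribute-escape it for HTML; the callers are not in this diff, so that needs confirming. The method's docblock lies above the hunk and should record the new contract: `@return string Escaped id, NOT percent-encoded; URL-encode before use in a link fragment`.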
@@ -1302,23 +1299,6 @@ class Sanitizer {
 global $wgExternalInterwikiFragmentMode;
 
 $id = self::escapeIdInternal( $id, $wgExternalInterwikiFragmentMode );
- $id = self::urlEscapeId( $id, $wgExternalInterwikiFragmentMode );
-
- return $id;
- }
-
- /**
- * Helper for escapeIdFor*() functions. URL-escapes the ID if needed.
- *
- * @param string $id String to escape
- * @param string $mode One of modes from $wgFragmentMode
- * @return string
- */
- private static function urlEscapeId( $id, $mode ) {
- if ( $mode === 'html5' ) {
- $id = urlencode( $id );
- $id = str_replace( '%3A', ':', $id );
- }
 
 return $id;
 }
@@ -1331,8 +1311,6 @@ class Sanitizer {
 * @return string
 */
 private static function escapeIdInternal( $id, $mode ) {
- $id = Sanitizer::decodeCharReferences( $id );
-
 switch ( $mode ) {
 case 'html5':
 $id = str_replace( ' ', '_', $id );
@@ -1366,7 +1344,7 @@ class Sanitizer {
 * Given a string containing a space delimited list of ids, escape each id
 * to match ids escaped by the escapeId() function.
 *
- * @todo wfDeprecated() uses of $options in 1.31, remove completely in 1.32
+ * @todo remove $options completely in 1.32
 *
 * @since 1.27
 *
@@ -1375,6 +1353,9 @@ class Sanitizer {
 * @return string
 */
 static function escapeIdReferenceList( $referenceString, $options = [] ) {
+ if ( $options ) {
+ wfDeprecated( __METHOD__ . ' with $options', '1.31' );
+ }
 # Explode the space delimited list string into an array of tokens
 $references = preg_split( '/\s+/', "{$referenceString}", -1, PREG_SPLIT_NO_EMPTY );
 
@@ -1677,7 +1658,10 @@ class Sanitizer {
 $text = preg_replace_callback(
 self::CHAR_REFS_REGEX,
 [ 'Sanitizer', 'decodeCharReferencesCallback' ],
- $text, /* limit */ -1, $count );
+ $text,
+ -1, //limit
+ $count
+ );
 
 if ( $count ) {
 return $wgContLang->normalize( $text );
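Review bot: The deleted urlEscapeId docblock was the only place stating that html5-mode ids were URL-encoded with `:` kept literal; now that escapeIdForExternalInterwiki returns the raw escapeIdInternal result, its own docblock (above this hunk) should be updated so interwiki-link builders know the fragment still needs percent-encoding, e.g. `@return string Escaped id, not URL-encoded; callers must percent-encode it for the interwiki URL`. Without that note the silent loss of `urlencode()` is easy to miss for anyone reading only the public method.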
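Review bot: escapeIdInternal no longer decodes character references, so `$id` is consumed verbatim and the `html5` case visible here only rewrites spaces; that contract change should be written into the docblock whose tail (` * @return string`) sits in the hunk: `@param string $id Id to escape; character references must already be decoded by the caller`. Since the input is user-controlled heading or attribute text and nothing in this branch strips quotes or angle brackets, the safety of the result now rests entirely on attribute escaping at serialisation time, which deserves a one-line reminder such as `// html5 ids may contain any non-space character; HTML escaping happens when the attribute is serialised`. The switch body continues past the end of the hunk.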
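Review bot: `-1, //limit` lacks the space after `//` that the MediaWiki coding conventions (and the project's phpcs ruleset) require; the old `/* limit */` also read as a label for the argument, which the new layout can keep by writing `-1, // limit: process all matches`. The surrounding function (`decodeCharReferencesAndNormalize`, judging by the `$wgContLang->normalize` call) starts before and ends after this hunk.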
@@ -1914,7 +1898,7 @@ class Sanitizer {
 # Not usually allowed, but may be used for extension-style hooks
 # such as when it is rasterized, or if $wgAllowImageTag is
 # true
- 'img' => array_merge( $common, [ 'alt', 'src', 'width', 'height' ] ),
+ 'img' => array_merge( $common, [ 'alt', 'src', 'width', 'height', 'srcset' ] ),
 'video' => array_merge( $common, [ 'poster', 'controls', 'preload', 'width',
 'height' ] ),
 'source' => array_merge( $common, [ 'type', 'src' ] ),
@@ -1951,6 +1935,10 @@ class Sanitizer {
 # https://www.w3.org/TR/REC-MathML/
 'math' => [ 'class', 'style', 'id', 'title' ],
 
+ // HTML 5 section 4.5
+ 'figure' => $common,
+ 'figcaption' => $common,
+
 # HTML 5 section 4.6
 'bdi' => $common,
 
@@ -1966,7 +1954,7 @@ class Sanitizer {
 // (ie: validateTag rejects tags missing the attributes needed for Microdata)
 // So we don't bother including $common attributes that have no purpose.
 'meta' => [ 'itemprop', 'content' ],
- 'link' => [ 'itemprop', 'href' ],
+ 'link' => [ 'itemprop', 'href', 'title' ],
 ];
 
 return $whitelist;
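Review bot: `srcset` is a URL-bearing attribute (a comma-separated list of URL/descriptor candidates), but adding it to the `img` whitelist does not by itself run those URLs through the protocol validation that `href`, `src` and `poster` receive in the attribute-validation code elsewhere in this file; that code is not in the hunk, so I am inferring from the existing `src` handling and it should be confirmed. If that inference holds, a candidate using a scheme outside `$wgUrlProtocols`, or a `data:` URI, would pass unchanged whenever `$wgAllowImageTag` is enabled, which is weaker than what `src` on the same element gets. Before this entry lands, the validator should split the value on commas, take the first token of each candidate as its URL and apply the same protocol check used for `src`, dropping the attribute if any candidate fails; a comment on this line such as `// srcset: each candidate URL must be protocol-checked like src` would tie the two together.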