X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=includes%2Fparser%2FCoreTagHooks.php;h=438603a84165bfdc94f92becef983d004f827130;hb=79aa5a3fe4946959a03f931451f80a629ef94bbd;hp=d4c4f6d2d07e4c05909f6909b435db4415ae5976;hpb=40a628a501fc05bb00e834fe359ca4061925f320;p=lhc%2Fweb%2Fwiklou.git
diff --git a/includes/parser/CoreTagHooks.php b/includes/parser/CoreTagHooks.php
index d4c4f6d2d0..438603a841 100644
--- a/includes/parser/CoreTagHooks.php
+++ b/includes/parser/CoreTagHooks.php
@@ -56,9 +56,14 @@ class CoreTagHooks {
 $content = StringUtils::delimiterReplace( '', '', '$1', $text, 'i' );
 $attribs = Sanitizer::validateTagAttributes( $attribs, 'pre' );
- return Xml::openElement( 'pre', $attribs ) .
- Xml::escapeTagsOnly( $content ) .
- '';
+ // We need to let both '"' and '&' through,
+ // for strip markers and entities respectively.
+ $content = str_replace(
+ [ '>', '<' ],
+ [ '>', '<' ],
+ $content
+ );
+ return Html::rawElement( 'pre', $attribs, $content );
 }
 /**
@@ -74,12 +79,25 @@ class CoreTagHooks {
 * @param array $attributes
 * @param Parser $parser
 * @throws MWException
- * @return array
+ * @return array|string Output of tag hook
 */
 public static function html( $content, $attributes, $parser ) {
 global $wgRawHtml;
 if ( $wgRawHtml ) {
- return [ $content, 'markerType' => 'nowiki' ];
+ if ( $parser->getOptions()->getAllowUnsafeRawHtml() ) {
+ return [ $content, 'markerType' => 'nowiki' ];
+ } else {
+ // In a system message where raw html is
+ // not allowed (but it is allowed in other
+ // contexts).
+ return Html::rawElement(
+ 'span',
+ [ 'class' => 'error' ],
+ // Using ->text() not ->parse() as
+ // a paranoia measure against a loop.
+ wfMessage( 'rawhtml-notallowed' )->escaped()
+ );
+ }
 } else {
 throw new MWException( ' extension tag encountered unexpectedly' );
 }
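Review bot: `Html::rawElement` writes `$content` out unescaped, so the `str_replace` directly above it is the only escaping left on the body of a `pre` tag, and the same two-character rule is written a second time, as a `strtr` map, in `nowiki()` in the last hunk. A single private helper called from both places would keep the two copies from drifting apart, with a comment on it such as `// Escapes only < and >; the result is safe as element text, not inside an attribute value.` As this page shows them, the search and replacement arrays are identical (likewise `'<' => '<'` in `nowiki()`), which is presumably the page decoding the entities rather than the committed code; it is worth confirming against the repository that the replacements are the entity forms, since otherwise the call is a no-op. The body of `pre()` starts above the hunk.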
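Review bot: The comment inside the `Html::rawElement` call says `// Using ->text() not ->parse()`, but the line below it calls `->escaped()`, so the comment describes code that is not there. It should read `// Using ->escaped() rather than ->parse() as a paranoia measure against a loop.`, because a later reader who "fixes" the call to match the comment would pass an unescaped message into a raw element. The `else` after the first `return` can also be dropped so the refusal path is not nested. The closing brace of `html()` lies outside the hunk.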
@@ -98,8 +116,17 @@ class CoreTagHooks {
 * @return array
 */
 public static function nowiki( $content, $attributes, $parser ) {
- $content = strtr( $content, [ '-{' => '-{', '}-' => '}-' ] );
- return [ Xml::escapeTagsOnly( $content ), 'markerType' => 'nowiki' ];
+ $content = strtr( $content, [
+ // lang converter
+ '-{' => '-{',
+ '}-' => '}-',
+ // html tags
+ '<' => '<',
+ '>' => '>'
+ // Note: Both '"' and '&' are not converted.
+ // This allows strip markers and entities through.
+ ] );
+ return [ $content, 'markerType' => 'nowiki' ];
 }
 /**
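Review bot: With `Xml::escapeTagsOnly` removed, the string returned from `nowiki()` passes `"` through (the new in-array comment says so), and unlike `pre()` nothing in this hunk shows where the strip-marker content is finally emitted. The value is therefore safe as element text only, and the docblock should record that, for example `* @return array Content with only < and > escaped; not safe inside an attribute value`. A parser test that places nowiki content next to a quoted attribute and asserts the rendered attribute stays intact would pin the assumption the comment relies on. The docblock for `nowiki()` starts above the hunk.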