Prudency measure: only enable $wgRawHtml usage if $wgWhitelistEdit is on.

diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 6dc5caf..e03022b 100644 (file)
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -613,9 +613,9 @@ $wgGoToEdit = false;
 $wgUserHtml = true;
 
 # Allow raw, unchecked HTML in <html>...</html> sections.
-# THIS IS VERY DANGEROUS on a publically editable site.
-# Don't enable it unless you've restricted editing to trusted
-# users only.
+# THIS IS VERY DANGEROUS on a publically editable site, so
+# you can't enable it unless you've restricted editing to
+# trusted users only with $wgWhitelistEdit.
 $wgRawHtml = false;
 
 # $wgUseTidy: use tidy to make sure HTML output is sane.

diff --git a/includes/Parser.php b/includes/Parser.php
index 6b7bb46..0d1d4b7 100644 (file)
--- a/includes/Parser.php
+++ b/includes/Parser.php
@@ -53,6 +53,7 @@ define( 'STRIP_COMMENTS', 'HTMLCommentStrip' );
 
 # prefix for escaping, used in two functions at least
 define( 'UNIQ_PREFIX', 'NaodW29');
+#define( 'UNIQ_PREFIX', "\x07NaodW29");
 
 # Constants needed for external link processing
 define( 'URL_PROTOCOLS', 'http|https|ftp|irc|gopher|news|mailto' );
@@ -240,8 +241,8 @@ class Parser
                #$text = str_replace( $uniq_prefix, wfHtmlEscapeFirst( $uniq_prefix ), $text );
 
                # html
-               global $wgRawHtml;
-               if( $wgRawHtml ) {
+               global $wgRawHtml, $wgWhitelistEdit;
+               if( $wgRawHtml && $wgWhitelistEdit ) {
                        $text = Parser::extractTags('html', $text, $html_content, $uniq_prefix);
                        foreach( $html_content as $marker => $content ) {
                                if ($render ) {