includes/OutputHandler.php

   1 <?php
   2 /**
   3  * Functions to be used with PHP's output buffer.
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License as published by
   7  * the Free Software Foundation; either version 2 of the License, or
   8  * (at your option) any later version.
   9  *
  10  * This program is distributed in the hope that it will be useful,
  11  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  13  * GNU General Public License for more details.
  14  *
  15  * You should have received a copy of the GNU General Public License along
  16  * with this program; if not, write to the Free Software Foundation, Inc.,
  17  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
  18  * http://www.gnu.org/copyleft/gpl.html
  19  *
  20  * @file
  21  */
  22
  23 /**
  24  * Standard output handler for use with ob_start
  25  *
  26  * @param string $s
  27  *
  28  * @return string
  29  */
  30 function wfOutputHandler( $s ) {
  31         global $wgDisableOutputCompression, $wgValidateAllHtml;
  32         $s = wfMangleFlashPolicy( $s );
  33         if ( $wgValidateAllHtml ) {
  34                 $headers = headers_list();
  35                 $isHTML = false;
  36                 foreach ( $headers as $header ) {
  37                         $parts = explode( ':', $header, 2 );
  38                         if ( count( $parts ) !== 2 ) {
  39                                 continue;
  40                         }
  41                         $name = strtolower( trim( $parts[0] ) );
  42                         $value = trim( $parts[1] );
  43                         if ( $name == 'content-type' && ( strpos( $value, 'text/html' ) === 0
  44                                 || strpos( $value, 'application/xhtml+xml' ) === 0 )
  45                         ) {
  46                                 $isHTML = true;
  47                                 break;
  48                         }
  49                 }
  50                 if ( $isHTML ) {
  51                         $s = wfHtmlValidationHandler( $s );
  52                 }
  53         }
  54         if ( !$wgDisableOutputCompression && !ini_get( 'zlib.output_compression' ) ) {
  55                 if ( !defined( 'MW_NO_OUTPUT_COMPRESSION' ) ) {
  56                         $s = wfGzipHandler( $s );
  57                 }
  58                 if ( !ini_get( 'output_handler' ) ) {
  59                         wfDoContentLength( strlen( $s ) );
  60                 }
  61         }
  62         return $s;
  63 }
  64
  65 /**
  66  * Get the "file extension" that some client apps will estimate from
  67  * the currently-requested URL.
  68  * This isn't on WebRequest because we need it when things aren't initialized
  69  * @private
  70  *
  71  * @return string
  72  */
  73 function wfRequestExtension() {
  74         /// @todo FIXME: this sort of dupes some code in WebRequest::getRequestUrl()
  75         if ( isset( $_SERVER['REQUEST_URI'] ) ) {
  76                 // Strip the query string...
  77                 list( $path ) = explode( '?', $_SERVER['REQUEST_URI'], 2 );
  78         } elseif ( isset( $_SERVER['SCRIPT_NAME'] ) ) {
  79                 // Probably IIS. QUERY_STRING appears separately.
  80                 $path = $_SERVER['SCRIPT_NAME'];
  81         } else {
  82                 // Can't get the path from the server? :(
  83                 return '';
  84         }
  85
  86         $period = strrpos( $path, '.' );
  87         if ( $period !== false ) {
  88                 return strtolower( substr( $path, $period ) );
  89         }
  90         return '';
  91 }
  92
  93 /**
  94  * Handler that compresses data with gzip if allowed by the Accept header.
  95  * Unlike ob_gzhandler, it works for HEAD requests too.
  96  *
  97  * @param string $s
  98  *
  99  * @return string
 100  */
 101 function wfGzipHandler( $s ) {
 102         if ( !function_exists( 'gzencode' ) ) {
 103                 wfDebug( __FUNCTION__ . "() skipping compression (gzencode unavailable)\n" );
 104                 return $s;
 105         }
 106         if ( headers_sent() ) {
 107                 wfDebug( __FUNCTION__ . "() skipping compression (headers already sent)\n" );
 108                 return $s;
 109         }
 110
 111         $ext = wfRequestExtension();
 112         if ( $ext == '.gz' || $ext == '.tgz' ) {
 113                 // Don't do gzip compression if the URL path ends in .gz or .tgz
 114                 // This confuses Safari and triggers a download of the page,
 115                 // even though it's pretty clearly labeled as viewable HTML.
 116                 // Bad Safari! Bad!
 117                 return $s;
 118         }
 119
 120         if ( wfClientAcceptsGzip() ) {
 121                 wfDebug( __FUNCTION__ . "() is compressing output\n" );
 122                 header( 'Content-Encoding: gzip' );
 123                 $s = gzencode( $s, 6 );
 124         }
 125
 126         // Set vary header if it hasn't been set already
 127         $headers = headers_list();
 128         $foundVary = false;
 129         foreach ( $headers as $header ) {
 130                 if ( substr( $header, 0, 5 ) == 'Vary:' ) {
 131                         $foundVary = true;
 132                         break;
 133                 }
 134         }
 135         if ( !$foundVary ) {
 136                 header( 'Vary: Accept-Encoding' );
 137                 global $wgUseXVO;
 138                 if ( $wgUseXVO ) {
 139                         header( 'X-Vary-Options: Accept-Encoding;list-contains=gzip' );
 140                 }
 141         }
 142         return $s;
 143 }
 144
 145 /**
 146  * Mangle flash policy tags which open up the site to XSS attacks.
 147  *
 148  * @param string $s
 149  *
 150  * @return string
 151  */
 152 function wfMangleFlashPolicy( $s ) {
 153         # Avoid weird excessive memory usage in PCRE on big articles
 154         if ( preg_match( '/\<\s*cross-domain-policy\s*\>/i', $s ) ) {
 155                 return preg_replace( '/\<\s*cross-domain-policy\s*\>/i', '<NOT-cross-domain-policy>', $s );
 156         } else {
 157                 return $s;
 158         }
 159 }
 160
 161 /**
 162  * Add a Content-Length header if possible. This makes it cooperate with squid better.
 163  *
 164  * @param int $length
 165  */
 166 function wfDoContentLength( $length ) {
 167         if ( !headers_sent()
 168                 && isset( $_SERVER['SERVER_PROTOCOL'] )
 169                 && $_SERVER['SERVER_PROTOCOL'] == 'HTTP/1.0'
 170         ) {
 171                 header( "Content-Length: $length" );
 172         }
 173 }
 174
 175 /**
 176  * Replace the output with an error if the HTML is not valid
 177  *
 178  * @param string $s
 179  *
 180  * @return string
 181  */
 182 function wfHtmlValidationHandler( $s ) {
 183
 184         $errors = '';
 185         if ( MWTidy::checkErrors( $s, $errors ) ) {
 186                 return $s;
 187         }
 188
 189         header( 'Cache-Control: no-cache' );
 190
 191         $out = Html::element( 'h1', null, 'HTML validation error' );
 192         $out .= Html::openElement( 'ul' );
 193
 194         $error = strtok( $errors, "\n" );
 195         $badLines = array();
 196         while ( $error !== false ) {
 197                 if ( preg_match( '/^line (\d+)/', $error, $m ) ) {
 198                         $lineNum = intval( $m[1] );
 199                         $badLines[$lineNum] = true;
 200                         $out .= Html::rawElement( 'li', null,
 201                                 Html::element( 'a', array( 'href' => "#line-{$lineNum}" ), $error ) ) . "\n";
 202                 }
 203                 $error = strtok( "\n" );
 204         }
 205
 206         $out .= Html::closeElement( 'ul' );
 207         $out .= Html::element( 'pre', null, $errors );
 208         $out .= Html::openElement( 'ol' ) . "\n";
 209         $line = strtok( $s, "\n" );
 210         $i = 1;
 211         while ( $line !== false ) {
 212                 $attrs = array();
 213                 if ( isset( $badLines[$i] ) ) {
 214                         $attrs['class'] = 'highlight';
 215                         $attrs['id'] = "line-$i";
 216                 }
 217                 $out .= Html::element( 'li', $attrs, $line ) . "\n";
 218                 $line = strtok( "\n" );
 219                 $i++;
 220         }
 221         $out .= Html::closeElement( 'ol' );
 222
 223         $style = <<<CSS
 224 .highlight { background-color: #ffc }
 225 li { white-space: pre }
 226 CSS;
 227
 228         $out = Html::htmlHeader( array( 'lang' => 'en', 'dir' => 'ltr' ) ) .
 229                 Html::rawElement( 'head', null,
 230                         Html::element( 'title', null, 'HTML validation error' ) .
 231                         Html::inlineStyle( $style ) ) .
 232                 Html::rawElement( 'body', null, $out ) .
 233                 Html::closeElement( 'html' );
 234
 235         return $out;
 236 }