Updated pear/net_smtp from 1.8.0 to 1.8.1

[lhc/web/wiklou.git] / includes / Html.php

diff --git a/includes/Html.php b/includes/Html.php
index dba4c67..0aea7ea 100644 (file)
--- a/includes/Html.php
+++ b/includes/Html.php
@@ -255,6 +255,12 @@ class Html {
                // consistency and better compression.
                $element = strtolower( $element );
 
+               // Some people were abusing this by passing things like
+               // 'h1 id="foo" to $element, which we don't want.
+               if ( strpos( $element, ' ' ) !== false ) {
+                       wfWarn( __METHOD__ . " given element name with space '$element'" );
+               }
+
                // Remove invalid input types
                if ( $element == 'input' ) {
                        $validTypes = [
@@ -552,10 +558,13 @@ class Html {
        }
 
        /**
-        * Output a "<script>" tag with the given contents.
+        * Output an HTML script tag with the given contents.
         *
-        * @todo do some useful escaping as well, like if $contents contains
-        * literal "</script>" or (for XML) literal "]]>".
+        * It is unsupported for the contents to contain the sequence `<script` or `</script`
+        * (case-insensitive). This ensures the script can be terminated easily and consistently.
+        * It is the responsibility of the caller to avoid such character sequence by escaping
+        * or avoiding it. If found at run-time, the contents are replaced with a comment, and
+        * a warning is logged server-side.
         *
         * @param string $contents JavaScript
         * @param string|null $nonce Nonce for CSP header, from OutputPage::getCSPNonce()
@@ -571,8 +580,9 @@ class Html {
                        }
                }
 
-               if ( preg_match( '/[<&]/', $contents ) ) {
-                       $contents = "/*<![CDATA[*/$contents/*]]>*/";
+               if ( preg_match( '/<\/?script/i', $contents ) ) {
+                       wfLogWarning( __METHOD__ . ': Illegal character sequence found in inline script.' );
+                       $contents = '/* ERROR: Invalid script */';
                }
 
                return self::rawElement( 'script', $attrs, $contents );
@@ -836,9 +846,14 @@ class Html {
                        // Value is provided by user, the name shown is localized for the user.
                        $options[$params['all']] = wfMessage( 'namespacesall' )->text();
                }
-               // Add all namespaces as options (in the content language)
-               $options +=
-                       MediaWikiServices::getInstance()->getContentLanguage()->getFormattedNamespaces();
+               if ( $params['in-user-lang'] ?? false ) {
+                       global $wgLang;
+                       $lang = $wgLang;
+               } else {
+                       $lang = MediaWikiServices::getInstance()->getContentLanguage();
+               }
+               // Add all namespaces as options
+               $options += $lang->getFormattedNamespaces();
 
                $optionsOut = [];
                // Filter out namespaces below 0 and massage labels
@@ -851,8 +866,7 @@ class Html {
                                // main we don't use "" but the user message describing it (e.g. "(Main)" or "(Article)")
                                $nsName = wfMessage( 'blanknamespace' )->text();
                        } elseif ( is_int( $nsId ) ) {
-                               $nsName = MediaWikiServices::getInstance()->getContentLanguage()->
-                                       convertNamespace( $nsId );
+                               $nsName = $lang->convertNamespace( $nsId );
                        }
                        $optionsOut[$nsId] = $nsName;
                }