dépôts / lhc / web / wiklou.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
parser: Validate $length in padleft/padright parser functions
[lhc/web/wiklou.git] / includes / parser / CoreParserFunctions.php
diff --git a/includes/parser/CoreParserFunctions.php b/includes/parser/CoreParserFunctions.php
index bb0072c..0e30b3c 100644 (file)
--- a/includes/parser/CoreParserFunctions.php
+++ b/includes/parser/CoreParserFunctions.php
@@ -337,8 +337,8 @@ class CoreParserFunctions {
                // default
                $gender = User::getDefaultOption( 'gender' );
 
-               // allow prefix.
-               $title = Title::newFromText( $username );
+               // allow prefix and normalize (e.g. "*foo" -> "*foo" ).
+               $title = Title::newFromText( $username, NS_USER );
 
                if ( $title && $title->inNamespace( NS_USER ) ) {
                        $username = $title->getText();
@@ -830,7 +830,7 @@ class CoreParserFunctions {
                        $restrictions = $titleObject->getRestrictions( strtolower( $type ) );
                        # Title::getRestrictions returns an array, its possible it may have
                        # multiple values in the future
-                       return implode( $restrictions, ',' );
+                       return implode( ',', $restrictions );
                }
                return '';
        }
@@ -882,7 +882,7 @@ class CoreParserFunctions {
         * Unicode-safe str_pad with the restriction that $length is forced to be <= 500
         * @param Parser $parser
         * @param string $string
-        * @param int $length
+        * @param string $length
         * @param string $padding
         * @param int $direction
         * @return string
@@ -897,7 +897,12 @@ class CoreParserFunctions {
                }
 
                # The remaining length to add counts down to 0 as padding is added
-               $length = min( $length, 500 ) - mb_strlen( $string );
+               $length = min( (int)$length, 500 ) - mb_strlen( $string );
+               if ( $length <= 0 ) {
+                       // Nothing to add
+                       return $string;
+               }
+
                # $finalPadding is just $padding repeated enough times so that
                # mb_strlen( $string ) + mb_strlen( $finalPadding ) == $length
                $finalPadding = '';
@@ -930,7 +935,8 @@ class CoreParserFunctions {
         */
        public static function anchorencode( $parser, $text ) {
                $text = $parser->killMarkers( $text );
-               return (string)substr( $parser->guessSectionNameFromWikiText( $text ), 1 );
+               $section = (string)substr( $parser->guessSectionNameFromWikiText( $text ), 1 );
+               return Sanitizer::safeEncodeAttribute( $section );
        }
 
        public static function special( $parser, $text ) {
@@ -1004,10 +1010,10 @@ class CoreParserFunctions {
                if ( $argA == 'nowiki' ) {
                        // {{filepath: | option [| size] }}
                        $isNowiki = true;
-                       $parsedWidthParam = $parser->parseWidthParam( $argB );
+                       $parsedWidthParam = Parser::parseWidthParam( $argB );
                } else {
                        // {{filepath: [| size [|option]] }}
-                       $parsedWidthParam = $parser->parseWidthParam( $argA );
+                       $parsedWidthParam = Parser::parseWidthParam( $argA );
                        $isNowiki = ( $argB == 'nowiki' );
                }
 
@@ -1338,7 +1344,7 @@ class CoreParserFunctions {
                        foreach ( $sources[0] as $sourceTitle ) {
                                $names[] = $sourceTitle->getPrefixedText();
                        }
-                       return implode( $names, '|' );
+                       return implode( '|', $names );
                }
                return '';
        }
Wiklou, le Wiki du Wiklou