Fix various phpcs error from last security patches

[lhc/web/wiklou.git] / includes / parser / CoreTagHooks.php

diff --git a/includes/parser/CoreTagHooks.php b/includes/parser/CoreTagHooks.php
index d4c4f6d..c943b7c 100644 (file)
--- a/includes/parser/CoreTagHooks.php
+++ b/includes/parser/CoreTagHooks.php
@@ -56,9 +56,14 @@ class CoreTagHooks {
                $content = StringUtils::delimiterReplace( '<nowiki>', '</nowiki>', '$1', $text, 'i' );
 
                $attribs = Sanitizer::validateTagAttributes( $attribs, 'pre' );
-               return Xml::openElement( 'pre', $attribs ) .
-                       Xml::escapeTagsOnly( $content ) .
-                       '</pre>';
+               // We need to let both '"' and '&' through,
+               // for strip markers and entities respectively.
+               $content = str_replace(
+                       [ '>', '<' ],
+                       [ '&gt;', '&lt;' ],
+                       $content
+               );
+               return Html::rawElement( 'pre', $attribs, $content );
        }
 
        /**
@@ -98,8 +103,17 @@ class CoreTagHooks {
         * @return array
         */
        public static function nowiki( $content, $attributes, $parser ) {
-               $content = strtr( $content, [ '-{' => '-&#123;', '}-' => '&#125;-' ] );
-               return [ Xml::escapeTagsOnly( $content ), 'markerType' => 'nowiki' ];
+               $content = strtr( $content, [
+                       // lang converter
+                       '-{' => '-&#123;',
+                       '}-' => '&#125;-',
+                       // html tags
+                       '<' => '&lt;',
+                       '>' => '&gt;'
+                       // Note: Both '"' and '&' are not converted.
+                       // This allows strip markers and entities through.
+               ] );
+               return [ $content, 'markerType' => 'nowiki' ];
        }
 
        /**