X-Git-Url: https://git.heureux-cyclage.org/?p=lhc%2Fweb%2Fwiklou.git;a=blobdiff_plain;f=includes%2Fparser%2FSanitizer.php;h=f76e3a9c5d85b18e18487206b992d9fe1c5d06d9;hp=f8c3bc2c72fa2feeb6617c5d007fce0bc682d0fb;hb=214b37ff07f3fde89430297b2a857750a56ae205;hpb=0770f85a0a293e6c7af6f1d3d3a1dbd2d13c1e09
diff --git a/includes/parser/Sanitizer.php b/includes/parser/Sanitizer.php
index f8c3bc2c72..f76e3a9c5d 100644
--- a/includes/parser/Sanitizer.php
+++ b/includes/parser/Sanitizer.php
@@ -578,10 +578,8 @@ class Sanitizer {
 $badtag = true;
 }
 }
- } else {
- if ( $t == 'table' ) {
- $tagstack = array_pop( $tablestack );
- }
+ } elseif ( $t == 'table' ) {
+ $tagstack = array_pop( $tablestack );
 }
 $newparams = '';
 } else {
@@ -1075,6 +1073,7 @@ class Sanitizer {
 | image\s*\(
 | image-set\s*\(
 | attr\s*\([^)]+[\s,]+url
+ | var\s*\(
 !ix', $value ) ) {
 return '/* insecure input */';
 }
@@ -1375,20 +1374,14 @@ class Sanitizer {
 /**
 * Given a string containing a space delimited list of ids, escape each id
- * to match ids escaped by the escapeId() function.
- *
- * @todo remove $options completely in 1.32
+ * to match ids escaped by the escapeIdForAttribute() function.
 *
 * @since 1.27
 *
 * @param string $referenceString Space delimited list of ids
- * @param string|array $options Deprecated and does nothing.
 * @return string
 */
- static function escapeIdReferenceList( $referenceString, $options = [] ) {
- if ( $options ) {
- wfDeprecated( __METHOD__ . ' with $options', '1.31' );
- }
+ public static function escapeIdReferenceList( $referenceString ) {
 # Explode the space delimited list string into an array of tokens
 $references = preg_split( '/\s+/', "{$referenceString}", -1, PREG_SPLIT_NO_EMPTY );
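Review bot: In the `@@ -1075,6 +1073,7 @@` hunk the added `| var\s*\(` alternative carries no explanation of why `var()` is rejected, and the reason is not obvious from the neighbouring `image(`, `image-set(` and `attr(… url` entries. A custom property is substituted by the browser after sanitisation, so the value it expands to is never checked by this pattern; a comment beside the pattern such as `# var(): the substituted value is resolved client-side and never passes through this check` would record that. The match presumably relies on CSS escapes and comments having been normalised before this regex runs, which is outside the hunk, so a sanitizer test asserting that a value containing `var(` comes back as `/* insecure input */` would pin the behaviour. The enclosing function starts and ends outside the hunk.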
@@ -1926,7 +1919,8 @@ class Sanitizer {
 # such as when it is rasterized, or if $wgAllowImageTag is
 # true
 'img' => array_merge( $common, [ 'alt', 'src', 'width', 'height', 'srcset' ] ),
-
+ # Attributes for A/V tags added in T163583 / T133673
+ 'audio' => array_merge( $common, [ 'controls', 'preload', 'width', 'height' ] ),
 'video' => array_merge( $common, [ 'poster', 'controls', 'preload', 'width', 'height' ] ),
 'source' => array_merge( $common, [ 'type', 'src' ] ),
 'track' => array_merge( $common, [ 'type', 'src', 'srclang', 'kind', 'label' ] ),
@@ -1964,6 +1958,7 @@ class Sanitizer {
 // HTML 5 section 4.5
 'figure' => $common,
+ 'figure-inline' => $common, # T118520
 'figcaption' => $common,
 # HTML 5 section 4.6
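Review bot: The new `'audio'` entry in the `@@ -1926,7 +1919,8 @@` hunk whitelists `width` and `height`, which HTML defines for `<video>` but not for `<audio>`. If they are allowed on purpose (for instance because a player extension emits them), the comment should say so; otherwise the entry can be `'audio' => array_merge( $common, [ 'controls', 'preload' ] ),`. The comment `# Attributes for A/V tags added in T163583 / T133673` names only task ids, so it would help to state what a reader needs without the tracker, e.g. that `src` is absent from `audio` and `video` and only accepted on `source` and `track`; that reading is inferred from the visible lists, not stated in the commit. The array starts and ends outside the hunk.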
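Review bot: `'figure-inline'` is added under the `// HTML 5 section 4.5` heading in the `@@ -1964,6 +1958,7 @@` hunk, but it is not an element defined by HTML 5, and the trailing `# T118520` tells a reader nothing without the tracker. Every entry in this list widens what the sanitizer lets through, so the comment should say that the tag is non-standard and receives only `$common`, e.g. `# Not an HTML 5 element (T118520); common attributes only`. The array this entry belongs to starts and ends outside the hunk.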