var $mTemplateIds = array();
- /** Initialized with a global value. Let us override it.
- * Should probably get deleted / rewritten ... */
- var $mAllowUserJs;
+ # What level of 'untrustworthiness' is allowed in CSS/JS modules loaded on this page?
+ # @see ResourceLoaderModule::$origin
+ # ResourceLoaderModule::ORIGIN_ALL is assumed unless overridden;
+ protected $mAllowedModules = array(
+ ResourceLoaderModule::TYPE_COMBINED => ResourceLoaderModule::ORIGIN_ALL,
+ );
/**
* @EasterEgg I just love the name for this self documenting variable.
'Cookie' => null
);
- /**
- * Constructor
- * Initialise private variables
- */
- function __construct() {
- global $wgAllowUserJs;
- $this->mAllowUserJs = $wgAllowUserJs;
- }
-
/**
* Redirect to $url rather than displaying the normal page
*
return $this->mScripts . $this->getHeadItems();
}
+ /**
+ * Filter an array of modules to remove insufficiently trustworthy members
+ * @param $modules Array
+ * @return Array
+ */
+ protected function filterModules( $modules, $type = ResourceLoaderModule::TYPE_COMBINED ){
+ $resourceLoader = $this->getResourceLoader();
+ $filteredModules = array();
+ foreach( $modules as $val ){
+ $module = $resourceLoader->getModule( $val );
+ if( $module->getOrigin() <= $this->getAllowedModules( $type ) ) {
+ $filteredModules[] = $val;
+ }
+ }
+ return $filteredModules;
+ }
+
/**
* Get the list of modules to include on this page
*
+ * @param $filter Bool whether to filter out insufficiently trustworthy modules
* @return Array of module names
*/
- public function getModules() {
- return array_values( array_unique( $this->mModules ) );
+ public function getModules( $filter = false, $param = 'mModules' ) {
+ $modules = array_values( array_unique( $this->$param ) );
+ return $filter
+ ? $this->filterModules( $modules )
+ : $modules;
}
/**
* Get the list of module JS to include on this page
* @return array of module names
*/
- public function getModuleScripts() {
- return array_values( array_unique( $this->mModuleScripts ) );
+ public function getModuleScripts( $filter = false ) {
+ return $this->getModules( $filter, 'mModuleScripts' );
}
/**
*
* @return Array of module names
*/
- public function getModuleStyles() {
- return array_values( array_unique( $this->mModuleStyles ) );
+ public function getModuleStyles( $filter = false ) {
+ return $this->getModules( $filter, 'mModuleStyles' );
}
/**
*
* @return Array of module names
*/
- public function getModuleMessages() {
- return array_values( array_unique( $this->mModuleMessages ) );
+ public function getModuleMessages( $filter = false ) {
+ return $this->getModules( $filter, 'mModuleMessages' );
}
/**
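Review bot: filterModules() dereferences the result of `$resourceLoader->getModule( $val )` on the `$module->getOrigin()` line without a null check; if getModule() can return null for a name that is not registered (its implementation is not in this hunk), an unknown module name becomes a fatal error instead of being dropped, so guard with `if ( $module && $module->getOrigin() <= $this->getAllowedModules( $type ) ) {`. The docblock documents only `$modules`; add `@param $type String ResourceLoaderModule TYPE_ constant` since it is part of the signature, and likewise document the new `$param` on getModules(). getModules() always calls `filterModules( $modules )` with the default TYPE_COMBINED, so `getModuleStyles( true )` and `getModuleMessages( true )` are restricted by the minimum across all types rather than by their own level; if that is intended, say so on the `@param $filter` line, otherwise pass the matching TYPE_ constant through. Hoisting `$this->getAllowedModules( $type )` out of the loop would also avoid recomputing the same value per module.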
}
/**
- * Remove user JavaScript from scripts to load
+ * Do not allow scripts which can be modified by wiki users to load on this page;
+ * only allow scripts bundled with, or generated by, the software.
*/
public function disallowUserJs() {
- $this->mAllowUserJs = false;
+ $this->reduceAllowedModules(
+ ResourceLoaderModule::TYPE_SCRIPTS,
+ ResourceLoaderModule::ORIGIN_CORE_INDIVIDUAL
+ );
}
/**
* Return whether user JavaScript is allowed for this page
- *
+ * @deprecated @since 1.18 Load modules with ResourceLoader, and origin and
+ * trustworthiness is identified and enforced automagically.
* @return Boolean
*/
public function isUserJsAllowed() {
- return $this->mAllowUserJs;
+ return $this->getAllowedModules( ResourceLoaderModule::TYPE_SCRIPTS ) >= ResourceLoaderModule::ORIGIN_USER_INDIVIDUAL;
+ }
+
+ /**
+ * Show what level of JavaScript / CSS untrustworthiness is allowed on this page
+ * @see ResourceLoaderModule::$origin
+ * @param $type String ResourceLoaderModule TYPE_ constant
+ * @return Int ResourceLoaderModule ORIGIN_ class constant
+ */
+ public function getAllowedModules( $type ){
+ if( $type == ResourceLoaderModule::TYPE_COMBINED ){
+ return min( array_values( $this->mAllowedModules ) );
+ } else {
+ return isset( $this->mAllowedModules[$type] )
+ ? $this->mAllowedModules[$type]
+ : ResourceLoaderModule::ORIGIN_ALL;
+ }
+ }
+
+ /**
+ * Set the highest level of CSS/JS untrustworthiness allowed
+ * @param $type String ResourceLoaderModule TYPE_ constant
+ * @param $level Int ResourceLoaderModule class constant
+ */
+ public function setAllowedModules( $type, $level ){
+ $this->mAllowedModules[$type] = $level;
+ }
+
+ /**
+ * As for setAllowedModules(), but don't inadvertantly make the page more accessible
+ * @param $type String
+ * @param $level Int ResourceLoaderModule class constant
+ */
+ public function reduceAllowedModules( $type, $level ){
+ $this->mAllowedModules[$type] = min( $this->getAllowedModules($type), $level );
}
/**
* TODO: Document
* @param $skin Skin
* @param $modules Array/string with the module name
- * @param $only string May be styles, messages or scripts
+ * @param $only String ResourceLoaderModule TYPE_ class constant
* @param $useESI boolean
* @return string html <script> and <style> tags
*/
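Review bot: getAllowedModules() falls back to ResourceLoaderModule::ORIGIN_ALL when no per-type entry exists, so a restriction applied through TYPE_COMBINED (for example `reduceAllowedModules( ResourceLoaderModule::TYPE_COMBINED, … )`) is invisible to callers asking for TYPE_SCRIPTS or TYPE_STYLES, which is how makeResourceLoaderLink() queries it. Falling back to the combined entry instead keeps the page-wide limit effective: replace `: ResourceLoaderModule::ORIGIN_ALL;` with `: $this->mAllowedModules[ResourceLoaderModule::TYPE_COMBINED];` (the initializer guarantees that key exists). setAllowedModules() is public and can raise a level back above what disallowUserJs() set; the reduceAllowedModules() docblock hints at this, but a sentence on setAllowedModules() stating that it may loosen the page's trust level, and who is expected to call it, would help, and "inadvertantly" should read "inadvertently". The `$type == ResourceLoaderModule::TYPE_COMBINED` comparison should be `===` to match the strict comparison used elsewhere in this file.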
$resourceLoader = $this->getResourceLoader();
foreach ( (array) $modules as $name ) {
$module = $resourceLoader->getModule( $name );
+ # Check that we're allowed to include this module on this page
+ if( ( $module->getOrigin() > $this->getAllowedModules( ResourceLoaderModule::TYPE_SCRIPTS )
+ && $only == ResourceLoaderModule::TYPE_SCRIPTS )
+ || ( $module->getOrigin() > $this->getAllowedModules( ResourceLoaderModule::TYPE_STYLES )
+ && $only == ResourceLoaderModule::TYPE_STYLES )
+ )
+ {
+ continue;
+ }
+
$group = $module->getGroup();
if ( !isset( $groups[$group] ) ) {
$groups[$group] = array();
}
$groups[$group][$name] = $module;
}
+
$links = '';
foreach ( $groups as $group => $modules ) {
$query['modules'] = implode( '|', array_keys( $modules ) );
// Support inlining of private modules if configured as such
if ( $group === 'private' && $wgResourceLoaderInlinePrivateModules ) {
$context = new ResourceLoaderContext( $resourceLoader, new FauxRequest( $query ) );
- if ( $only == 'styles' ) {
+ if ( $only == ResourceLoaderModule::TYPE_STYLES ) {
$links .= Html::inlineStyle(
$resourceLoader->makeModuleResponse( $context, $modules )
);
$url = wfAppendQuery( $wgLoadScript, $query );
if ( $useESI && $wgResourceLoaderUseESI ) {
$esi = Xml::element( 'esi:include', array( 'src' => $url ) );
- if ( $only == 'styles' ) {
+ if ( $only == ResourceLoaderModule::TYPE_STYLES ) {
$links .= Html::inlineStyle( $esi );
} else {
$links .= Html::inlineScript( $esi );
}
} else {
// Automatically select style/script elements
- if ( $only === 'styles' ) {
+ if ( $only === ResourceLoaderModule::TYPE_STYLES ) {
$links .= Html::linkedStyle( wfAppendQuery( $wgLoadScript, $query ) ) . "\n";
} else {
$links .= Html::linkedScript( wfAppendQuery( $wgLoadScript, $query ) ) . "\n";
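Review bot: The origin check added at the top of the module loop only handles `$only` equal to TYPE_SCRIPTS or TYPE_STYLES; a TYPE_MESSAGES request (which getHeadScripts() issues further down) is never compared against the page's allowed level, and any other `$only` value passes through unfiltered. Since getAllowedModules() already takes the type, one comparison covers every case: `if ( $module->getOrigin() > $this->getAllowedModules( $only ) ) { continue; }`. As in filterModules(), `$module` is used without a null check; if getModule() can return null for an unregistered name this should skip rather than fatal. The `$only == ResourceLoaderModule::TYPE_STYLES` comparisons in the private-module and ESI branches use `==` while the last one uses `===`; pick one. makeResourceLoaderLink()'s signature and the rest of its body lie outside this hunk.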
* @return String: HTML fragment
*/
function getHeadScripts( Skin $sk ) {
- global $wgUser, $wgRequest, $wgUseSiteJs;
+ global $wgUser, $wgRequest, $wgUseSiteJs, $wgAllowUserJs;
// Startup - this will immediately load jquery and mediawiki modules
- $scripts = $this->makeResourceLoaderLink( $sk, 'startup', 'scripts', true );
+ $scripts = $this->makeResourceLoaderLink( $sk, 'startup', ResourceLoaderModule::TYPE_SCRIPTS, true );
// Configuration -- This could be merged together with the load and go, but
// makeGlobalVariablesScript returns a whole script tag -- grumble grumble...
$scripts .= Skin::makeGlobalVariablesScript( $sk->getSkinName() ) . "\n";
// Script and Messages "only" requests
- $scripts .= $this->makeResourceLoaderLink( $sk, $this->getModuleScripts(), 'scripts' );
- $scripts .= $this->makeResourceLoaderLink( $sk, $this->getModuleMessages(), 'messages' );
+ $scripts .= $this->makeResourceLoaderLink( $sk, $this->getModuleScripts( true ), ResourceLoaderModule::TYPE_SCRIPTS );
+ $scripts .= $this->makeResourceLoaderLink( $sk, $this->getModuleMessages( true ), ResourceLoaderModule::TYPE_MESSAGES );
// Modules requests - let the client calculate dependencies and batch requests as it likes
- if ( $this->getModules() ) {
+ if ( $this->getModules( true ) ) {
$scripts .= Html::inlineScript(
ResourceLoader::makeLoaderConditionalScript(
- Xml::encodeJsCall( 'mediaWiki.loader.load', array( $this->getModules() ) ) .
+ Xml::encodeJsCall( 'mediaWiki.loader.load', array( $this->getModules( true ) ) ) .
Xml::encodeJsCall( 'mediaWiki.loader.go', array() )
)
) . "\n";
// Add site JS if enabled
if ( $wgUseSiteJs ) {
- $scripts .= $this->makeResourceLoaderLink( $sk, 'site', 'scripts' );
+ $scripts .= $this->makeResourceLoaderLink( $sk, 'site', ResourceLoaderModule::TYPE_SCRIPTS );
}
// Add user JS if enabled - trying to load user.options as a bundle if possible
$userOptionsAdded = false;
- if ( $this->isUserJsAllowed() && $wgUser->isLoggedIn() ) {
+ if ( $wgAllowUserJs && $wgUser->isLoggedIn() ) {
$action = $wgRequest->getVal( 'action', 'view' );
if( $this->mTitle && $this->mTitle->isJsSubpage() && $sk->userCanPreview( $action ) ) {
# XXX: additional security check/prompt?
$scripts .= Html::inlineScript( "\n" . $wgRequest->getText( 'wpTextbox1' ) . "\n" ) . "\n";
} else {
$scripts .= $this->makeResourceLoaderLink(
- $sk, array( 'user', 'user.options' ), 'scripts'
+ $sk, array( 'user', 'user.options' ), ResourceLoaderModule::TYPE_SCRIPTS
);
$userOptionsAdded = true;
}
}
if ( !$userOptionsAdded ) {
- $scripts .= $this->makeResourceLoaderLink( $sk, 'user.options', 'scripts' );
+ $scripts .= $this->makeResourceLoaderLink( $sk, 'user.options', ResourceLoaderModule::TYPE_SCRIPTS );
}
return $scripts;
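Review bot: Replacing `$this->isUserJsAllowed()` with `$wgAllowUserJs` in the user-JS condition removes the per-page check from the preview branch beneath it, which inlines `$wgRequest->getText( 'wpTextbox1' )` directly rather than going through makeResourceLoaderLink(); a page that called disallowUserJs() therefore still gets the previewed script inlined, while the `user`/`user.options` link on the other branch is filtered by origin. Keeping both conditions restores the previous behaviour: `if ( $wgAllowUserJs && $this->isUserJsAllowed() && $wgUser->isLoggedIn() ) {`, or compare the TYPE_SCRIPTS level against ORIGIN_USER_INDIVIDUAL directly since isUserJsAllowed() is deprecated by this same change. The `# XXX: additional security check/prompt?` comment above the inlined preview predates this change, but it now marks what appears to be the only path in this hunk where the page's trust level is not enforced by module origin, so it deserves a resolution or an explicit comment stating why the gate is intentionally global. getHeadScripts()'s closing brace lies outside this hunk.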
// dynamically added styles to override statically added styles from other modules. So the order
// has to be other, dynamic, site, user
// Add statically added styles for other modules
- $ret .= $this->makeResourceLoaderLink( $sk, $styles['other'], 'styles' );
+ $ret .= $this->makeResourceLoaderLink( $sk, $styles['other'], ResourceLoaderModule::TYPE_STYLES );
// Add normal styles added through addStyle()/addInlineStyle() here
$ret .= implode( "\n", $this->buildCssLinksArray() ) . $this->mInlineStyles;
// Add marker tag to mark the place where the client-side loader should inject dynamic styles
$ret .= Html::element( 'meta', array( 'name' => 'ResourceLoaderDynamicStyles', 'content' => '' ) );
// Add site and user styles
$ret .= $this->makeResourceLoaderLink(
- $sk, array_merge( $styles['site'], $styles['user'] ), 'styles'
+ $sk, array_merge( $styles['site'], $styles['user'] ), ResourceLoaderModule::TYPE_STYLES
);
return $ret;
}