From 2fcb5285c31edf8c5dd2f15fbe819d0dcd857893 Mon Sep 17 00:00:00 2001
From: Ilmari Karonen
Date: Tue, 18 Jan 2011 19:39:13 +0000
Subject: [PATCH] bug 26781: make wfEscapeWikiText() escape "*", "#", ";" and
":" at the beginning of the output and after line feeds. Also make escaping
of "{", "}" and "=" more thorough and rewrite to use strtr() instead of
str_replace() and htmlspecialchars().
---
RELEASE-NOTES | 1 +
includes/GlobalFunctions.php | 21 ++++++++++-----------
tests/parser/parserTests.txt | 22 ++++++++++++++++++++++
3 files changed, 33 insertions(+), 11 deletions(-)
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 423d0515a0..53c7df3b1b 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -98,6 +98,7 @@ it from source control: http://www.mediawiki.org/wiki/Download_from_SVN
* (bug 26449) Keep underlines from headings outside of tables and thumbs by
adding overflow:hidden to h1,h2,h3,h4,h5,h6 (also fixes editsection bunching).
* (bug 26708) Remove background-color:white from tables in Monobook and Vector.
+* (bug 26781) {{PAGENAME}} and related parser functions escape their output better
=== API changes in 1.18 ===
* (bug 26339) Throw warning when truncating an overlarge API result
diff --git a/includes/GlobalFunctions.php b/includes/GlobalFunctions.php
index d6d6a16765..8ad029ba6f 100644
--- a/includes/GlobalFunctions.php
+++ b/includes/GlobalFunctions.php
@@ -1149,21 +1149,20 @@ function wfCheckLimits( $deflimit = 50, $optionname = 'rclimit' ) {
* Escapes the given text so that it may be output using addWikiText()
* without any linking, formatting, etc. making its way through. This
* is achieved by substituting certain characters with HTML entities.
- * As required by the callers, is not used. It currently does
- * not filter out characters which have special meaning only at the
- * start of a line, such as "*".
+ * As required by the callers, is not used.
*
* @param $text String: text to be escaped
*/
function wfEscapeWikiText( $text ) {
- $text = str_replace(
- array( '[', '|', ']', '\'', 'ISBN ',
- 'RFC ', '://', "\n=", '{{', '}}' ),
- array( '[', '|', ']', ''', 'ISBN ',
- 'RFC ', '://', "\n=", '{{', '}}' ),
- htmlspecialchars( $text )
- );
- return $text;
+ $text = strtr( "\n$text", array(
+ '"' => '"', '&' => '&', "'" => ''', '<' => '<',
+ '=' => '=', '>' => '>', '[' => '[', ']' => ']',
+ '{' => '{', '|' => '|', '}' => '}',
+ "\n#" => "\n#", "\n*" => "\n*",
+ "\n:" => "\n:", "\n;" => "\n;",
+ '://' => '://', 'ISBN ' => 'ISBN ', 'RFC ' => 'RFC ',
+ ) );
+ return substr( $text, 1 );
}
/**
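Review bot: The line-start entries in the new `strtr()` table cover `*`, `#`, `;` and `:`, but not a leading space or tab (which starts a preformatted block) or `----` (horizontal rule), so escaped text can still pick up block formatting. The magic-link entries likewise cover `ISBN ` and `RFC ` but not `PMID `, which the parser also auto-links as far as I know. Consider adding entries such as `"\n " => "\n&#32;"`, `"\n----" => "\n&#45;---"` and `'PMID ' => 'PMID&#32;'`. The `"\n$text"` prefix combined with `substr( $text, 1 )` is only correct while every `"\n…"` replacement value itself begins with a literal newline; a short comment such as `// Prepend "\n" so line-start rules also match at offset 0; every "\n…" value must keep its leading "\n"` would protect later edits to the table. The replacement values appear on this page with their entities already decoded, so the values themselves could not be checked here.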
diff --git a/tests/parser/parserTests.txt b/tests/parser/parserTests.txt
index 5736d8cbe3..08d83af601 100644
--- a/tests/parser/parserTests.txt
+++ b/tests/parser/parserTests.txt
@@ -2226,6 +2226,28 @@ title=[[User:Ãvar Arnfjörð Bjarmason]]
!! end
+!! test
+Magic Word: {{PAGENAME}} with metacharacters
+!! options
+title=[['foo & bar = baz']]
+!! input
+''{{PAGENAME}}''
+!! result
+'foo & bar = baz'
+
+!! end
+
+!! test
+Magic Word: {{PAGENAME}} with metacharacters (bug 26781)
+!! options
+title=[[*RFC 1234 http://example.com/]]
+!! input
+{{PAGENAME}}
+!! result
+*RFC 1234 http://example.com/
+
+!! end
+
!! test
Magic Word: {{PAGENAMEE}}
!! options
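Review bot: The two added cases exercise only `*` at the start of the output, so the other line-start characters the commit message says are now escaped (`#`, `;`, `:`) and the after-line-feed path have no regression test. A third case following the same pattern with a leading `;`, e.g. `title=[[;foo]]`, would cover one more of them, assuming the title syntax accepts it. The characters that cannot appear at the start of a title, and the embedded-newline path, probably need a test that reaches wfEscapeWikiText() through something other than `{{PAGENAME}}`. The more thorough `{` / `}` escaping mentioned in the description is also untested in this hunk.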
--
2.20.1