We have a utility function for this, so let's use it.
What I don't understand though is why Sanitizer uses custom PHP implementations
for both tag stripping and entity decoding, instead of the built-in functions.
If there's a security reason for this or the built-ins are inadequate, that's
fine, but then that should be documented (and we should possibly ban usage
of the built-ins).
Change-Id: I2ba2ecd388cb3d9cd2360ecaa236f3d444f0eabf
$ret = preg_replace( '!</?(var|kbd|samp|code)>!', '"', $text );
// Strip tags and decode.
$ret = preg_replace( '!</?(var|kbd|samp|code)>!', '"', $text );
// Strip tags and decode.
- $ret = html_entity_decode( strip_tags( $ret ), ENT_QUOTES | ENT_HTML5 );
+ $ret = Sanitizer::stripAllTags( $ret );
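Review bot: The comment `// Strip tags and decode.` on the line above now describes a single helper call, and the entity decoding that the removed `html_entity_decode( ..., ENT_QUOTES | ENT_HTML5 )` did explicitly is no longer visible at the call site; whether `Sanitizer::stripAllTags()` decodes character references, and against which entity table, is not shown in this change. Reword the comment so the dependency is explicit, e.g. `// Strip tags; Sanitizer::stripAllTags() also decodes character references.`, and if the helper does not decode, these three sites silently lose decoding. The same applies to the second hunk (the `$msg` replacement ending at the `parent::__construct` call) and to the `return Sanitizer::stripAllTags( $text );` hunk. The enclosing functions start and end outside these hunks.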
// customizations, and make a basic attempt to turn markup into text.
$msg = $this->getMessageObject()->inLanguage( 'en' )->useDatabase( false )->text();
$msg = preg_replace( '!</?(var|kbd|samp|code)>!', '"', $msg );
// customizations, and make a basic attempt to turn markup into text.
$msg = $this->getMessageObject()->inLanguage( 'en' )->useDatabase( false )->text();
$msg = preg_replace( '!</?(var|kbd|samp|code)>!', '"', $msg );
- $msg = html_entity_decode( strip_tags( $msg ), ENT_QUOTES | ENT_HTML5 );
+ $msg = Sanitizer::stripAllTags( $msg );
parent::__construct( $msg, $code, $previous );
}
parent::__construct( $msg, $code, $previous );
}
$text = preg_replace( '/<a href="(.*?)".*?>(.*?)<\/a>/', '$2 <$1>', $text );
$text = preg_replace( '/<a href="(.*?)".*?>(.*?)<\/a>/', '$2 <$1>', $text );
- return html_entity_decode( strip_tags( $text ), ENT_QUOTES );
+ return Sanitizer::stripAllTags( $text );
* @return Array Tag data
*/
protected function buildChangeTagList() {
* @return Array Tag data
*/
protected function buildChangeTagList() {
- function stripAllHtml( $input ) {
- return trim( html_entity_decode( strip_tags( $input ) ) );
- }
-
$explicitlyDefinedTags = array_fill_keys( ChangeTags::listExplicitlyDefinedTags(), 0 );
$softwareActivatedTags = array_fill_keys( ChangeTags::listSoftwareActivatedTags(), 0 );
$tagStats = ChangeTags::tagUsageStatistics();
$explicitlyDefinedTags = array_fill_keys( ChangeTags::listExplicitlyDefinedTags(), 0 );
$softwareActivatedTags = array_fill_keys( ChangeTags::listSoftwareActivatedTags(), 0 );
$tagStats = ChangeTags::tagUsageStatistics();
$result[] = [
'name' => $tagName,
$result[] = [
'name' => $tagName,
- 'label' => stripAllHtml( ChangeTags::tagDescription( $tagName, $this->getContext() ) ),
- 'description' => $desc ? stripAllHtml( $desc->parse() ) : '',
+ 'label' => Sanitizer::stripAllTags(
+ ChangeTags::tagDescription( $tagName, $this->getContext() )
+ ),
+ 'description' => $desc ? Sanitizer::stripAllTags( $desc->parse() ) : '',
'cssClass' => Sanitizer::escapeClass( 'mw-tag-' . $tagName ),
'hits' => $hits,
];
'cssClass' => Sanitizer::escapeClass( 'mw-tag-' . $tagName ),
'hits' => $hits,
];
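Review bot: The removed local helper `stripAllHtml()` applied `trim()` to its result, but the replacement `'label'`/`'description'` entries call `Sanitizer::stripAllTags()` directly with no trim; whether the helper normalizes or trims surrounding whitespace is not visible here, so these values may now carry leading/trailing whitespace into the tag list. If `stripAllTags()` does not trim, restore it at the two call sites: `'label' => trim( Sanitizer::stripAllTags( ChangeTags::tagDescription( $tagName, $this->getContext() ) ) ),` and `'description' => $desc ? trim( Sanitizer::stripAllTags( $desc->parse() ) ) : '',`. The body of `buildChangeTagList()` continues outside the hunk.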