* escaped!
* @return string Raw HTML
*/
- public static function element( $element, $attribs = array(), $contents = '' ) {
+ public static function rawElement( $element, $attribs = array(), $contents = '' ) {
global $wgWellFormedXml;
$element = strtolower( $element );
$start = "<$element" . self::expandAttributes( $attribs );
}
}
+ /**
+ * Identical to rawElement(), but HTML-escapes $contents.
+ */
+ public static function element( $element, $attribs = array(), $contents = '' ) {
+ return self::rawElement( $element, $attribs, htmlspecialchars( $contents ) );
+ }
+
/**
* Given an associative array of element attributes, generate a string
* to stick after the element name in HTML output. Like array( 'href' =>
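Review bot: The new element() at the end of the hunk escapes $contents with htmlspecialchars() but its docblock says nothing about what callers may pass, and after the rename any caller that handed element() pre-escaped or raw HTML and relied on it going through untouched will now see it double-escaped and rendered literally. I would spell the contract out instead of leaving it implicit: `* Identical to rawElement(), but HTML-escapes $contents: pass plain text here, never pre-escaped or raw HTML, and never use it for script or style contents, where entity escaping is the wrong encoding.` together with `@param $contents string Plain text; will be HTML-escaped` and `@return string Raw HTML` lines matching the rawElement() docblock. htmlspecialchars() is called with default flags, which is adequate for element text content (quotes are not special there), but its default charset and its handling of invalid UTF-8 differ between PHP versions, so that is worth confirming against the versions the project supports. Attribute values are not touched by this wrapper; whatever escaping they receive comes from expandAttributes(), whose body is outside this hunk.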
* escaping as well, like if $contents contains literal '</script>' or (for
* XML) literal "]]>".
*
+ * Note that $contents will not be escaped, since JS may legitimately
+ * contain unescaped characters like "<". Make sure you don't output
+ * untrusted user input here!
+ *
* @param $contents string JavaScript
* @return string Raw HTML
*/
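Review bot: The added note warns only that $contents is not escaped and may contain "<", but the string that actually matters for this element is `</script`, which the TODO two lines above already names and which terminates the script element in an HTML parser regardless of the CDATA comment wrapper added further down in the function. Since $contents is still interpolated verbatim, I would have the comment say that directly: `* Even non-user data must never contain the literal string "</script": the HTML parser ends the element there whatever surrounds it, so JSON-encode embedded values with "<", ">" and "/" escaped instead of interpolating them.` The function this docblock describes starts after the hunk, so its signature and body are not visible here.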
$attrs['type'] = $wgJsMimeType;
$contents = "/*<![CDATA[*/$contents/*]]>*/";
}
- return self::element( 'script', $attrs, $contents );
+ return self::rawElement( 'script', $attrs, $contents );
}
/**
* (if any). TODO: do some useful escaping as well, like if $contents
* contains literal '</style>' (admittedly unlikely).
*
+ * Note that $contents will not be escaped, since CSS may legitimately
+ * contain unescaped characters like "<". Make sure you don't output
+ * untrusted user input here!
+ *
* @param $contents string CSS
* @param $media mixed A media type string, like 'screen', or null for all
* media
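Review bot: The added note focuses on "<", but for a style element the breakout string is `</style`, which the TODO just above calls unlikely yet still leaves unhandled, and untrusted CSS is a problem even without it because some browsers have historically executed script from CSS constructs (e.g. IE's expression() and behavior:). I would broaden the warning accordingly: `* Never pass user-controlled CSS here: "</style" ends the element in an HTML parser, and CSS itself has carried script in some browsers (expression(), behavior:), so no escaping of $contents can make it safe.` The function this docblock belongs to begins after the hunk; its body is not visible here.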
if ( $media !== null ) {
$attrs['media'] = $media;
}
- return self::element( 'style', $attrs, $contents );
+ return self::rawElement( 'style', $attrs, $contents );
}
/**