* @since 1.16
*/
class Html {
- // List of void elements from HTML5, section 8.1.2 as of 2011-08-12
+ // List of void elements from HTML5, section 8.1.2 as of 2016-09-19
private static $voidElements = [
'area',
'base',
'br',
'col',
- 'command',
'embed',
'hr',
'img',
'height' => '150',
'width' => '300',
],
- 'command' => [ 'type' => 'command' ],
'form' => [
'action' => 'GET',
'autocomplete' => 'on',
* @return string Raw HTML
*/
public static function inlineStyle( $contents, $media = 'all' ) {
+ // Don't escape '>' since that is used
+ // as direct child selector.
+ // Remember, in css, there is no "x" for hexadecimal escapes, and
+ // the space immediately after an escape sequence is swallowed.
+ $contents = strtr( $contents, [
+ '<' => '\3C ',
+ // CDATA end tag for good measure, but the main security
+ // is from escaping the '<'.
+ ']]>' => '\5D\5D\3E '
+ ] );
+
if ( preg_match( '/[<&]/', $contents ) ) {
$contents = "/*<![CDATA[*/$contents/*]]>*/";
}
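Review bot: After the added `strtr()` call no literal `<` can remain in `$contents`, so the `<` alternative in the following `preg_match( '/[<&]/', $contents )` is dead and only `&` still triggers the CDATA wrapper; either narrow the check to `'/&/'` or add a comment such as `// '<' is already escaped above; only '&' can still match`. The docblock, which starts outside the hunk, should also state that `$contents` is rewritten (`<` becomes `\3C `, `]]>` becomes `\5D\5D\3E `) so the CSS cannot close the `<style>` element, since callers now get back different text than they passed in. If the change carries no regression test elsewhere, one asserting that an input containing `</style>` yields output with no raw `<` originating from the contents would pin the fix. The body of inlineStyle continues past the last visible line.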