* @package MediaWiki
*/
+require_once( 'Sanitizer.php' );
+
/**
* Update this version number when the ParserOutput format
* changes in an incompatible way, so the parser cache
function clearState() {
$this->mOutput = new ParserOutput;
$this->mAutonumber = 0;
- $this->mLastSection = "";
+ $this->mLastSection = '';
$this->mDTopen = false;
$this->mVariables = false;
$this->mIncludeCount = array();
* to internalParse() which does all the real work.
*
* @access private
+ * @param string $text Text we want to parse
+ * @param Title &$title A title object
+ * @param array $options
+ * @param boolean $linestart
+ * @param boolean $clearState
* @return ParserOutput a ParserOutput
*/
function parse( $text, &$title, $options, $linestart = true, $clearState = true ) {
# only if there is something before the space
'/(.) (?=\\?|:|;|!|\\302\\273)/i' => '\\1 \\2',
# french spaces, Guillemet-right
- "/(\\302\\253) /i"=>"\\1 ",
+ '/(\\302\\253) /i' => '\\1 ',
'/<hr *>/i' => '<hr />',
'/<br *>/i' => '<br />',
'/<center *>/i' => '<div class="center">',
return $rnd;
}
- /**
- * Return allowed HTML attributes
- *
- * @access private
- */
- function getHTMLattrs () {
- $htmlattrs = array( # Allowed attributes--no scripting, etc.
- 'title', 'align', 'lang', 'dir', 'width', 'height',
- 'bgcolor', 'clear', /* BR */ 'noshade', /* HR */
- 'cite', /* BLOCKQUOTE, Q */ 'size', 'face', 'color',
- /* FONT */ 'type', 'start', 'value', 'compact',
- /* For various lists, mostly deprecated but safe */
- 'summary', 'width', 'border', 'frame', 'rules',
- 'cellspacing', 'cellpadding', 'valign', 'char',
- 'charoff', 'colgroup', 'col', 'span', 'abbr', 'axis',
- 'headers', 'scope', 'rowspan', 'colspan', /* Tables */
- 'id', 'class', 'name', 'style' /* For CSS */
- );
- return $htmlattrs ;
- }
-
- /**
- * Remove non approved attributes and javascript in css
- *
- * @access private
- */
- function fixTagAttributes ( $t ) {
- if ( trim ( $t ) == '' ) return '' ; # Saves runtime ;-)
- $htmlattrs = $this->getHTMLattrs() ;
-
- # Strip non-approved attributes from the tag
- $t = preg_replace(
- '/(\\w+)(\\s*=\\s*([^\\s\">]+|\"[^\">]*\"))?/e',
- "(in_array(strtolower(\"\$1\"),\$htmlattrs)?(\"\$1\".((\"x\$3\" != \"x\")?\"=\$3\":'')):'')",
- $t);
-
- $t = str_replace ( '<></>' , '' , $t ) ; # This should fix bug 980557
-
- # Strip javascript "expression" from stylesheets. Brute force approach:
- # If anythin offensive is found, all attributes of the HTML tag are dropped
-
- if( preg_match(
- '/style\\s*=.*(expression|tps*:\/\/|url\\s*\().*/is',
- wfMungeToUtf8( $t ) ) )
- {
- $t='';
- }
-
- return trim ( $t ) ;
- }
-
/**
* interface with html tidy, used if $wgUseTidy = true
*
$indent_level = strlen( $matches[1] );
$t[$k] = "\n" .
str_repeat( '<dl><dd>', $indent_level ) .
- '<table ' . $this->fixTagAttributes ( $matches[2] ) . '>' ;
+ '<table' . Sanitizer::fixTagAttributes ( $matches[2], 'table' ) . '>' ;
array_push ( $td , false ) ;
array_push ( $ltd , '' ) ;
array_push ( $tr , false ) ;
array_push ( $tr , false ) ;
array_push ( $td , false ) ;
array_push ( $ltd , '' ) ;
- array_push ( $ltr , $this->fixTagAttributes ( $x ) ) ;
+ array_push ( $ltr , Sanitizer::fixTagAttributes ( $x, 'tr' ) ) ;
}
else if ( '|' == $fc || '!' == $fc || '|+' == substr ( $x , 0 , 2 ) ) { # Caption
# $x is a table row
if ( $fc != '+' )
{
$tra = array_pop ( $ltr ) ;
- if ( !array_pop ( $tr ) ) $z = '<tr '.$tra.">\n" ;
+ if ( !array_pop ( $tr ) ) $z = '<tr'.$tra.">\n" ;
array_push ( $tr , true ) ;
array_push ( $ltr , '' ) ;
}
}
if ( count ( $y ) == 1 )
$y = "{$z}<{$l}>{$y[0]}" ;
- else $y = $y = "{$z}<{$l} ".$this->fixTagAttributes($y[0]).">{$y[1]}" ;
+ else $y = $y = "{$z}<{$l}".Sanitizer::fixTagAttributes($y[0], $l).">{$y[1]}" ;
$t[$k] .= $y ;
array_push ( $td , true ) ;
}
}
$t = implode ( "\n" , $t ) ;
- # $t = $this->removeHTMLtags( $t );
+ # $t = Sanitizer::removeHTMLtags( $t );
wfProfileOut( $fname );
return $t ;
}
$fname = 'Parser::internalParse';
wfProfileIn( $fname );
- $text = $this->removeHTMLtags( $text );
+ $text = Sanitizer::removeHTMLtags( $text );
$text = $this->replaceVariables( $text, $args );
$text = preg_replace( '/(^|\n)-----*/', '\\1<hr />', $text );
}
}
+ # Replace & from obsolete syntax with &.
+ # All HTML entities will be escaped by makeExternalLink()
+ # or maybeMakeImageLink()
+ $url = str_replace( '&', '&', $url );
+
# Process the trail (i.e. everything after this link up until start of the next link),
# replacing any non-bracketed links
$trail = $this->replaceFreeExternalLinks( $trail );
*
* @access private
*/
-
function replaceInternalLinks( $s ) {
global $wgLang, $wgContLang, $wgLinkCache;
global $wgDisableLangConversion;
$text = $this->replaceExternalLinks($text);
$text = $this->replaceInternalLinks($text);
- # replace the image with a link-holder so that replaceExternalLinks() can't mess with it
- $s .= $prefix . $this->insertStripItem( $sk->makeImageLinkObj( $nt, $text ), $this->mStripState ) . $trail;
+ # cloak any absolute URLs inside the image markup, so replaceExternalLinks() won't touch them
+ $s .= $prefix . str_replace('http://', 'http-noparse://', $sk->makeImageLinkObj( $nt, $text ) ) . $trail;
$wgLinkCache->addImageLinkObj( $nt );
wfProfileOut( "$fname-image" );
}
# Template cache array insertion
- $this->mTemplates[$part1] = $text;
+ if( $found ) {
+ $this->mTemplates[$part1] = $text;
+ }
}
}
$this->mTemplatePath[$part1] = 1;
$text = $this->strip( $text, $this->mStripState );
- $text = $this->removeHTMLtags( $text );
+ $text = Sanitizer::removeHTMLtags( $text );
$text = $this->replaceVariables( $text, $assocArgs );
# Resume the link cache and register the inclusion as a link
}
}
-
- /**
- * Cleans up HTML, removes dangerous tags and attributes, and
- * removes HTML comments
- * @access private
- */
- function removeHTMLtags( $text ) {
- global $wgUseTidy, $wgUserHtml;
- $fname = 'Parser::removeHTMLtags';
- wfProfileIn( $fname );
-
- if( $wgUserHtml ) {
- $htmlpairs = array( # Tags that must be closed
- 'b', 'del', 'i', 'ins', 'u', 'font', 'big', 'small', 'sub', 'sup', 'h1',
- 'h2', 'h3', 'h4', 'h5', 'h6', 'cite', 'code', 'em', 's',
- 'strike', 'strong', 'tt', 'var', 'div', 'center',
- 'blockquote', 'ol', 'ul', 'dl', 'table', 'caption', 'pre',
- 'ruby', 'rt' , 'rb' , 'rp', 'p', 'span'
- );
- $htmlsingle = array(
- 'br', 'hr', 'li', 'dt', 'dd'
- );
- $htmlnest = array( # Tags that can be nested--??
- 'table', 'tr', 'td', 'th', 'div', 'blockquote', 'ol', 'ul',
- 'dl', 'font', 'big', 'small', 'sub', 'sup', 'span'
- );
- $tabletags = array( # Can only appear inside table
- 'td', 'th', 'tr'
- );
- } else {
- $htmlpairs = array();
- $htmlsingle = array();
- $htmlnest = array();
- $tabletags = array();
- }
-
- $htmlsingle = array_merge( $tabletags, $htmlsingle );
- $htmlelements = array_merge( $htmlsingle, $htmlpairs );
-
- $htmlattrs = $this->getHTMLattrs () ;
-
- # Remove HTML comments
- $text = $this->removeHTMLcomments( $text );
-
- $bits = explode( '<', $text );
- $text = array_shift( $bits );
- if(!$wgUseTidy) {
- $tagstack = array(); $tablestack = array();
- foreach ( $bits as $x ) {
- $prev = error_reporting( E_ALL & ~( E_NOTICE | E_WARNING ) );
- preg_match( '/^(\\/?)(\\w+)([^>]*)(\\/{0,1}>)([^<]*)$/',
- $x, $regs );
- list( $qbar, $slash, $t, $params, $brace, $rest ) = $regs;
- error_reporting( $prev );
-
- $badtag = 0 ;
- if ( in_array( $t = strtolower( $t ), $htmlelements ) ) {
- # Check our stack
- if ( $slash ) {
- # Closing a tag...
- if ( ! in_array( $t, $htmlsingle ) &&
- ( $ot = @array_pop( $tagstack ) ) != $t ) {
- @array_push( $tagstack, $ot );
- $badtag = 1;
- } else {
- if ( $t == 'table' ) {
- $tagstack = array_pop( $tablestack );
- }
- $newparams = '';
- }
- } else {
- # Keep track for later
- if ( in_array( $t, $tabletags ) &&
- ! in_array( 'table', $tagstack ) ) {
- $badtag = 1;
- } else if ( in_array( $t, $tagstack ) &&
- ! in_array ( $t , $htmlnest ) ) {
- $badtag = 1 ;
- } else if ( ! in_array( $t, $htmlsingle ) ) {
- if ( $t == 'table' ) {
- array_push( $tablestack, $tagstack );
- $tagstack = array();
- }
- array_push( $tagstack, $t );
- }
- # Strip non-approved attributes from the tag
- $newparams = $this->fixTagAttributes($params);
-
- }
- if ( ! $badtag ) {
- $rest = str_replace( '>', '>', $rest );
- $text .= "<$slash$t $newparams$brace$rest";
- continue;
- }
- }
- $text .= '<' . str_replace( '>', '>', $x);
- }
- # Close off any remaining tags
- while ( is_array( $tagstack ) && ($t = array_pop( $tagstack )) ) {
- $text .= "</$t>\n";
- if ( $t == 'table' ) { $tagstack = array_pop( $tablestack ); }
- }
- } else {
- # this might be possible using tidy itself
- foreach ( $bits as $x ) {
- preg_match( '/^(\\/?)(\\w+)([^>]*)(\\/{0,1}>)([^<]*)$/',
- $x, $regs );
- @list( $qbar, $slash, $t, $params, $brace, $rest ) = $regs;
- if ( in_array( $t = strtolower( $t ), $htmlelements ) ) {
- $newparams = $this->fixTagAttributes($params);
- $rest = str_replace( '>', '>', $rest );
- $text .= "<$slash$t $newparams$brace$rest";
- } else {
- $text .= '<' . str_replace( '>', '>', $x);
- }
- }
- }
- wfProfileOut( $fname );
- return $text;
- }
-
- /**
- * Remove '<!--', '-->', and everything between.
- * To avoid leaving blank lines, when a comment is both preceded
- * and followed by a newline (ignoring spaces), trim leading and
- * trailing spaces and one of the newlines.
- *
- * @access private
- */
- function removeHTMLcomments( $text ) {
- $fname='Parser::removeHTMLcomments';
- wfProfileIn( $fname );
- while (($start = strpos($text, '<!--')) !== false) {
- $end = strpos($text, '-->', $start + 4);
- if ($end === false) {
- # Unterminated comment; bail out
- break;
- }
-
- $end += 3;
-
- # Trim space and newline if the comment is both
- # preceded and followed by a newline
- $spaceStart = max($start - 1, 0);
- $spaceLen = $end - $spaceStart;
- while (substr($text, $spaceStart, 1) === ' ' && $spaceStart > 0) {
- $spaceStart--;
- $spaceLen++;
- }
- while (substr($text, $spaceStart + $spaceLen, 1) === ' ')
- $spaceLen++;
- if (substr($text, $spaceStart, 1) === "\n" and substr($text, $spaceStart + $spaceLen, 1) === "\n") {
- # Remove the comment, leading and trailing
- # spaces, and leave only one newline.
- $text = substr_replace($text, "\n", $spaceStart, $spaceLen + 1);
- }
- else {
- # Remove just the comment.
- $text = substr_replace($text, '', $start, $end - $start);
- }
- }
- wfProfileOut( $fname );
- return $text;
- }
-
/**
* This function accomplishes several tasks:
* 1) Auto-number headings if that option is enabled
*
* It loops through all headlines, collects the necessary data, then splits up the
* string and re-inserts the newly formatted headlines.
+ *
+ * @param string $text
+ * @param boolean $isMain
* @access private
*/
- /* private */ function formatHeadings( $text, $isMain=true ) {
- global $wgInputEncoding, $wgMaxTocLevel, $wgContLang, $wgLinkHolders;
+ function formatHeadings( $text, $isMain=true ) {
+ global $wgInputEncoding, $wgMaxTocLevel, $wgContLang, $wgLinkHolders, $wgInterwikiLinkHolders;
$doNumberHeadings = $this->mOptions->getNumberHeadings();
$doShowToc = $this->mOptions->getShowToc();
$canonized_headline = preg_replace( '/<!--LINK ([0-9]*)-->/e',
"\$wgLinkHolders['texts'][\$1]",
$canonized_headline );
+ $canonized_headline = preg_replace( '/<!--IWLINK ([0-9]*)-->/e',
+ "\$wgInterwikiLinkHolders[\$1]",
+ $canonized_headline );
# strip out HTML
$canonized_headline = preg_replace( '/<.*?' . '>/','',$canonized_headline );
function setSkin( &$x ) { $this->mSkin =& $x; }
- # Get parser options
- /* static */ function newFromUser( &$user ) {
+ /**
+ * Get parser options
+ * @static
+ */
+ function newFromUser( &$user ) {
$popts = new ParserOptions;
$popts->initialiseFromUser( $user );
return $popts;
}
- # Get user options
+ /** Get user options */
function initialiseFromUser( &$userInput ) {
global $wgUseTeX, $wgUseDynamicDates, $wgInterwikiMagic, $wgAllowExternalImages;
$fname = 'ParserOptions::initialiseFromUser';
$this->mShowToc = $user->getOption( 'showtoc' );
wfProfileOut( $fname );
}
-
-
}
/**
}
}
+/**
+ * Escape html tags
+ * Basicly replacing " > and < with HTML entities ( ", >, <)
+ *
+ * @param string $in Text that might contain HTML tags
+ * @return string Escaped string
+ */
function wfEscapeHTMLTagsOnly( $in ) {
return str_replace(
array( '"', '>', '<' ),