$attribs = array();
foreach( $stripped as $attribute => $value ) {
$encAttribute = htmlspecialchars( $attribute );
-
- $encValue = htmlspecialchars( $value );
- # Templates and links may be expanded in later parsing,
- # creating invalid or dangerous output. Suppress this.
- $encValue = strtr( $encValue, array(
- '<' => '<', // This should never happen,
- '>' => '>', // we've received invalid input
- '"' => '"', // which should have been escaped.
- '{' => '{',
- '[' => '[',
- "''" => '''',
- 'ISBN' => 'ISBN',
- 'RFC' => 'RFC',
- 'PMID' => 'PMID',
- '|' => '|',
- '__' => '__',
- ) );
-
- # Stupid hack
- $encValue = preg_replace_callback(
- '/(' . wfUrlProtocols() . ')/',
- array( 'Sanitizer', 'armorLinksCallback' ),
- $encValue );
+ $encValue = Sanitizer::safeEncodeAttribute( $value );
$attribs[] = "$encAttribute=\"$encValue\"";
}
return count( $attribs ) ? ' ' . implode( ' ', $attribs ) : '';
}
+ /**
+ * Encode an attribute value for HTML output.
+ * @param $text
+ * @return HTML-encoded text fragment
+ */
+ function encodeAttribute( $text ) {
+ $encValue = htmlspecialchars( $text );
+
+ // Whitespace is normalized during attribute decoding,
+ // so if we've been passed non-spaces we must encode them
+ // ahead of time or they won't be preserved.
+ $encValue = strtr( $encValue, array(
+ "\n" => ' ',
+ "\r" => ' ',
+ "\t" => '	',
+ ) );
+
+ return $encValue;
+ }
+
+ /**
+ * Encode an attribute value for HTML tags, with extra armoring
+ * against further wiki processing.
+ * @param $text
+ * @return HTML-encoded text fragment
+ */
+ function safeEncodeAttribute( $text ) {
+ $encValue = Sanitizer::encodeAttribute( $text );
+
+ # Templates and links may be expanded in later parsing,
+ # creating invalid or dangerous output. Suppress this.
+ $encValue = strtr( $encValue, array(
+ '<' => '<', // This should never happen,
+ '>' => '>', // we've received invalid input
+ '"' => '"', // which should have been escaped.
+ '{' => '{',
+ '[' => '[',
+ "''" => '''',
+ 'ISBN' => 'ISBN',
+ 'RFC' => 'RFC',
+ 'PMID' => 'PMID',
+ '|' => '|',
+ '__' => '__',
+ ) );
+
+ # Stupid hack
+ $encValue = preg_replace_callback(
+ '/(' . wfUrlProtocols() . ')/',
+ array( 'Sanitizer', 'armorLinksCallback' ),
+ $encValue );
+ return $encValue;
+ }
+
/**
* Given a value escape it so that it can be used in an id attribute and
* return it, this does not validate the value however (see first link)
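Review bot: The new encodeAttribute() (L37-L50) calls htmlspecialchars() with no flags, so unless the default flags on this PHP version include ENT_QUOTES a single quote in $text passes through unencoded; that is safe for the double-quoted `$encAttribute=\"$encValue\"` output built on L28, but the method is public and its docblock does not say the result is only safe inside a double-quoted attribute. I would state the contract: `@param string $text Raw attribute value` and `@return string Value safe inside a double-quoted HTML attribute; single quotes are not encoded`, and give safeEncodeAttribute() the same `@param string`/`@return string` typing, since its current `@return HTML-encoded text fragment` reads as a type name. The strtr() table on L43-L47 that pre-encodes newline, carriage return and tab is the actual fix for the attribute-whitespace problem, so a one-line why-comment naming the bug next to it (`// bug 6255: keep newlines/tabs that would otherwise be collapsed on decode`) would save the next reader a trip to the tracker. Whether the caller on L27 is the only user of the armored form is not visible here.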
foreach( $pairs as $set ) {
$attribute = strtolower( $set[1] );
$value = Sanitizer::getTagAttributeCallback( $set );
+
+ // Normalize whitespace
+ $value = preg_replace( '/[\t\r\n ]+/', ' ', $value );
+ $value = trim( $value );
+
+ // Decode character references
$attribs[$attribute] = Sanitizer::decodeCharReferences( $value );
}
return $attribs;
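Review bot: The whitespace normalization added on L93-L94 runs before decodeCharReferences() on L97, which is what lets a character-reference-encoded newline or tab survive decoding, but the comment `// Normalize whitespace` does not record that the ordering is deliberate, so a later refactor that swaps the two steps would silently regress it. I would write `// Normalize whitespace BEFORE decoding character references, so that encoded newlines/tabs (as emitted by encodeAttribute) are preserved`. Separately, trim() with its default character list also strips NUL and vertical tab at the ends while the class `[\t\r\n ]` leaves them alone in the interior; `$value = trim( $value, " \t\r\n" );` makes the two agree, if that asymmetry is not intended. The enclosing function starts before this hunk.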
!! input
{{div style|" ><script>alert(document.cookie)</script>}}
!! result
-<div style="float: right; ">Magic div</div>
+<div style="float: right;">Magic div</div>
!! end
!! end
+
+!! article
+Template:Identity
+!! text
+{{{1}}}
+!! endarticle
+
+!! test
+Expansion of multi-line templates in attribute values (bug 6255)
+!! input
+<div style="background: {{identity|#00FF00}}">-</div>
+!! result
+<div style="background: #00FF00">-</div>
+
+!! end
+
+
+!! test
+Expansion of multi-line templates in attribute values (bug 6255 sanity check)
+!! input
+<div style="background:
+#00FF00">-</div>
+!! result
+<div style="background: #00FF00">-</div>
+
+!! end
+
+!! test
+Expansion of multi-line templates in attribute values (bug 6255 sanity check)
+!! input
+<div style="background: #00FF00">-</div>
+!! result
+<div style="background: #00FF00">-</div>
+
+!! end
+
###
### Parser hooks (see maintenance/parserTestsParserHook.php for the <tag> extension)
###
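Review bot: The two sanity-check tests on L125 and L135 carry the identical name `Expansion of multi-line templates in attribute values (bug 6255 sanity check)`, so a failure report from the parser test runner cannot say which of the two broke; I would name them by what they pin, e.g. `(bug 6255 sanity check: literal newline in attribute)` for the L127-L128 input and `(bug 6255 sanity check: single-line attribute)` for L137. The L127-L128 case confirms that a literal newline collapses to a single space, but the only test here where the attribute value contains `"` or `>` is the pre-existing {{div style}} case on L101; if the attribute armoring is meant to stop a template expanding to such a value, a test using Template:Identity with a value like `#00FF00" onmouseover="...` would guard that path directly, assuming the armoring is expected to hold there.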
<table>
<u class="|">} >
-<br style="onmouseover='alert(document.cookie);' " />
+<br style="onmouseover='alert(document.cookie);'" />
MOVE YOUR MOUSE CURSOR OVER THIS TEXT
<tr>