From: Ryan Schmidt Date: Sun, 19 Apr 2009 23:48:50 +0000 (+0000) Subject: Follow-up on r49330 X-Git-Tag: 1.31.0-rc.0~42101 X-Git-Url: http://git.cyclocoop.org/%7B%24www_url%7Dadmin/compta/exercices/supprimer.php?a=commitdiff_plain;h=54f5b23182ebd31de3f528ff5fec20d7bcbf0a30;p=lhc%2Fweb%2Fwiklou.git Follow-up on r49330 * re-add $wgRestrictDisplayTitle * revert r49610 * prevent block-level and other such tags from being used in DISPLAYTITLE (while still allowing tags such as and )
---
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index e7a40438b1..7fa8aae9fc 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -26,15 +26,12 @@ it from source control: http://www.mediawiki.org/wiki/Download_from_SVN
 * Added $wgNoFollowDomainExceptions to allow exempting particular domain names from rel="nofollow" on external links
 * (bug 12970) Brought back $wgUseImageResize.
-* Added $wgRedirectOnLogin to allow specifying a page to redirect users to upon
- logging in (for example, "Main Page")
+* Added $wgRedirectOnLogin to allow specifying a specifc page to redirect users
+ to upon logging in (ex: "Main Page")
 * Add $wgExportFromNamespaces for enabling/disabling the "export all from namespace" option (disabled by default)
 * (bug 18222) $wgMinimalPasswordLength default is now 1
 * $wgSessionHandler can be used to configure session.save_handler
-* Removed $wgRestrictDisplayTitle, in effect permanently setting it to true.
- Without this variable, the DISPLAYTITLE magic word will only accept titles
- that are equivalent to the actual page title.
 === New features in 1.15 ===
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 2684ef5087..b8f4426ffb 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -3462,6 +3462,11 @@ $wgAjaxLicensePreview = true;
 */
 $wgAllowDisplayTitle = true;
+/**
+ * for consistency, restrict DISPLAYTITLE to titles that normalize to the same canonical DB key
+ */
+$wgRestrictDisplayTitle = true;
+
 /**
 * Array of usernames which may not be registered or logged in from
 * Maintenance scripts can still use these
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index 5d58b03655..79f42db372 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -338,9 +338,11 @@ class Sanitizer {
 * @param string $text
 * @param callback $processCallback to do any variable or parameter replacements in HTML attribute values
 * @param array $args for the processing callback
+ * @param array $extratags for any extra tags to include
+ * @param array $removetags for any tags (default or extra) to exclude
 * @return string
 */
- static function removeHTMLtags( $text, $processCallback = null, $args = array(), $extratags = array() ) {
+ static function removeHTMLtags( $text, $processCallback = null, $args = array(), $extratags = array(), $removetags = array() ) {
 global $wgUseTidy;
 static $htmlpairs, $htmlsingle, $htmlsingleonly, $htmlnest, $tabletags,
@@ -377,8 +379,10 @@ class Sanitizer {
 'li',
 );
- $htmlsingleallowed = array_merge( $htmlsingle, $tabletags );
- $htmlelements = array_merge( $htmlsingle, $htmlpairs, $htmlnest );
+ $htmlsingleallowed = array_unique( array_merge( $htmlsingle, $tabletags ) ); # Only allow elements that aren't specified in $removetags # Doing it here since this is the top-level check
+ $htmlelements = array_diff( array_unique( array_merge( $htmlsingle, $htmlpairs, $htmlnest ) ), $removetags );
 # Convert them all to hashtables for faster lookup
 $vars = array( 'htmlpairs', 'htmlsingle', 'htmlsingleonly', 'htmlnest', 'tabletags',
diff --git a/includes/parser/CoreParserFunctions.php b/includes/parser/CoreParserFunctions.php
index 8f528eca0e..b1d70bab85 100644
--- a/includes/parser/CoreParserFunctions.php
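Review bot: The doc comment added above `$wgRestrictDisplayTitle = true;` explains the default but not what switching it off permits, which is the part an administrator needs before flipping it. With the flag off, the DISPLAYTITLE parser function (in CoreParserFunctions.php, this commit) accepts any sanitized text as the page heading, so a page can present a title unrelated to its actual name. I would extend the comment to `* Setting this to false lets any editor give a page an arbitrary (sanitized) display title,` and `* which can mislead readers about which page they are on; leave it true unless all editors are trusted.` This keeps the security trade-off next to the switch rather than in the parser code.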
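Review bot: `$removetags` is subtracted only from `$htmlelements` on the new `$htmlelements = array_diff( ... )` line, while these tables are declared `static` in the earlier hunk (`static $htmlpairs, $htmlsingle, ...`), so if their construction is guarded by a once-per-request flag (the guard itself is not visible in this hunk) the `$removetags` and `$extratags` of the first caller are baked into the table for every later call. In that case a DISPLAYTITLE parse early in the request would strip `div`, `table` and the rest from all subsequent wikitext, and a plain wikitext parse first would make the DISPLAYTITLE denylist a no-op, which is the security property this commit is trying to establish. If that guard exists, keep the static table unfiltered inside it and derive the per-call set after the block, e.g. `$htmlelements = array_diff_key( $htmlelementsStatic, array_flip( $removetags ) );`, and do the same for `$extratags`. It would also be worth a comment on the `$htmlelements` line stating that `$htmlpairs`/`$htmlsingle`/`$htmlnest` remain unfiltered and rely on this top-level check to reject removed tags. removeHTMLtags continues well past this hunk.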
+++ b/includes/parser/CoreParserFunctions.php
@@ -236,13 +236,25 @@ class CoreParserFunctions {
 * @param string $text Desired title text
 * @return string
 */
- static function displaytitle( $parser, $displayTitle = '' ) {
+ static function displaytitle( $parser, $text = '' ) {
+ global $wgRestrictDisplayTitle;
+
+ #list of disallowed tags for DISPLAYTITLE
+ #these will be escaped even though they are allowed in normal wiki text
+ $bad = array( 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'blockquote', 'ol', 'ul', 'li',
+ 'table', 'tr', 'th', 'td', 'dl', 'dd', 'caption', 'p', 'ruby', 'rb', 'rt', 'rp' );
+
 #only requested titles that normalize to the actual title are allowed through
 #mimic the escaping process that occurs in OutputPage::setPageTitle
- $title = Title::newFromText( Sanitizer::stripAllTags( Sanitizer::normalizeCharReferences( Sanitizer::removeHTMLtags( $displayTitle ) ) ) );
+ $text = Sanitizer::normalizeCharReferences( Sanitizer::removeHTMLtags( $text, null, array(), array(), $bad ) );
+ $title = Title::newFromText( Sanitizer::stripAllTags( $text ) );
- if ( $title instanceof Title && $title->getFragment() == '' && $title->equals( $parser->mTitle ) ) {
- $parser->mOutput->setDisplayTitle( $displayTitle );
+ if( !$wgRestrictDisplayTitle ) {
+ $parser->mOutput->setDisplayTitle( $text );
+ } else {
+ if ( $title instanceof Title && $title->getFragment() == '' && $title->equals( $parser->mTitle ) ) {
+ $parser->mOutput->setDisplayTitle( $text );
+ }
+ }
 return '';
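Review bot: The hand-written `$bad` denylist on the new `$bad = array( ... )` lines is incomplete for its stated purpose of keeping block-level markup out of the heading: `dt` is missing although `dl` and `dd` are listed, and `hr`, `pre` and `center` are absent, so if those remain in the Sanitizer allowlist (not visible here) a `{{DISPLAYTITLE:}}` can still place them in the page title. I would change the two lines to `$bad = array( 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'blockquote', 'ol', 'ul', 'li', 'hr', 'pre', 'center',` and `'table', 'tr', 'th', 'td', 'dl', 'dt', 'dd', 'caption', 'p', 'ruby', 'rb', 'rt', 'rp' );`, and note in the comment that a denylist must be revisited whenever the Sanitizer allowlist grows, since an allowlist of inline tags would not have that failure mode. Separately, nothing in this hunk restricts attributes on the inline tags that survive, so if removeHTMLtags keeps `style` attributes a `<span>` can still hide or reposition the heading text; that is worth a `# TODO: attribute filtering` comment at minimum. The closing brace of displaytitle lies outside the hunk.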