From 9b510882d79549bdc6be3b89d10f67d3f6c5da2d Mon Sep 17 00:00:00 2001
From: Arlo Breault <abreault@wikimedia.org>
Date: Fri, 5 Feb 2016 08:00:56 -0800
Subject: [PATCH] Don't replace !! in elements

 * 55313f4e almost got it right, but missed the str_replacing table
   headings.

 * Thankfully, this was doubly broken before that patch since the
   StringUtils::explodeMarkup would have skipped the || which would
   go on to be explode by table cell attribute parsing. The test case
   provided would look like,

   <table>
   <tr>
   <th class="">|">ha</div> ho
   </th></tr></table>

   Suffice it to say, noone is using this in production.

 * Note that we can't just entity encode the ! since that would break
   style attributes with !important.

 * Also note, Parsoid already gets this right.

 * Adds a StringUtils::replaceMarkup

Change-Id: Iab3ae4518fcb307b795d57eece420ba48af0a3bf
---
 includes/libs/StringUtils.php | 25 +++++++++++++++++++++++++
 includes/parser/Parser.php    |  2 +-
 tests/parser/parserTests.txt  | 18 ++++++++++++++++++
 3 files changed, 44 insertions(+), 1 deletion(-)

diff --git a/includes/libs/StringUtils.php b/includes/libs/StringUtils.php
index d2226b6daa..057495ee97 100644
--- a/includes/libs/StringUtils.php
+++ b/includes/libs/StringUtils.php
@@ -288,6 +288,31 @@ class StringUtils {
 		return $items;
 	}
 
+	/**
+	 * More or less "markup-safe" str_replace()
+	 * Ignores any instances of the separator inside `<...>`
+	 * @param string $search
+	 * @param string $replace
+	 * @param string $text
+	 * @return string
+	 */
+	static function replaceMarkup( $search, $replace, $text ) {
+		$placeholder = "\x00";
+
+		// Remove placeholder instances
+		$text = str_replace( $placeholder, '', $text );
+
+		// Replace instances of the separator inside HTML-like tags with the placeholder
+		$replacer = new DoubleReplacer( $search, $placeholder );
+		$cleaned = StringUtils::delimiterReplaceCallback( '<', '>', $replacer->cb(), $text );
+
+		// Explode, then put the replaced separators back in
+		$cleaned = str_replace( $search, $replace, $cleaned );
+		$text = str_replace( $placeholder, $search, $cleaned );
+
+		return $text;
+	}
+
 	/**
 	 * Escape a string to make it suitable for inclusion in a preg_replace()
 	 * replacement parameter.
diff --git a/includes/parser/Parser.php b/includes/parser/Parser.php
index 5ee0c5a6a1..d2e4bf0b61 100644
--- a/includes/parser/Parser.php
+++ b/includes/parser/Parser.php
@@ -1115,7 +1115,7 @@ class Parser {
 
 				// Implies both are valid for table headings.
 				if ( $first_character === '!' ) {
-					$line = str_replace( '!!', '||', $line );
+					$line = StringUtils::replaceMarkup( '!!', '||', $line );
 				}
 
 				# Split up multiple cells on the same line.
diff --git a/tests/parser/parserTests.txt b/tests/parser/parserTests.txt
index 691113db66..23bdbde92f 100644
--- a/tests/parser/parserTests.txt
+++ b/tests/parser/parserTests.txt
@@ -6333,6 +6333,24 @@ parsoid=wt2html,html2html
 <td data-parsoid='{"startTagSrc":"| ","attrSepSrc":"|","autoInsertedEnd":true}'><a rel="mw:ExtLink" href="ftp://|x||"></a>" onmouseover="alert(document.cookie)">test</td></tr></tbody></table>
 !! end
 
+!! test
+Element attributes with double ! should not be broken up by <th>
+!! wikitext
+{|
+! hi <div class="!!">ha</div> ho
+|}
+!! html/php
+<table>
+<tr>
+<th> hi <div class="!!">ha</div> ho
+</th></tr></table>
+
+!! html/parsoid
+<table>
+<tbody><tr><th> hi <div class="!!" data-parsoid='{"stx":"html"}'>ha</div> ho</th></tr>
+</tbody></table>
+!! end
+
 !! test
 ! and || in element attributes should not be parsed as <th>/<td>
 !! wikitext
-- 
2.20.1