class SearchHighlighter {
protected $mCleanWikitext = true;
+ /**
+ * @warning If you pass false to this constructor, then
+ * the caller is responsible for HTML escaping.
+ */
function __construct( $cleanupWikitext = true ) {
$this->mCleanWikitext = $cleanupWikitext;
}
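Review bot: The new @warning says what the caller must do when passing false, but the docblock still does not say what `$cleanupWikitext` controls, so a reader has to discover elsewhere in the class that the default path is the one that HTML-escapes snippet output. I would replace the tag with a full parameter line: `@param bool $cleanupWikitext Strip wikitext markup and HTML-escape the returned snippets (default true). When false the raw snippet text is returned and the caller must escape it before output.` Because the false path is now documented as unsafe by default, each existing caller that passes false should be checked for its own escaping; none of those call sites are visible in this hunk. The property `$mCleanWikitext` would also benefit from a one-line comment tying it to this flag.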
if ( preg_match( $spat, $text, $matches, PREG_OFFSET_CAPTURE, $start ) ) {
$epat = '';
foreach ( $matches as $key => $val ) {
- if ( $key > 0 && $val[1] != - 1 ) {
+ if ( $key > 0 && $val[1] != -1 ) {
if ( $key == 2 ) {
// see if this is an image link
- $ns = substr( $val[0], 2, - 1 );
+ $ns = substr( $val[0], 2, -1 );
if ( $wgContLang->getNsIndex( $ns ) != NS_FILE ) {
break;
}
// $snippets = array_map( 'htmlspecialchars', $extended );
$snippets = $extended;
- $last = - 1;
+ $last = -1;
$extract = '';
foreach ( $snippets as $index => $line ) {
- if ( $last == - 1 ) {
+ if ( $last == -1 ) {
$extract .= $line; // first line
} elseif ( $last + 1 == $index
&& $offsets[$last] + strlen( $snippets[$last] ) >= strlen( $all[$last] )
$text = preg_replace( "/('''|<\/?[iIuUbB]>)/", "", $text );
$text = preg_replace( "/''/", "", $text );
+ // Note, the previous /<\/?[^>]+>/ is insufficient
+ // for XSS safety as the HTML tag can span multiple
+ // search results (T144845).
+ $text = Sanitizer::escapeHtmlAllowEntities( $text );
return $text;
}
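Review bot: The escaping added at the end of this function changes its contract — the returned string is now HTML-escaped — but the function's docblock, which starts outside this hunk, is not updated, and the inline comment only explains why the old tag-stripping regex was insufficient. I would add to the docblock: `@return string Snippet with wikitext markup removed, HTML-escaped for an HTML text context; as escapeHtmlAllowEntities' name suggests, pre-existing character entities are left intact (confirm), so the result is not safe to place in an attribute value.` Any highlight markup the caller wraps around matches has to be inserted after this call, or it will be escaped along with the text; presumably the callers already do so, since the regexes above would otherwise strip it too. Note also that each `preg_replace` result is used unchecked: on a PCRE failure it returns null, so the snippet would silently become empty rather than surfacing the error — harmless for XSS, but a `preg_last_error()` check would make the failure visible.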