* (bug 8859) Database::update should take array of tables too
* (bug 19698) Inverse selection for Special:Contributions
* (bug 24037) Add byte length of revision to Special:Contributions
+* (bug 1672) Added $wgDisableUploadScriptChecks to allow uploading of files
+ containing HTML or JS. DISABLING THESE CHECKS IS VERY DANGEROUS.
=== Bug fixes in 1.19 ===
* $wgUploadNavigationUrl should be used for file redlinks if
*/
$wgStrictFileExtensions = true;
+/**
+ * Setting this to true will disable the upload system's checks for HTML/JavaScript.
+ * THIS IS VERY DANGEROUS on a publicly editable site, so USE wgGroupPermissions
+ * TO RESTRICT UPLOADING to only those that you trust
+ */
+$wgDisableUploadScriptChecks = false;
+
/** Warn if uploaded files are larger than this (in bytes), or false to disable*/
$wgUploadSizeWarning = false;
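Review bot: The doc comment on `$wgDisableUploadScriptChecks` says the checks are dangerous to disable but not which checks are skipped or what the exposure is. Going by the UploadBase hunk in this commit, the flag skips both `detectScript()` and `detectScriptInSvg()` in `verifyFile()`, so I would add a sentence such as `Skips the HTML/JavaScript detection and the SVG script detection in UploadBase::verifyFile(); a file containing script can then be stored and may run in the wiki's origin when a browser renders it.` The comment should also say that the flag applies to every account holding the upload right, which is why restricting that right through wgGroupPermissions is the only containment. Finally, it is worth stating that the Java applet check governed by `$wgAllowJavaUploads` is separate and is not affected by this setting.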
$wgDebugTidy = false;
/** Allow raw, unchecked HTML in <html>...</html> sections.
- * THIS IS VERY DANGEROUS on a publically editable site, so USE wgGroupPermissions
+ * THIS IS VERY DANGEROUS on a publicly editable site, so USE wgGroupPermissions
* TO RESTRICT EDITING to only those that you trust
*/
$wgRawHtml = false;
* @return mixed true of the file is verified, array otherwise.
*/
protected function verifyFile() {
- global $wgAllowJavaUploads;
+ global $wgAllowJavaUploads, $wgDisableUploadScriptChecks;
# get the title, even though we are doing nothing with it, because
# we need to populate mFinalExtension
$this->getTitle();
}
# check for htmlish code and javascript
- if( self::detectScript( $this->mTempPath, $mime, $this->mFinalExtension ) ) {
- return array( 'uploadscripted' );
- }
- if( $this->mFinalExtension == 'svg' || $mime == 'image/svg+xml' ) {
- if( $this->detectScriptInSvg( $this->mTempPath ) ) {
+ if ( !$wgDisableUploadScriptChecks ) {
+ if( self::detectScript( $this->mTempPath, $mime, $this->mFinalExtension ) ) {
return array( 'uploadscripted' );
}
+ if( $this->mFinalExtension == 'svg' || $mime == 'image/svg+xml' ) {
+ if( $this->detectScriptInSvg( $this->mTempPath ) ) {
+ return array( 'uploadscripted' );
+ }
+ }
}
# Check for Java applets, which if uploaded can bypass cross-site
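Review bot: When `$wgDisableUploadScriptChecks` is true, the new `if ( !$wgDisableUploadScriptChecks )` block is skipped without any trace. Someone later investigating a scripted upload cannot tell from the logs whether the file passed the checks or the checks never ran. I would add an else branch that records the bypass, for example `wfDebug( __METHOD__ . ": script checks skipped, \$wgDisableUploadScriptChecks is set\n" );`. The comment `# check for htmlish code and javascript` could also mention that the whole block is conditional on the setting. `verifyFile()` starts and continues outside this hunk, so the Java applet check that follows is assumed to be unchanged.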