* Rewritten removeUnusedAccounts to be more efficient, print names of inactive
accounts
* Redirect Special:Userlist to Special:Listusers
+* Introduce $wgAllowTitlesInSVG, which allows the <title> attribute in uploaded files
+ bearing the image/svg MIME type. Disabled by default due to the vast majority of
+ web servers being hideously misconfigured. See DefaultSettings.php for more details.
== Compatibility ==
*/
$wgReservedUsernames = array( 'MediaWiki default', 'Conversion script' );
+/**
+ * MediaWiki will reject HTMLesque tags in uploaded files due to idiotic browsers which can't
+ * perform basic stuff like MIME detection and which are vulnerable to further idiots uploading
+ * crap files as images. When this directive is on, <title> will be allowed in files with
+ * an "image/svg" MIME type. You should leave this disabled if your web server is misconfigured
+ * and doesn't send appropriate MIME types for SVG images.
+ */
+$wgAllowTitlesInSVG = false;
+
?>
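Review bot: The doc comment on `$wgAllowTitlesInSVG` never names the risk an administrator accepts by enabling it, and the invective in it carries no information. I would reword it to say that some browsers sniff content instead of honouring the Content-Type, so an upload containing HTML-like tags can be rendered as HTML and run script in the wiki's origin. It should also say that enabling the setting exempts only `<title`, and only for files whose type is `image/svg`, and that it should stay `false` unless the server is verified to send the correct Content-Type for uploaded SVG files. The release-notes entry has the same gap and calls `<title>` an attribute where it is an element.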
* @return bool true if the file contains something looking like embedded scripts
*/
function detectScript($file,$mime) {
+ global $wgAllowTitlesInSVG;
#ugly hack: for text files, always look at the entire file.
#For binarie field, just check the first K.
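Review bot: The `<title` exemption that this `global` feeds (the condition in the next hunk, `$mime != 'image/svg' || !$wgAllowTitlesInSVG`) is only as trustworthy as `$mime`, and nothing visible here shows whether the caller derives it from the file's content or from the extension or client-declared type. If it can come from the latter, a non-SVG file labelled as SVG would skip the `<title` check, so the docblock should state the requirement, e.g. `@param string $mime MIME type detected from the file content, never the uploader-supplied one`. I would also write the test as `if ( $mime !== 'image/svg' || !$wgAllowTitlesInSVG ) { $tags[] = '<title'; }` so the comparison is strict and the braceless body cannot be extended by accident. detectScript's body starts and ends outside these hunks.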
'<img',
'<pre',
'<script', #also in safari
- '<table',
- '<title' #also in safari
+ '<table'
);
+ if( $mime != 'image/svg' || !$wgAllowTitlesInSVG )
+ $tags[] = '<title';
foreach( $tags as $tag ) {
if( false !== strpos( $chunk, $tag ) ) {