* Updated OOjs from v2.0.0 to v2.1.0.
* Updated OOUI from v0.21.1 to v0.23.0.
* Updated QUnit from v1.23.1 to v2.4.0.
+* Updated phpunit/phpunit from v4.8.35 to v4.8.36.
==== New external libraries ====
* The class \TestingAccessWrapper has been moved to the external library
possible for fallback images such as png.
* (T44246) $wgFilterLogTypes will no longer ignore 'patrol' when user does
not have the right to mark things patrolled.
-* …
=== New features in 1.31 ===
* Wikimedia\Rdbms\IDatabase->select() and similar methods now support
joins with parentheses for grouping.
* As a first pass in standardizing dialog boxes across the MediaWiki product,
-Html class now provides helper methods for messageBox, successBox, errorBox and
-warningBox generation.
+ Html class now provides helper methods for messageBox, successBox, errorBox and
+ warningBox generation.
=== External library changes in 1.31 ===
==== Upgraded external libraries ====
-* Updated dev dependancy phpunit/phpunit from v4.8.35 to v4.8.36.
+* …
==== New external libraries ====
* …
'mediawiki.viewport' module instead.
* The deprecated 'mediawiki.widgets.CategorySelector' module alias was removed.
Use the 'mediawiki.widgets.CategoryMultiselectWidget' module directly instead.
-* …
=== Bug fixes in 1.31 ===
* (T90902) Non-breaking space in header ID breaks anchor
-* …
=== Action API changes in 1.31 ===
* …
* Revision::selectArchiveFields() → Revision::getArchiveQueryInfo()
* User::selectFields() → User::getQueryInfo()
* WikiPage::selectFields() → WikiPage::getQueryInfo()
- * Due to significant refactoring, method ContribsPager::getUserCond() that had
- no access restriction has been removed.
- * Revision::setUserIdAndName() was deprecated.
+* Due to significant refactoring, method ContribsPager::getUserCond() that had
+ no access restriction has been removed.
+* Revision::setUserIdAndName() was deprecated.
== Compatibility ==
MediaWiki 1.31 requires PHP 5.5.9 or later. There is experimental support for
return;
}
+// Pathinfo can be used for stupid things. We don't support it for api.php at
+// all, so error out if it's present.
+if ( isset( $_SERVER['PATH_INFO'] ) && $_SERVER['PATH_INFO'] != '' ) {
+ $correctUrl = wfAppendQuery( wfScript( 'api' ), $wgRequest->getQueryValues() );
+ $correctUrl = wfExpandUrl( $correctUrl, PROTO_CANONICAL );
+ header( "Location: $correctUrl", true, 301 );
+ echo 'This endpoint does not support "path info", i.e. extra text between "api.php"'
+ . 'and the "?". Remove any such text and try again.';
+ die( 1 );
+}
+
// Verify that the API has not been disabled
if ( !$wgEnableAPI ) {
header( $_SERVER['SERVER_PROTOCOL'] . ' 500 MediaWiki configuration Error', true, 500 );
'ComposerJson' => __DIR__ . '/includes/libs/composer/ComposerJson.php',
'ComposerLock' => __DIR__ . '/includes/libs/composer/ComposerLock.php',
'ComposerPackageModifier' => __DIR__ . '/includes/composer/ComposerPackageModifier.php',
+ 'ComposerVendorHtaccessCreator' => __DIR__ . '/includes/composer/ComposerVendorHtaccessCreator.php',
'ComposerVersionNormalizer' => __DIR__ . '/includes/composer/ComposerVersionNormalizer.php',
'CompressOld' => __DIR__ . '/maintenance/storage/compressOld.php',
'ConcatenatedGzipHistoryBlob' => __DIR__ . '/includes/HistoryBlob.php',
'SVGMetadataExtractor' => __DIR__ . '/includes/media/SVGMetadataExtractor.php',
'SVGReader' => __DIR__ . '/includes/media/SVGMetadataExtractor.php',
'SamplingStatsdClient' => __DIR__ . '/includes/libs/stats/SamplingStatsdClient.php',
- 'Sanitizer' => __DIR__ . '/includes/Sanitizer.php',
+ 'Sanitizer' => __DIR__ . '/includes/parser/Sanitizer.php',
'ScopedCallback' => __DIR__ . '/includes/compat/ScopedCallback.php',
'ScopedLock' => __DIR__ . '/includes/libs/lockmanager/ScopedLock.php',
'SearchApi' => __DIR__ . '/includes/api/SearchApi.php',
},
"autoload": {
"psr-0": {
- "ComposerHookHandler": "includes/composer"
+ "ComposerHookHandler": "includes/composer",
+ "ComposerVendorHtaccessCreator": "includes/composer"
},
"files": [
"includes/compat/Timestamp.php"
"fix": "phpcbf",
"pre-install-cmd": "ComposerHookHandler::onPreInstall",
"pre-update-cmd": "ComposerHookHandler::onPreUpdate",
+ "post-install-cmd": "ComposerVendorHtaccessCreator::onEvent",
+ "post-update-cmd": "ComposerVendorHtaccessCreator::onEvent",
"test": [
"composer lint",
"composer phpcs"
$wgOut->disable();
$mimetype = $this->contentType();
header( "Content-type: $mimetype; charset=UTF-8" );
+
+ // Set a sane filename
+ $exts = MimeMagic::singleton()->getExtensionsForType( $mimetype );
+ $ext = $exts ? strtok( $exts, ' ' ) : 'xml';
+ header( "Content-Disposition: inline; filename=\"feed.{$ext}\"" );
+
if ( $wgVaryOnXFP ) {
$wgOut->addVaryHeader( 'X-Forwarded-Proto' );
}
* @return string
*/
protected function replaceParameters( $message, $type = 'before', $format ) {
+ // A temporary marker for $1 parameters that is only valid
+ // in non-attribute contexts. However if the entire message is escaped
+ // then we don't want to use it because it will be mangled in all contexts
+ // and its unnessary as ->escaped() messages aren't html.
+ $marker = $format === self::FORMAT_ESCAPED ? '$' : '$\'"';
$replacementKeys = [];
foreach ( $this->parameters as $n => $param ) {
list( $paramType, $value ) = $this->extractParam( $param, $format );
- if ( $type === $paramType ) {
- $replacementKeys['$' . ( $n + 1 )] = $value;
+ if ( $type === 'before' ) {
+ if ( $paramType === 'before' ) {
+ $replacementKeys['$' . ( $n + 1 )] = $value;
+ } else /* $paramType === 'after' */ {
+ // To protect against XSS from replacing parameters
+ // inside html attributes, we convert $1 to $'"1.
+ // In the event that one of the parameters ends up
+ // in an attribute, either the ' or the " will be
+ // escaped, breaking the replacement and avoiding XSS.
+ $replacementKeys['$' . ( $n + 1 )] = $marker . ( $n + 1 );
+ }
+ } else {
+ if ( $paramType === 'after' ) {
+ $replacementKeys[$marker . ( $n + 1 )] = $value;
+ }
}
}
$message = strtr( $message, $replacementKeys );
* over to the tryUISubmit static method of this class.
*/
class Preferences {
- /** @var array */
- protected static $defaultPreferences = null;
-
/** @var array */
protected static $saveFilters = [
'timecorrection' => [ 'Preferences', 'filterTimezoneInput' ],
* @return array|null
*/
static function getPreferences( $user, IContextSource $context ) {
- if ( self::$defaultPreferences ) {
- return self::$defaultPreferences;
- }
-
OutputPage::setupOOUI(
strtolower( $context->getSkin()->getSkinName() ),
$context->getLanguage()->getDir()
Hooks::run( 'GetPreferences', [ $user, &$defaultPreferences ] );
self::loadPreferenceValues( $user, $context, $defaultPreferences );
- self::$defaultPreferences = $defaultPreferences;
return $defaultPreferences;
}
+++ /dev/null
-<?php
-/**
- * HTML sanitizer for %MediaWiki.
- *
- * Copyright © 2002-2005 Brion Vibber <brion@pobox.com> et al
- * https://www.mediawiki.org/
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
- * http://www.gnu.org/copyleft/gpl.html
- *
- * @file
- * @ingroup Parser
- */
-
-/**
- * HTML sanitizer for MediaWiki
- * @ingroup Parser
- */
-class Sanitizer {
- /**
- * Regular expression to match various types of character references in
- * Sanitizer::normalizeCharReferences and Sanitizer::decodeCharReferences
- */
- const CHAR_REFS_REGEX =
- '/&([A-Za-z0-9\x80-\xff]+);
- |&\#([0-9]+);
- |&\#[xX]([0-9A-Fa-f]+);
- |(&)/x';
-
- /**
- * Acceptable tag name charset from HTML5 parsing spec
- * https://www.w3.org/TR/html5/syntax.html#tag-open-state
- */
- const ELEMENT_BITS_REGEX = '!^(/?)([A-Za-z][^\t\n\v />\0]*+)([^>]*?)(/?>)([^<]*)$!';
-
- /**
- * Blacklist for evil uris like javascript:
- * WARNING: DO NOT use this in any place that actually requires blacklisting
- * for security reasons. There are NUMEROUS[1] ways to bypass blacklisting, the
- * only way to be secure from javascript: uri based xss vectors is to whitelist
- * things that you know are safe and deny everything else.
- * [1]: http://ha.ckers.org/xss.html
- */
- const EVIL_URI_PATTERN = '!(^|\s|\*/\s*)(javascript|vbscript)([^\w]|$)!i';
- const XMLNS_ATTRIBUTE_PATTERN = "/^xmlns:[:A-Z_a-z-.0-9]+$/";
-
- /**
- * Tells escapeUrlForHtml() to encode the ID using the wiki's primary encoding.
- *
- * @since 1.30
- */
- const ID_PRIMARY = 0;
-
- /**
- * Tells escapeUrlForHtml() to encode the ID using the fallback encoding, or return false
- * if no fallback is configured.
- *
- * @since 1.30
- */
- const ID_FALLBACK = 1;
-
- /**
- * List of all named character entities defined in HTML 4.01
- * https://www.w3.org/TR/html4/sgml/entities.html
- * As well as ' which is only defined starting in XHTML1.
- */
- private static $htmlEntities = [
- 'Aacute' => 193,
- 'aacute' => 225,
- 'Acirc' => 194,
- 'acirc' => 226,
- 'acute' => 180,
- 'AElig' => 198,
- 'aelig' => 230,
- 'Agrave' => 192,
- 'agrave' => 224,
- 'alefsym' => 8501,
- 'Alpha' => 913,
- 'alpha' => 945,
- 'amp' => 38,
- 'and' => 8743,
- 'ang' => 8736,
- 'apos' => 39, // New in XHTML & HTML 5; avoid in output for compatibility with IE.
- 'Aring' => 197,
- 'aring' => 229,
- 'asymp' => 8776,
- 'Atilde' => 195,
- 'atilde' => 227,
- 'Auml' => 196,
- 'auml' => 228,
- 'bdquo' => 8222,
- 'Beta' => 914,
- 'beta' => 946,
- 'brvbar' => 166,
- 'bull' => 8226,
- 'cap' => 8745,
- 'Ccedil' => 199,
- 'ccedil' => 231,
- 'cedil' => 184,
- 'cent' => 162,
- 'Chi' => 935,
- 'chi' => 967,
- 'circ' => 710,
- 'clubs' => 9827,
- 'cong' => 8773,
- 'copy' => 169,
- 'crarr' => 8629,
- 'cup' => 8746,
- 'curren' => 164,
- 'dagger' => 8224,
- 'Dagger' => 8225,
- 'darr' => 8595,
- 'dArr' => 8659,
- 'deg' => 176,
- 'Delta' => 916,
- 'delta' => 948,
- 'diams' => 9830,
- 'divide' => 247,
- 'Eacute' => 201,
- 'eacute' => 233,
- 'Ecirc' => 202,
- 'ecirc' => 234,
- 'Egrave' => 200,
- 'egrave' => 232,
- 'empty' => 8709,
- 'emsp' => 8195,
- 'ensp' => 8194,
- 'Epsilon' => 917,
- 'epsilon' => 949,
- 'equiv' => 8801,
- 'Eta' => 919,
- 'eta' => 951,
- 'ETH' => 208,
- 'eth' => 240,
- 'Euml' => 203,
- 'euml' => 235,
- 'euro' => 8364,
- 'exist' => 8707,
- 'fnof' => 402,
- 'forall' => 8704,
- 'frac12' => 189,
- 'frac14' => 188,
- 'frac34' => 190,
- 'frasl' => 8260,
- 'Gamma' => 915,
- 'gamma' => 947,
- 'ge' => 8805,
- 'gt' => 62,
- 'harr' => 8596,
- 'hArr' => 8660,
- 'hearts' => 9829,
- 'hellip' => 8230,
- 'Iacute' => 205,
- 'iacute' => 237,
- 'Icirc' => 206,
- 'icirc' => 238,
- 'iexcl' => 161,
- 'Igrave' => 204,
- 'igrave' => 236,
- 'image' => 8465,
- 'infin' => 8734,
- 'int' => 8747,
- 'Iota' => 921,
- 'iota' => 953,
- 'iquest' => 191,
- 'isin' => 8712,
- 'Iuml' => 207,
- 'iuml' => 239,
- 'Kappa' => 922,
- 'kappa' => 954,
- 'Lambda' => 923,
- 'lambda' => 955,
- 'lang' => 9001,
- 'laquo' => 171,
- 'larr' => 8592,
- 'lArr' => 8656,
- 'lceil' => 8968,
- 'ldquo' => 8220,
- 'le' => 8804,
- 'lfloor' => 8970,
- 'lowast' => 8727,
- 'loz' => 9674,
- 'lrm' => 8206,
- 'lsaquo' => 8249,
- 'lsquo' => 8216,
- 'lt' => 60,
- 'macr' => 175,
- 'mdash' => 8212,
- 'micro' => 181,
- 'middot' => 183,
- 'minus' => 8722,
- 'Mu' => 924,
- 'mu' => 956,
- 'nabla' => 8711,
- 'nbsp' => 160,
- 'ndash' => 8211,
- 'ne' => 8800,
- 'ni' => 8715,
- 'not' => 172,
- 'notin' => 8713,
- 'nsub' => 8836,
- 'Ntilde' => 209,
- 'ntilde' => 241,
- 'Nu' => 925,
- 'nu' => 957,
- 'Oacute' => 211,
- 'oacute' => 243,
- 'Ocirc' => 212,
- 'ocirc' => 244,
- 'OElig' => 338,
- 'oelig' => 339,
- 'Ograve' => 210,
- 'ograve' => 242,
- 'oline' => 8254,
- 'Omega' => 937,
- 'omega' => 969,
- 'Omicron' => 927,
- 'omicron' => 959,
- 'oplus' => 8853,
- 'or' => 8744,
- 'ordf' => 170,
- 'ordm' => 186,
- 'Oslash' => 216,
- 'oslash' => 248,
- 'Otilde' => 213,
- 'otilde' => 245,
- 'otimes' => 8855,
- 'Ouml' => 214,
- 'ouml' => 246,
- 'para' => 182,
- 'part' => 8706,
- 'permil' => 8240,
- 'perp' => 8869,
- 'Phi' => 934,
- 'phi' => 966,
- 'Pi' => 928,
- 'pi' => 960,
- 'piv' => 982,
- 'plusmn' => 177,
- 'pound' => 163,
- 'prime' => 8242,
- 'Prime' => 8243,
- 'prod' => 8719,
- 'prop' => 8733,
- 'Psi' => 936,
- 'psi' => 968,
- 'quot' => 34,
- 'radic' => 8730,
- 'rang' => 9002,
- 'raquo' => 187,
- 'rarr' => 8594,
- 'rArr' => 8658,
- 'rceil' => 8969,
- 'rdquo' => 8221,
- 'real' => 8476,
- 'reg' => 174,
- 'rfloor' => 8971,
- 'Rho' => 929,
- 'rho' => 961,
- 'rlm' => 8207,
- 'rsaquo' => 8250,
- 'rsquo' => 8217,
- 'sbquo' => 8218,
- 'Scaron' => 352,
- 'scaron' => 353,
- 'sdot' => 8901,
- 'sect' => 167,
- 'shy' => 173,
- 'Sigma' => 931,
- 'sigma' => 963,
- 'sigmaf' => 962,
- 'sim' => 8764,
- 'spades' => 9824,
- 'sub' => 8834,
- 'sube' => 8838,
- 'sum' => 8721,
- 'sup' => 8835,
- 'sup1' => 185,
- 'sup2' => 178,
- 'sup3' => 179,
- 'supe' => 8839,
- 'szlig' => 223,
- 'Tau' => 932,
- 'tau' => 964,
- 'there4' => 8756,
- 'Theta' => 920,
- 'theta' => 952,
- 'thetasym' => 977,
- 'thinsp' => 8201,
- 'THORN' => 222,
- 'thorn' => 254,
- 'tilde' => 732,
- 'times' => 215,
- 'trade' => 8482,
- 'Uacute' => 218,
- 'uacute' => 250,
- 'uarr' => 8593,
- 'uArr' => 8657,
- 'Ucirc' => 219,
- 'ucirc' => 251,
- 'Ugrave' => 217,
- 'ugrave' => 249,
- 'uml' => 168,
- 'upsih' => 978,
- 'Upsilon' => 933,
- 'upsilon' => 965,
- 'Uuml' => 220,
- 'uuml' => 252,
- 'weierp' => 8472,
- 'Xi' => 926,
- 'xi' => 958,
- 'Yacute' => 221,
- 'yacute' => 253,
- 'yen' => 165,
- 'Yuml' => 376,
- 'yuml' => 255,
- 'Zeta' => 918,
- 'zeta' => 950,
- 'zwj' => 8205,
- 'zwnj' => 8204
- ];
-
- /**
- * Character entity aliases accepted by MediaWiki
- */
- private static $htmlEntityAliases = [
- 'רלמ' => 'rlm',
- 'رلم' => 'rlm',
- ];
-
- /**
- * Lazy-initialised attributes regex, see getAttribsRegex()
- */
- private static $attribsRegex;
-
- /**
- * Regular expression to match HTML/XML attribute pairs within a tag.
- * Allows some... latitude. Based on,
- * https://www.w3.org/TR/html5/syntax.html#before-attribute-value-state
- * Used in Sanitizer::fixTagAttributes and Sanitizer::decodeTagAttributes
- * @return string
- */
- static function getAttribsRegex() {
- if ( self::$attribsRegex === null ) {
- $attribFirst = "[:_\p{L}\p{N}]";
- $attrib = "[:_\.\-\p{L}\p{N}]";
- $space = '[\x09\x0a\x0c\x0d\x20]';
- self::$attribsRegex =
- "/(?:^|$space)({$attribFirst}{$attrib}*)
- ($space*=$space*
- (?:
- # The attribute value: quoted or alone
- \"([^\"]*)(?:\"|\$)
- | '([^']*)(?:'|\$)
- | (((?!$space|>).)*)
- )
- )?(?=$space|\$)/sxu";
- }
- return self::$attribsRegex;
- }
-
- /**
- * Return the various lists of recognized tags
- * @param array $extratags For any extra tags to include
- * @param array $removetags For any tags (default or extra) to exclude
- * @return array
- */
- public static function getRecognizedTagData( $extratags = [], $removetags = [] ) {
- global $wgAllowImageTag;
-
- static $htmlpairsStatic, $htmlsingle, $htmlsingleonly, $htmlnest, $tabletags,
- $htmllist, $listtags, $htmlsingleallowed, $htmlelementsStatic, $staticInitialised;
-
- // Base our staticInitialised variable off of the global config state so that if the globals
- // are changed (like in the screwed up test system) we will re-initialise the settings.
- $globalContext = $wgAllowImageTag;
- if ( !$staticInitialised || $staticInitialised != $globalContext ) {
- $htmlpairsStatic = [ # Tags that must be closed
- 'b', 'bdi', 'del', 'i', 'ins', 'u', 'font', 'big', 'small', 'sub', 'sup', 'h1',
- 'h2', 'h3', 'h4', 'h5', 'h6', 'cite', 'code', 'em', 's',
- 'strike', 'strong', 'tt', 'var', 'div', 'center',
- 'blockquote', 'ol', 'ul', 'dl', 'table', 'caption', 'pre',
- 'ruby', 'rb', 'rp', 'rt', 'rtc', 'p', 'span', 'abbr', 'dfn',
- 'kbd', 'samp', 'data', 'time', 'mark'
- ];
- $htmlsingle = [
- 'br', 'wbr', 'hr', 'li', 'dt', 'dd', 'meta', 'link'
- ];
-
- # Elements that cannot have close tags. This is (not coincidentally)
- # also the list of tags for which the HTML 5 parsing algorithm
- # requires you to "acknowledge the token's self-closing flag", i.e.
- # a self-closing tag like <br/> is not an HTML 5 parse error only
- # for this list.
- $htmlsingleonly = [
- 'br', 'wbr', 'hr', 'meta', 'link'
- ];
-
- $htmlnest = [ # Tags that can be nested--??
- 'table', 'tr', 'td', 'th', 'div', 'blockquote', 'ol', 'ul',
- 'li', 'dl', 'dt', 'dd', 'font', 'big', 'small', 'sub', 'sup', 'span',
- 'var', 'kbd', 'samp', 'em', 'strong', 'q', 'ruby', 'bdo'
- ];
- $tabletags = [ # Can only appear inside table, we will close them
- 'td', 'th', 'tr',
- ];
- $htmllist = [ # Tags used by list
- 'ul', 'ol',
- ];
- $listtags = [ # Tags that can appear in a list
- 'li',
- ];
-
- if ( $wgAllowImageTag ) {
- $htmlsingle[] = 'img';
- $htmlsingleonly[] = 'img';
- }
-
- $htmlsingleallowed = array_unique( array_merge( $htmlsingle, $tabletags ) );
- $htmlelementsStatic = array_unique( array_merge( $htmlsingle, $htmlpairsStatic, $htmlnest ) );
-
- # Convert them all to hashtables for faster lookup
- $vars = [ 'htmlpairsStatic', 'htmlsingle', 'htmlsingleonly', 'htmlnest', 'tabletags',
- 'htmllist', 'listtags', 'htmlsingleallowed', 'htmlelementsStatic' ];
- foreach ( $vars as $var ) {
- $$var = array_flip( $$var );
- }
- $staticInitialised = $globalContext;
- }
-
- # Populate $htmlpairs and $htmlelements with the $extratags and $removetags arrays
- $extratags = array_flip( $extratags );
- $removetags = array_flip( $removetags );
- $htmlpairs = array_merge( $extratags, $htmlpairsStatic );
- $htmlelements = array_diff_key( array_merge( $extratags, $htmlelementsStatic ), $removetags );
-
- return [
- 'htmlpairs' => $htmlpairs,
- 'htmlsingle' => $htmlsingle,
- 'htmlsingleonly' => $htmlsingleonly,
- 'htmlnest' => $htmlnest,
- 'tabletags' => $tabletags,
- 'htmllist' => $htmllist,
- 'listtags' => $listtags,
- 'htmlsingleallowed' => $htmlsingleallowed,
- 'htmlelements' => $htmlelements,
- ];
- }
-
- /**
- * Cleans up HTML, removes dangerous tags and attributes, and
- * removes HTML comments
- * @param string $text
- * @param callable $processCallback Callback to do any variable or parameter
- * replacements in HTML attribute values
- * @param array|bool $args Arguments for the processing callback
- * @param array $extratags For any extra tags to include
- * @param array $removetags For any tags (default or extra) to exclude
- * @param callable $warnCallback (Deprecated) Callback allowing the
- * addition of a tracking category when bad input is encountered.
- * DO NOT ADD NEW PARAMETERS AFTER $warnCallback, since it will be
- * removed shortly.
- * @return string
- */
- public static function removeHTMLtags( $text, $processCallback = null,
- $args = [], $extratags = [], $removetags = [], $warnCallback = null
- ) {
- extract( self::getRecognizedTagData( $extratags, $removetags ) );
-
- # Remove HTML comments
- $text = self::removeHTMLcomments( $text );
- $bits = explode( '<', $text );
- $text = str_replace( '>', '>', array_shift( $bits ) );
- if ( !MWTidy::isEnabled() ) {
- $tagstack = $tablestack = [];
- foreach ( $bits as $x ) {
- $regs = [];
- # $slash: Does the current element start with a '/'?
- # $t: Current element name
- # $params: String between element name and >
- # $brace: Ending '>' or '/>'
- # $rest: Everything until the next element of $bits
- if ( preg_match( self::ELEMENT_BITS_REGEX, $x, $regs ) ) {
- list( /* $qbar */, $slash, $t, $params, $brace, $rest ) = $regs;
- } else {
- $slash = $t = $params = $brace = $rest = null;
- }
-
- $badtag = false;
- $t = strtolower( $t );
- if ( isset( $htmlelements[$t] ) ) {
- # Check our stack
- if ( $slash && isset( $htmlsingleonly[$t] ) ) {
- $badtag = true;
- } elseif ( $slash ) {
- # Closing a tag... is it the one we just opened?
- MediaWiki\suppressWarnings();
- $ot = array_pop( $tagstack );
- MediaWiki\restoreWarnings();
-
- if ( $ot != $t ) {
- if ( isset( $htmlsingleallowed[$ot] ) ) {
- # Pop all elements with an optional close tag
- # and see if we find a match below them
- $optstack = [];
- array_push( $optstack, $ot );
- MediaWiki\suppressWarnings();
- $ot = array_pop( $tagstack );
- MediaWiki\restoreWarnings();
- while ( $ot != $t && isset( $htmlsingleallowed[$ot] ) ) {
- array_push( $optstack, $ot );
- MediaWiki\suppressWarnings();
- $ot = array_pop( $tagstack );
- MediaWiki\restoreWarnings();
- }
- if ( $t != $ot ) {
- # No match. Push the optional elements back again
- $badtag = true;
- MediaWiki\suppressWarnings();
- $ot = array_pop( $optstack );
- MediaWiki\restoreWarnings();
- while ( $ot ) {
- array_push( $tagstack, $ot );
- MediaWiki\suppressWarnings();
- $ot = array_pop( $optstack );
- MediaWiki\restoreWarnings();
- }
- }
- } else {
- MediaWiki\suppressWarnings();
- array_push( $tagstack, $ot );
- MediaWiki\restoreWarnings();
-
- # <li> can be nested in <ul> or <ol>, skip those cases:
- if ( !isset( $htmllist[$ot] ) || !isset( $listtags[$t] ) ) {
- $badtag = true;
- }
- }
- } else {
- if ( $t == 'table' ) {
- $tagstack = array_pop( $tablestack );
- }
- }
- $newparams = '';
- } else {
- # Keep track for later
- if ( isset( $tabletags[$t] ) && !in_array( 'table', $tagstack ) ) {
- $badtag = true;
- } elseif ( in_array( $t, $tagstack ) && !isset( $htmlnest[$t] ) ) {
- $badtag = true;
- # Is it a self closed htmlpair ? (T7487)
- } elseif ( $brace == '/>' && isset( $htmlpairs[$t] ) ) {
- // Eventually we'll just remove the self-closing
- // slash, in order to be consistent with HTML5
- // semantics.
- // $brace = '>';
- // For now, let's just warn authors to clean up.
- if ( is_callable( $warnCallback ) ) {
- call_user_func_array( $warnCallback, [ 'deprecated-self-close-category' ] );
- }
- $badtag = true;
- } elseif ( isset( $htmlsingleonly[$t] ) ) {
- # Hack to force empty tag for unclosable elements
- $brace = '/>';
- } elseif ( isset( $htmlsingle[$t] ) ) {
- # Hack to not close $htmlsingle tags
- $brace = null;
- # Still need to push this optionally-closed tag to
- # the tag stack so that we can match end tags
- # instead of marking them as bad.
- array_push( $tagstack, $t );
- } elseif ( isset( $tabletags[$t] ) && in_array( $t, $tagstack ) ) {
- // New table tag but forgot to close the previous one
- $text .= "</$t>";
- } else {
- if ( $t == 'table' ) {
- array_push( $tablestack, $tagstack );
- $tagstack = [];
- }
- array_push( $tagstack, $t );
- }
-
- # Replace any variables or template parameters with
- # plaintext results.
- if ( is_callable( $processCallback ) ) {
- call_user_func_array( $processCallback, [ &$params, $args ] );
- }
-
- if ( !self::validateTag( $params, $t ) ) {
- $badtag = true;
- }
-
- # Strip non-approved attributes from the tag
- $newparams = self::fixTagAttributes( $params, $t );
- }
- if ( !$badtag ) {
- $rest = str_replace( '>', '>', $rest );
- $close = ( $brace == '/>' && !$slash ) ? ' /' : '';
- $text .= "<$slash$t$newparams$close>$rest";
- continue;
- }
- }
- $text .= '<' . str_replace( '>', '>', $x );
- }
- # Close off any remaining tags
- while ( is_array( $tagstack ) && ( $t = array_pop( $tagstack ) ) ) {
- $text .= "</$t>\n";
- if ( $t == 'table' ) {
- $tagstack = array_pop( $tablestack );
- }
- }
- } else {
- # this might be possible using tidy itself
- foreach ( $bits as $x ) {
- if ( preg_match( self::ELEMENT_BITS_REGEX, $x, $regs ) ) {
- list( /* $qbar */, $slash, $t, $params, $brace, $rest ) = $regs;
-
- $badtag = false;
- $t = strtolower( $t );
- if ( isset( $htmlelements[$t] ) ) {
- if ( is_callable( $processCallback ) ) {
- call_user_func_array( $processCallback, [ &$params, $args ] );
- }
-
- if ( $brace == '/>' && !( isset( $htmlsingle[$t] ) || isset( $htmlsingleonly[$t] ) ) ) {
- // Eventually we'll just remove the self-closing
- // slash, in order to be consistent with HTML5
- // semantics.
- // $brace = '>';
- // For now, let's just warn authors to clean up.
- if ( is_callable( $warnCallback ) ) {
- call_user_func_array( $warnCallback, [ 'deprecated-self-close-category' ] );
- }
- }
- if ( !self::validateTag( $params, $t ) ) {
- $badtag = true;
- }
-
- $newparams = self::fixTagAttributes( $params, $t );
- if ( !$badtag ) {
- if ( $brace === '/>' && !isset( $htmlsingleonly[$t] ) ) {
- # Interpret self-closing tags as empty tags even when
- # HTML 5 would interpret them as start tags. Such input
- # is commonly seen on Wikimedia wikis with this intention.
- $brace = "></$t>";
- }
-
- $rest = str_replace( '>', '>', $rest );
- $text .= "<$slash$t$newparams$brace$rest";
- continue;
- }
- }
- }
- $text .= '<' . str_replace( '>', '>', $x );
- }
- }
- return $text;
- }
-
- /**
- * Remove '<!--', '-->', and everything between.
- * To avoid leaving blank lines, when a comment is both preceded
- * and followed by a newline (ignoring spaces), trim leading and
- * trailing spaces and one of the newlines.
- *
- * @param string $text
- * @return string
- */
- public static function removeHTMLcomments( $text ) {
- while ( ( $start = strpos( $text, '<!--' ) ) !== false ) {
- $end = strpos( $text, '-->', $start + 4 );
- if ( $end === false ) {
- # Unterminated comment; bail out
- break;
- }
-
- $end += 3;
-
- # Trim space and newline if the comment is both
- # preceded and followed by a newline
- $spaceStart = max( $start - 1, 0 );
- $spaceLen = $end - $spaceStart;
- while ( substr( $text, $spaceStart, 1 ) === ' ' && $spaceStart > 0 ) {
- $spaceStart--;
- $spaceLen++;
- }
- while ( substr( $text, $spaceStart + $spaceLen, 1 ) === ' ' ) {
- $spaceLen++;
- }
- if ( substr( $text, $spaceStart, 1 ) === "\n"
- && substr( $text, $spaceStart + $spaceLen, 1 ) === "\n" ) {
- # Remove the comment, leading and trailing
- # spaces, and leave only one newline.
- $text = substr_replace( $text, "\n", $spaceStart, $spaceLen + 1 );
- } else {
- # Remove just the comment.
- $text = substr_replace( $text, '', $start, $end - $start );
- }
- }
- return $text;
- }
-
- /**
- * Takes attribute names and values for a tag and the tag name and
- * validates that the tag is allowed to be present.
- * This DOES NOT validate the attributes, nor does it validate the
- * tags themselves. This method only handles the special circumstances
- * where we may want to allow a tag within content but ONLY when it has
- * specific attributes set.
- *
- * @param string $params
- * @param string $element
- * @return bool
- */
- static function validateTag( $params, $element ) {
- $params = self::decodeTagAttributes( $params );
-
- if ( $element == 'meta' || $element == 'link' ) {
- if ( !isset( $params['itemprop'] ) ) {
- // <meta> and <link> must have an itemprop="" otherwise they are not valid or safe in content
- return false;
- }
- if ( $element == 'meta' && !isset( $params['content'] ) ) {
- // <meta> must have a content="" for the itemprop
- return false;
- }
- if ( $element == 'link' && !isset( $params['href'] ) ) {
- // <link> must have an associated href=""
- return false;
- }
- }
-
- return true;
- }
-
- /**
- * Take an array of attribute names and values and normalize or discard
- * illegal values for the given element type.
- *
- * - Discards attributes not on a whitelist for the given element
- * - Unsafe style attributes are discarded
- * - Invalid id attributes are re-encoded
- *
- * @param array $attribs
- * @param string $element
- * @return array
- *
- * @todo Check for legal values where the DTD limits things.
- * @todo Check for unique id attribute :P
- */
- static function validateTagAttributes( $attribs, $element ) {
- return self::validateAttributes( $attribs,
- self::attributeWhitelist( $element ) );
- }
-
- /**
- * Take an array of attribute names and values and normalize or discard
- * illegal values for the given whitelist.
- *
- * - Discards attributes not on the given whitelist
- * - Unsafe style attributes are discarded
- * - Invalid id attributes are re-encoded
- *
- * @param array $attribs
- * @param array $whitelist List of allowed attribute names
- * @return array
- *
- * @todo Check for legal values where the DTD limits things.
- * @todo Check for unique id attribute :P
- */
- static function validateAttributes( $attribs, $whitelist ) {
- $whitelist = array_flip( $whitelist );
- $hrefExp = '/^(' . wfUrlProtocols() . ')[^\s]+$/';
-
- $out = [];
- foreach ( $attribs as $attribute => $value ) {
- # Allow XML namespace declaration to allow RDFa
- if ( preg_match( self::XMLNS_ATTRIBUTE_PATTERN, $attribute ) ) {
- if ( !preg_match( self::EVIL_URI_PATTERN, $value ) ) {
- $out[$attribute] = $value;
- }
-
- continue;
- }
-
- # Allow any attribute beginning with "data-"
- # However:
- # * Disallow data attributes used by MediaWiki code
- # * Ensure that the attribute is not namespaced by banning
- # colons.
- if ( !preg_match( '/^data-[^:]*$/i', $attribute )
- && !isset( $whitelist[$attribute] )
- || self::isReservedDataAttribute( $attribute )
- ) {
- continue;
- }
-
- # Strip javascript "expression" from stylesheets.
- # https://msdn.microsoft.com/en-us/library/ms537634.aspx
- if ( $attribute == 'style' ) {
- $value = self::checkCss( $value );
- }
-
- # Escape HTML id attributes
- if ( $attribute === 'id' ) {
- $value = self::escapeIdForAttribute( $value, self::ID_PRIMARY );
- }
-
- # Escape HTML id reference lists
- if ( $attribute === 'aria-describedby'
- || $attribute === 'aria-flowto'
- || $attribute === 'aria-labelledby'
- || $attribute === 'aria-owns'
- ) {
- $value = self::escapeIdReferenceList( $value );
- }
-
- // RDFa and microdata properties allow URLs, URIs and/or CURIs.
- // Check them for sanity.
- if ( $attribute === 'rel' || $attribute === 'rev'
- # RDFa
- || $attribute === 'about' || $attribute === 'property'
- || $attribute === 'resource' || $attribute === 'datatype'
- || $attribute === 'typeof'
- # HTML5 microdata
- || $attribute === 'itemid' || $attribute === 'itemprop'
- || $attribute === 'itemref' || $attribute === 'itemscope'
- || $attribute === 'itemtype'
- ) {
- // Paranoia. Allow "simple" values but suppress javascript
- if ( preg_match( self::EVIL_URI_PATTERN, $value ) ) {
- continue;
- }
- }
-
- # NOTE: even though elements using href/src are not allowed directly, supply
- # validation code that can be used by tag hook handlers, etc
- if ( $attribute === 'href' || $attribute === 'src' || $attribute === 'poster' ) {
- if ( !preg_match( $hrefExp, $value ) ) {
- continue; // drop any href or src attributes not using an allowed protocol.
- // NOTE: this also drops all relative URLs
- }
- }
-
- // If this attribute was previously set, override it.
- // Output should only have one attribute of each name.
- $out[$attribute] = $value;
- }
-
- # itemtype, itemid, itemref don't make sense without itemscope
- if ( !array_key_exists( 'itemscope', $out ) ) {
- unset( $out['itemtype'] );
- unset( $out['itemid'] );
- unset( $out['itemref'] );
- }
- # TODO: Strip itemprop if we aren't descendants of an itemscope or pointed to by an itemref.
-
- return $out;
- }
-
- /**
- * Given an attribute name, checks whether it is a reserved data attribute
- * (such as data-mw-foo) which is unavailable to user-generated HTML so MediaWiki
- * core and extension code can safely use it to communicate with frontend code.
- * @param string $attr Attribute name.
- * @return bool
- */
- public static function isReservedDataAttribute( $attr ) {
- // data-ooui is reserved for ooui.
- // data-mw and data-parsoid are reserved for parsoid.
- // data-mw-<name here> is reserved for extensions (or core) if
- // they need to communicate some data to the client and want to be
- // sure that it isn't coming from an untrusted user.
- // We ignore the possibility of namespaces since user-generated HTML
- // can't use them anymore.
- return (bool)preg_match( '/^data-(ooui|mw|parsoid)/i', $attr );
- }
-
- /**
- * Merge two sets of HTML attributes. Conflicting items in the second set
- * will override those in the first, except for 'class' attributes which
- * will be combined (if they're both strings).
- *
- * @todo implement merging for other attributes such as style
- * @param array $a
- * @param array $b
- * @return array
- */
- static function mergeAttributes( $a, $b ) {
- $out = array_merge( $a, $b );
- if ( isset( $a['class'] ) && isset( $b['class'] )
- && is_string( $a['class'] ) && is_string( $b['class'] )
- && $a['class'] !== $b['class']
- ) {
- $classes = preg_split( '/\s+/', "{$a['class']} {$b['class']}",
- -1, PREG_SPLIT_NO_EMPTY );
- $out['class'] = implode( ' ', array_unique( $classes ) );
- }
- return $out;
- }
-
- /**
- * Normalize CSS into a format we can easily search for hostile input
- * - decode character references
- * - decode escape sequences
- * - convert characters that IE6 interprets into ascii
- * - remove comments, unless the entire value is one single comment
- * @param string $value the css string
- * @return string normalized css
- */
- public static function normalizeCss( $value ) {
- // Decode character references like {
- $value = self::decodeCharReferences( $value );
-
- // Decode escape sequences and line continuation
- // See the grammar in the CSS 2 spec, appendix D.
- // This has to be done AFTER decoding character references.
- // This means it isn't possible for this function to return
- // unsanitized escape sequences. It is possible to manufacture
- // input that contains character references that decode to
- // escape sequences that decode to character references, but
- // it's OK for the return value to contain character references
- // because the caller is supposed to escape those anyway.
- static $decodeRegex;
- if ( !$decodeRegex ) {
- $space = '[\\x20\\t\\r\\n\\f]';
- $nl = '(?:\\n|\\r\\n|\\r|\\f)';
- $backslash = '\\\\';
- $decodeRegex = "/ $backslash
- (?:
- ($nl) | # 1. Line continuation
- ([0-9A-Fa-f]{1,6})$space? | # 2. character number
- (.) | # 3. backslash cancelling special meaning
- () | # 4. backslash at end of string
- )/xu";
- }
- $value = preg_replace_callback( $decodeRegex,
- [ __CLASS__, 'cssDecodeCallback' ], $value );
-
- // Normalize Halfwidth and Fullwidth Unicode block that IE6 might treat as ascii
- $value = preg_replace_callback(
- '/[!-[]-z]/u', // U+FF01 to U+FF5A, excluding U+FF3C (T60088)
- function ( $matches ) {
- $cp = UtfNormal\Utils::utf8ToCodepoint( $matches[0] );
- if ( $cp === false ) {
- return '';
- }
- return chr( $cp - 65248 ); // ASCII range \x21-\x7A
- },
- $value
- );
-
- // Convert more characters IE6 might treat as ascii
- // U+0280, U+0274, U+207F, U+029F, U+026A, U+207D, U+208D
- $value = str_replace(
- [ 'ʀ', 'ɴ', 'ⁿ', 'ʟ', 'ɪ', '⁽', '₍' ],
- [ 'r', 'n', 'n', 'l', 'i', '(', '(' ],
- $value
- );
-
- // Let the value through if it's nothing but a single comment, to
- // allow other functions which may reject it to pass some error
- // message through.
- if ( !preg_match( '! ^ \s* /\* [^*\\/]* \*/ \s* $ !x', $value ) ) {
- // Remove any comments; IE gets token splitting wrong
- // This must be done AFTER decoding character references and
- // escape sequences, because those steps can introduce comments
- // This step cannot introduce character references or escape
- // sequences, because it replaces comments with spaces rather
- // than removing them completely.
- $value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value );
-
- // Remove anything after a comment-start token, to guard against
- // incorrect client implementations.
- $commentPos = strpos( $value, '/*' );
- if ( $commentPos !== false ) {
- $value = substr( $value, 0, $commentPos );
- }
- }
-
- // S followed by repeat, iteration, or prolonged sound marks,
- // which IE will treat as "ss"
- $value = preg_replace(
- '/s(?:
- \xE3\x80\xB1 | # U+3031
- \xE3\x82\x9D | # U+309D
- \xE3\x83\xBC | # U+30FC
- \xE3\x83\xBD | # U+30FD
- \xEF\xB9\xBC | # U+FE7C
- \xEF\xB9\xBD | # U+FE7D
- \xEF\xBD\xB0 # U+FF70
- )/ix',
- 'ss',
- $value
- );
-
- return $value;
- }
-
- /**
- * Pick apart some CSS and check it for forbidden or unsafe structures.
- * Returns a sanitized string. This sanitized string will have
- * character references and escape sequences decoded and comments
- * stripped (unless it is itself one valid comment, in which case the value
- * will be passed through). If the input is just too evil, only a comment
- * complaining about evilness will be returned.
- *
- * Currently URL references, 'expression', 'tps' are forbidden.
- *
- * NOTE: Despite the fact that character references are decoded, the
- * returned string may contain character references given certain
- * clever input strings. These character references must
- * be escaped before the return value is embedded in HTML.
- *
- * @param string $value
- * @return string
- */
- static function checkCss( $value ) {
- $value = self::normalizeCss( $value );
-
- // Reject problematic keywords and control characters
- if ( preg_match( '/[\000-\010\013\016-\037\177]/', $value ) ||
- strpos( $value, UtfNormal\Constants::UTF8_REPLACEMENT ) !== false ) {
- return '/* invalid control char */';
- } elseif ( preg_match(
- '! expression
- | filter\s*:
- | accelerator\s*:
- | -o-link\s*:
- | -o-link-source\s*:
- | -o-replace\s*:
- | url\s*\(
- | image\s*\(
- | image-set\s*\(
- | attr\s*\([^)]+[\s,]+url
- !ix', $value ) ) {
- return '/* insecure input */';
- }
- return $value;
- }
-
- /**
- * @param array $matches
- * @return string
- */
- static function cssDecodeCallback( $matches ) {
- if ( $matches[1] !== '' ) {
- // Line continuation
- return '';
- } elseif ( $matches[2] !== '' ) {
- $char = UtfNormal\Utils::codepointToUtf8( hexdec( $matches[2] ) );
- } elseif ( $matches[3] !== '' ) {
- $char = $matches[3];
- } else {
- $char = '\\';
- }
- if ( $char == "\n" || $char == '"' || $char == "'" || $char == '\\' ) {
- // These characters need to be escaped in strings
- // Clean up the escape sequence to avoid parsing errors by clients
- return '\\' . dechex( ord( $char ) ) . ' ';
- } else {
- // Decode unnecessary escape
- return $char;
- }
- }
-
- /**
- * Take a tag soup fragment listing an HTML element's attributes
- * and normalize it to well-formed XML, discarding unwanted attributes.
- * Output is safe for further wikitext processing, with escaping of
- * values that could trigger problems.
- *
- * - Normalizes attribute names to lowercase
- * - Discards attributes not on a whitelist for the given element
- * - Turns broken or invalid entities into plaintext
- * - Double-quotes all attribute values
- * - Attributes without values are given the name as attribute
- * - Double attributes are discarded
- * - Unsafe style attributes are discarded
- * - Prepends space if there are attributes.
- * - (Optionally) Sorts attributes by name.
- *
- * @param string $text
- * @param string $element
- * @param bool $sorted Whether to sort the attributes (default: false)
- * @return string
- */
- static function fixTagAttributes( $text, $element, $sorted = false ) {
- if ( trim( $text ) == '' ) {
- return '';
- }
-
- $decoded = self::decodeTagAttributes( $text );
- $stripped = self::validateTagAttributes( $decoded, $element );
-
- if ( $sorted ) {
- ksort( $stripped );
- }
-
- return self::safeEncodeTagAttributes( $stripped );
- }
-
- /**
- * Encode an attribute value for HTML output.
- * @param string $text
- * @return string HTML-encoded text fragment
- */
- static function encodeAttribute( $text ) {
- $encValue = htmlspecialchars( $text, ENT_QUOTES );
-
- // Whitespace is normalized during attribute decoding,
- // so if we've been passed non-spaces we must encode them
- // ahead of time or they won't be preserved.
- $encValue = strtr( $encValue, [
- "\n" => ' ',
- "\r" => ' ',
- "\t" => '	',
- ] );
-
- return $encValue;
- }
-
- /**
- * Encode an attribute value for HTML tags, with extra armoring
- * against further wiki processing.
- * @param string $text
- * @return string HTML-encoded text fragment
- */
- static function safeEncodeAttribute( $text ) {
- $encValue = self::encodeAttribute( $text );
-
- # Templates and links may be expanded in later parsing,
- # creating invalid or dangerous output. Suppress this.
- $encValue = strtr( $encValue, [
- '<' => '<', // This should never happen,
- '>' => '>', // we've received invalid input
- '"' => '"', // which should have been escaped.
- '{' => '{',
- '}' => '}', // prevent unpaired language conversion syntax
- '[' => '[',
- "''" => '''',
- 'ISBN' => 'ISBN',
- 'RFC' => 'RFC',
- 'PMID' => 'PMID',
- '|' => '|',
- '__' => '__',
- ] );
-
- # Stupid hack
- $encValue = preg_replace_callback(
- '/((?i)' . wfUrlProtocols() . ')/',
- [ 'Sanitizer', 'armorLinksCallback' ],
- $encValue );
- return $encValue;
- }
-
- /**
- * Given a value, escape it so that it can be used in an id attribute and
- * return it. This will use HTML5 validation if $wgExperimentalHtmlIds is
- * true, allowing anything but ASCII whitespace. Otherwise it will use
- * HTML 4 rules, which means a narrow subset of ASCII, with bad characters
- * escaped with lots of dots.
- *
- * To ensure we don't have to bother escaping anything, we also strip ', ",
- * & even if $wgExperimentalIds is true. TODO: Is this the best tactic?
- * We also strip # because it upsets IE, and % because it could be
- * ambiguous if it's part of something that looks like a percent escape
- * (which don't work reliably in fragments cross-browser).
- *
- * @deprecated since 1.30, use one of this class' escapeIdFor*() functions
- *
- * @see https://www.w3.org/TR/html401/types.html#type-name Valid characters
- * in the id and name attributes
- * @see https://www.w3.org/TR/html401/struct/links.html#h-12.2.3 Anchors with
- * the id attribute
- * @see https://www.w3.org/TR/html5/dom.html#the-id-attribute
- * HTML5 definition of id attribute
- *
- * @param string $id Id to escape
- * @param string|array $options String or array of strings (default is array()):
- * 'noninitial': This is a non-initial fragment of an id, not a full id,
- * so don't pay attention if the first character isn't valid at the
- * beginning of an id. Only matters if $wgExperimentalHtmlIds is
- * false.
- * 'legacy': Behave the way the old HTML 4-based ID escaping worked even
- * if $wgExperimentalHtmlIds is used, so we can generate extra
- * anchors and links won't break.
- * @return string
- */
- static function escapeId( $id, $options = [] ) {
- global $wgExperimentalHtmlIds;
- $options = (array)$options;
-
- if ( $wgExperimentalHtmlIds && !in_array( 'legacy', $options ) ) {
- $id = preg_replace( '/[ \t\n\r\f_\'"&#%]+/', '_', $id );
- $id = trim( $id, '_' );
- if ( $id === '' ) {
- // Must have been all whitespace to start with.
- return '_';
- } else {
- return $id;
- }
- }
-
- // HTML4-style escaping
- static $replace = [
- '%3A' => ':',
- '%' => '.'
- ];
-
- $id = urlencode( strtr( $id, ' ', '_' ) );
- $id = strtr( $id, $replace );
-
- if ( !preg_match( '/^[a-zA-Z]/', $id ) && !in_array( 'noninitial', $options ) ) {
- // Initial character must be a letter!
- $id = "x$id";
- }
- return $id;
- }
-
- /**
- * Given a section name or other user-generated or otherwise unsafe string, escapes it to be
- * a valid HTML id attribute.
- *
- * WARNING: unlike escapeId(), the output of this function is not guaranteed to be HTML safe,
- * be sure to use proper escaping.
- *
- * @param string $id String to escape
- * @param int $mode One of ID_* constants, specifying whether the primary or fallback encoding
- * should be used.
- * @return string|bool Escaped ID or false if fallback encoding is requested but it's not
- * configured.
- *
- * @since 1.30
- */
- public static function escapeIdForAttribute( $id, $mode = self::ID_PRIMARY ) {
- global $wgFragmentMode;
-
- if ( !isset( $wgFragmentMode[$mode] ) ) {
- if ( $mode === self::ID_PRIMARY ) {
- throw new UnexpectedValueException( '$wgFragmentMode is configured with no primary mode' );
- }
- return false;
- }
-
- $internalMode = $wgFragmentMode[$mode];
-
- return self::escapeIdInternal( $id, $internalMode );
- }
-
- /**
- * Given a section name or other user-generated or otherwise unsafe string, escapes it to be
- * a valid URL fragment.
- *
- * WARNING: unlike escapeId(), the output of this function is not guaranteed to be HTML safe,
- * be sure to use proper escaping.
- *
- * @param string $id String to escape
- * @return string Escaped ID
- *
- * @since 1.30
- */
- public static function escapeIdForLink( $id ) {
- global $wgFragmentMode;
-
- if ( !isset( $wgFragmentMode[self::ID_PRIMARY] ) ) {
- throw new UnexpectedValueException( '$wgFragmentMode is configured with no primary mode' );
- }
-
- $mode = $wgFragmentMode[self::ID_PRIMARY];
-
- $id = self::escapeIdInternal( $id, $mode );
-
- return $id;
- }
-
- /**
- * Given a section name or other user-generated or otherwise unsafe string, escapes it to be
- * a valid URL fragment for external interwikis.
- *
- * @param string $id String to escape
- * @return string Escaped ID
- *
- * @since 1.30
- */
- public static function escapeIdForExternalInterwiki( $id ) {
- global $wgExternalInterwikiFragmentMode;
-
- $id = self::escapeIdInternal( $id, $wgExternalInterwikiFragmentMode );
-
- return $id;
- }
-
- /**
- * Helper for escapeIdFor*() functions. Performs most of the actual escaping.
- *
- * @param string $id String to escape
- * @param string $mode One of modes from $wgFragmentMode
- * @return string
- */
- private static function escapeIdInternal( $id, $mode ) {
- switch ( $mode ) {
- case 'html5':
- $id = str_replace( ' ', '_', $id );
- break;
- case 'legacy':
- // This corresponds to 'noninitial' mode of the old escapeId()
- static $replace = [
- '%3A' => ':',
- '%' => '.'
- ];
-
- $id = urlencode( str_replace( ' ', '_', $id ) );
- $id = strtr( $id, $replace );
- break;
- case 'html5-legacy':
- $id = preg_replace( '/[ \t\n\r\f_\'"&#%]+/', '_', $id );
- $id = trim( $id, '_' );
- if ( $id === '' ) {
- // Must have been all whitespace to start with.
- $id = '_';
- }
- break;
- default:
- throw new InvalidArgumentException( "Invalid mode '$mode' passed to '" . __METHOD__ );
- }
-
- return $id;
- }
-
- /**
- * Given a string containing a space delimited list of ids, escape each id
- * to match ids escaped by the escapeId() function.
- *
- * @todo remove $options completely in 1.32
- *
- * @since 1.27
- *
- * @param string $referenceString Space delimited list of ids
- * @param string|array $options Deprecated and does nothing.
- * @return string
- */
- static function escapeIdReferenceList( $referenceString, $options = [] ) {
- if ( $options ) {
- wfDeprecated( __METHOD__ . ' with $options', '1.31' );
- }
- # Explode the space delimited list string into an array of tokens
- $references = preg_split( '/\s+/', "{$referenceString}", -1, PREG_SPLIT_NO_EMPTY );
-
- # Escape each token as an id
- foreach ( $references as &$ref ) {
- $ref = self::escapeIdForAttribute( $ref );
- }
-
- # Merge the array back to a space delimited list string
- # If the array is empty, the result will be an empty string ('')
- $referenceString = implode( ' ', $references );
-
- return $referenceString;
- }
-
- /**
- * Given a value, escape it so that it can be used as a CSS class and
- * return it.
- *
- * @todo For extra validity, input should be validated UTF-8.
- *
- * @see https://www.w3.org/TR/CSS21/syndata.html Valid characters/format
- *
- * @param string $class
- * @return string
- */
- static function escapeClass( $class ) {
- // Convert ugly stuff to underscores and kill underscores in ugly places
- return rtrim( preg_replace(
- [ '/(^[0-9\\-])|[\\x00-\\x20!"#$%&\'()*+,.\\/:;<=>?@[\\]^`{|}~]|\\xC2\\xA0/', '/_+/' ],
- '_',
- $class ), '_' );
- }
-
- /**
- * Given HTML input, escape with htmlspecialchars but un-escape entities.
- * This allows (generally harmless) entities like   to survive.
- *
- * @param string $html HTML to escape
- * @return string Escaped input
- */
- static function escapeHtmlAllowEntities( $html ) {
- $html = self::decodeCharReferences( $html );
- # It seems wise to escape ' as well as ", as a matter of course. Can't
- # hurt. Use ENT_SUBSTITUTE so that incorrectly truncated multibyte characters
- # don't cause the entire string to disappear.
- $html = htmlspecialchars( $html, ENT_QUOTES | ENT_SUBSTITUTE );
- return $html;
- }
-
- /**
- * Regex replace callback for armoring links against further processing.
- * @param array $matches
- * @return string
- */
- private static function armorLinksCallback( $matches ) {
- return str_replace( ':', ':', $matches[1] );
- }
-
- /**
- * Return an associative array of attribute names and values from
- * a partial tag string. Attribute names are forced to lowercase,
- * character references are decoded to UTF-8 text.
- *
- * @param string $text
- * @return array
- */
- public static function decodeTagAttributes( $text ) {
- if ( trim( $text ) == '' ) {
- return [];
- }
-
- $attribs = [];
- $pairs = [];
- if ( !preg_match_all(
- self::getAttribsRegex(),
- $text,
- $pairs,
- PREG_SET_ORDER ) ) {
- return $attribs;
- }
-
- foreach ( $pairs as $set ) {
- $attribute = strtolower( $set[1] );
- $value = self::getTagAttributeCallback( $set );
-
- // Normalize whitespace
- $value = preg_replace( '/[\t\r\n ]+/', ' ', $value );
- $value = trim( $value );
-
- // Decode character references
- $attribs[$attribute] = self::decodeCharReferences( $value );
- }
- return $attribs;
- }
-
- /**
- * Build a partial tag string from an associative array of attribute
- * names and values as returned by decodeTagAttributes.
- *
- * @param array $assoc_array
- * @return string
- */
- public static function safeEncodeTagAttributes( $assoc_array ) {
- $attribs = [];
- foreach ( $assoc_array as $attribute => $value ) {
- $encAttribute = htmlspecialchars( $attribute );
- $encValue = self::safeEncodeAttribute( $value );
-
- $attribs[] = "$encAttribute=\"$encValue\"";
- }
- return count( $attribs ) ? ' ' . implode( ' ', $attribs ) : '';
- }
-
- /**
- * Pick the appropriate attribute value from a match set from the
- * attribs regex matches.
- *
- * @param array $set
- * @throws MWException When tag conditions are not met.
- * @return string
- */
- private static function getTagAttributeCallback( $set ) {
- if ( isset( $set[5] ) ) {
- # No quotes.
- return $set[5];
- } elseif ( isset( $set[4] ) ) {
- # Single-quoted
- return $set[4];
- } elseif ( isset( $set[3] ) ) {
- # Double-quoted
- return $set[3];
- } elseif ( !isset( $set[2] ) ) {
- # In XHTML, attributes must have a value so return an empty string.
- # See "Empty attribute syntax",
- # https://www.w3.org/TR/html5/syntax.html#syntax-attribute-name
- return "";
- } else {
- throw new MWException( "Tag conditions not met. This should never happen and is a bug." );
- }
- }
-
- /**
- * @param string $text
- * @return string
- */
- private static function normalizeWhitespace( $text ) {
- return preg_replace(
- '/\r\n|[\x20\x0d\x0a\x09]/',
- ' ',
- $text );
- }
-
- /**
- * Normalizes whitespace in a section name, such as might be returned
- * by Parser::stripSectionName(), for use in the id's that are used for
- * section links.
- *
- * @param string $section
- * @return string
- */
- static function normalizeSectionNameWhitespace( $section ) {
- return trim( preg_replace( '/[ _]+/', ' ', $section ) );
- }
-
- /**
- * Ensure that any entities and character references are legal
- * for XML and XHTML specifically. Any stray bits will be
- * &-escaped to result in a valid text fragment.
- *
- * a. named char refs can only be < > & ", others are
- * numericized (this way we're well-formed even without a DTD)
- * b. any numeric char refs must be legal chars, not invalid or forbidden
- * c. use lower cased "&#x", not "&#X"
- * d. fix or reject non-valid attributes
- *
- * @param string $text
- * @return string
- * @private
- */
- static function normalizeCharReferences( $text ) {
- return preg_replace_callback(
- self::CHAR_REFS_REGEX,
- [ 'Sanitizer', 'normalizeCharReferencesCallback' ],
- $text );
- }
-
- /**
- * @param string $matches
- * @return string
- */
- static function normalizeCharReferencesCallback( $matches ) {
- $ret = null;
- if ( $matches[1] != '' ) {
- $ret = self::normalizeEntity( $matches[1] );
- } elseif ( $matches[2] != '' ) {
- $ret = self::decCharReference( $matches[2] );
- } elseif ( $matches[3] != '' ) {
- $ret = self::hexCharReference( $matches[3] );
- }
- if ( is_null( $ret ) ) {
- return htmlspecialchars( $matches[0] );
- } else {
- return $ret;
- }
- }
-
- /**
- * If the named entity is defined in the HTML 4.0/XHTML 1.0 DTD,
- * return the equivalent numeric entity reference (except for the core <
- * > & "). If the entity is a MediaWiki-specific alias, returns
- * the HTML equivalent. Otherwise, returns HTML-escaped text of
- * pseudo-entity source (eg &foo;)
- *
- * @param string $name
- * @return string
- */
- static function normalizeEntity( $name ) {
- if ( isset( self::$htmlEntityAliases[$name] ) ) {
- return '&' . self::$htmlEntityAliases[$name] . ';';
- } elseif ( in_array( $name, [ 'lt', 'gt', 'amp', 'quot' ] ) ) {
- return "&$name;";
- } elseif ( isset( self::$htmlEntities[$name] ) ) {
- return '&#' . self::$htmlEntities[$name] . ';';
- } else {
- return "&$name;";
- }
- }
-
- /**
- * @param int $codepoint
- * @return null|string
- */
- static function decCharReference( $codepoint ) {
- $point = intval( $codepoint );
- if ( self::validateCodepoint( $point ) ) {
- return sprintf( '&#%d;', $point );
- } else {
- return null;
- }
- }
-
- /**
- * @param int $codepoint
- * @return null|string
- */
- static function hexCharReference( $codepoint ) {
- $point = hexdec( $codepoint );
- if ( self::validateCodepoint( $point ) ) {
- return sprintf( '&#x%x;', $point );
- } else {
- return null;
- }
- }
-
- /**
- * Returns true if a given Unicode codepoint is a valid character in
- * both HTML5 and XML.
- * @param int $codepoint
- * @return bool
- */
- private static function validateCodepoint( $codepoint ) {
- # U+000C is valid in HTML5 but not allowed in XML.
- # U+000D is valid in XML but not allowed in HTML5.
- # U+007F - U+009F are disallowed in HTML5 (control characters).
- return $codepoint == 0x09
- || $codepoint == 0x0a
- || ( $codepoint >= 0x20 && $codepoint <= 0x7e )
- || ( $codepoint >= 0xa0 && $codepoint <= 0xd7ff )
- || ( $codepoint >= 0xe000 && $codepoint <= 0xfffd )
- || ( $codepoint >= 0x10000 && $codepoint <= 0x10ffff );
- }
-
- /**
- * Decode any character references, numeric or named entities,
- * in the text and return a UTF-8 string.
- *
- * @param string $text
- * @return string
- */
- public static function decodeCharReferences( $text ) {
- return preg_replace_callback(
- self::CHAR_REFS_REGEX,
- [ 'Sanitizer', 'decodeCharReferencesCallback' ],
- $text );
- }
-
- /**
- * Decode any character references, numeric or named entities,
- * in the next and normalize the resulting string. (T16952)
- *
- * This is useful for page titles, not for text to be displayed,
- * MediaWiki allows HTML entities to escape normalization as a feature.
- *
- * @param string $text Already normalized, containing entities
- * @return string Still normalized, without entities
- */
- public static function decodeCharReferencesAndNormalize( $text ) {
- global $wgContLang;
- $text = preg_replace_callback(
- self::CHAR_REFS_REGEX,
- [ 'Sanitizer', 'decodeCharReferencesCallback' ],
- $text,
- -1, //limit
- $count
- );
-
- if ( $count ) {
- return $wgContLang->normalize( $text );
- } else {
- return $text;
- }
- }
-
- /**
- * @param string $matches
- * @return string
- */
- static function decodeCharReferencesCallback( $matches ) {
- if ( $matches[1] != '' ) {
- return self::decodeEntity( $matches[1] );
- } elseif ( $matches[2] != '' ) {
- return self::decodeChar( intval( $matches[2] ) );
- } elseif ( $matches[3] != '' ) {
- return self::decodeChar( hexdec( $matches[3] ) );
- }
- # Last case should be an ampersand by itself
- return $matches[0];
- }
-
- /**
- * Return UTF-8 string for a codepoint if that is a valid
- * character reference, otherwise U+FFFD REPLACEMENT CHARACTER.
- * @param int $codepoint
- * @return string
- * @private
- */
- static function decodeChar( $codepoint ) {
- if ( self::validateCodepoint( $codepoint ) ) {
- return UtfNormal\Utils::codepointToUtf8( $codepoint );
- } else {
- return UtfNormal\Constants::UTF8_REPLACEMENT;
- }
- }
-
- /**
- * If the named entity is defined in the HTML 4.0/XHTML 1.0 DTD,
- * return the UTF-8 encoding of that character. Otherwise, returns
- * pseudo-entity source (eg "&foo;")
- *
- * @param string $name
- * @return string
- */
- static function decodeEntity( $name ) {
- if ( isset( self::$htmlEntityAliases[$name] ) ) {
- $name = self::$htmlEntityAliases[$name];
- }
- if ( isset( self::$htmlEntities[$name] ) ) {
- return UtfNormal\Utils::codepointToUtf8( self::$htmlEntities[$name] );
- } else {
- return "&$name;";
- }
- }
-
- /**
- * Fetch the whitelist of acceptable attributes for a given element name.
- *
- * @param string $element
- * @return array
- */
- static function attributeWhitelist( $element ) {
- $list = self::setupAttributeWhitelist();
- return isset( $list[$element] )
- ? $list[$element]
- : [];
- }
-
- /**
- * Foreach array key (an allowed HTML element), return an array
- * of allowed attributes
- * @return array
- */
- static function setupAttributeWhitelist() {
- static $whitelist;
-
- if ( $whitelist !== null ) {
- return $whitelist;
- }
-
- $common = [
- # HTML
- 'id',
- 'class',
- 'style',
- 'lang',
- 'dir',
- 'title',
-
- # WAI-ARIA
- 'aria-describedby',
- 'aria-flowto',
- 'aria-label',
- 'aria-labelledby',
- 'aria-owns',
- 'role',
-
- # RDFa
- # These attributes are specified in section 9 of
- # https://www.w3.org/TR/2008/REC-rdfa-syntax-20081014
- 'about',
- 'property',
- 'resource',
- 'datatype',
- 'typeof',
-
- # Microdata. These are specified by
- # https://html.spec.whatwg.org/multipage/microdata.html#the-microdata-model
- 'itemid',
- 'itemprop',
- 'itemref',
- 'itemscope',
- 'itemtype',
- ];
-
- $block = array_merge( $common, [ 'align' ] );
- $tablealign = [ 'align', 'valign' ];
- $tablecell = [
- 'abbr',
- 'axis',
- 'headers',
- 'scope',
- 'rowspan',
- 'colspan',
- 'nowrap', # deprecated
- 'width', # deprecated
- 'height', # deprecated
- 'bgcolor', # deprecated
- ];
-
- # Numbers refer to sections in HTML 4.01 standard describing the element.
- # See: https://www.w3.org/TR/html4/
- $whitelist = [
- # 7.5.4
- 'div' => $block,
- 'center' => $common, # deprecated
- 'span' => $common,
-
- # 7.5.5
- 'h1' => $block,
- 'h2' => $block,
- 'h3' => $block,
- 'h4' => $block,
- 'h5' => $block,
- 'h6' => $block,
-
- # 7.5.6
- # address
-
- # 8.2.4
- 'bdo' => $common,
-
- # 9.2.1
- 'em' => $common,
- 'strong' => $common,
- 'cite' => $common,
- 'dfn' => $common,
- 'code' => $common,
- 'samp' => $common,
- 'kbd' => $common,
- 'var' => $common,
- 'abbr' => $common,
- # acronym
-
- # 9.2.2
- 'blockquote' => array_merge( $common, [ 'cite' ] ),
- 'q' => array_merge( $common, [ 'cite' ] ),
-
- # 9.2.3
- 'sub' => $common,
- 'sup' => $common,
-
- # 9.3.1
- 'p' => $block,
-
- # 9.3.2
- 'br' => array_merge( $common, [ 'clear' ] ),
-
- # https://www.w3.org/TR/html5/text-level-semantics.html#the-wbr-element
- 'wbr' => $common,
-
- # 9.3.4
- 'pre' => array_merge( $common, [ 'width' ] ),
-
- # 9.4
- 'ins' => array_merge( $common, [ 'cite', 'datetime' ] ),
- 'del' => array_merge( $common, [ 'cite', 'datetime' ] ),
-
- # 10.2
- 'ul' => array_merge( $common, [ 'type' ] ),
- 'ol' => array_merge( $common, [ 'type', 'start', 'reversed' ] ),
- 'li' => array_merge( $common, [ 'type', 'value' ] ),
-
- # 10.3
- 'dl' => $common,
- 'dd' => $common,
- 'dt' => $common,
-
- # 11.2.1
- 'table' => array_merge( $common,
- [ 'summary', 'width', 'border', 'frame',
- 'rules', 'cellspacing', 'cellpadding',
- 'align', 'bgcolor',
- ] ),
-
- # 11.2.2
- 'caption' => $block,
-
- # 11.2.3
- 'thead' => $common,
- 'tfoot' => $common,
- 'tbody' => $common,
-
- # 11.2.4
- 'colgroup' => array_merge( $common, [ 'span' ] ),
- 'col' => array_merge( $common, [ 'span' ] ),
-
- # 11.2.5
- 'tr' => array_merge( $common, [ 'bgcolor' ], $tablealign ),
-
- # 11.2.6
- 'td' => array_merge( $common, $tablecell, $tablealign ),
- 'th' => array_merge( $common, $tablecell, $tablealign ),
-
- # 12.2
- # NOTE: <a> is not allowed directly, but the attrib
- # whitelist is used from the Parser object
- 'a' => array_merge( $common, [ 'href', 'rel', 'rev' ] ), # rel/rev esp. for RDFa
-
- # 13.2
- # Not usually allowed, but may be used for extension-style hooks
- # such as <math> when it is rasterized, or if $wgAllowImageTag is
- # true
- 'img' => array_merge( $common, [ 'alt', 'src', 'width', 'height', 'srcset' ] ),
-
- 'video' => array_merge( $common, [ 'poster', 'controls', 'preload', 'width', 'height' ] ),
- 'source' => array_merge( $common, [ 'type', 'src' ] ),
- 'track' => array_merge( $common, [ 'type', 'src', 'srclang', 'kind', 'label' ] ),
-
- # 15.2.1
- 'tt' => $common,
- 'b' => $common,
- 'i' => $common,
- 'big' => $common,
- 'small' => $common,
- 'strike' => $common,
- 's' => $common,
- 'u' => $common,
-
- # 15.2.2
- 'font' => array_merge( $common, [ 'size', 'color', 'face' ] ),
- # basefont
-
- # 15.3
- 'hr' => array_merge( $common, [ 'width' ] ),
-
- # HTML Ruby annotation text module, simple ruby only.
- # https://www.w3.org/TR/html5/text-level-semantics.html#the-ruby-element
- 'ruby' => $common,
- # rbc
- 'rb' => $common,
- 'rp' => $common,
- 'rt' => $common, # array_merge( $common, array( 'rbspan' ) ),
- 'rtc' => $common,
-
- # MathML root element, where used for extensions
- # 'title' may not be 100% valid here; it's XHTML
- # https://www.w3.org/TR/REC-MathML/
- 'math' => [ 'class', 'style', 'id', 'title' ],
-
- // HTML 5 section 4.5
- 'figure' => $common,
- 'figcaption' => $common,
-
- # HTML 5 section 4.6
- 'bdi' => $common,
-
- # HTML5 elements, defined by:
- # https://html.spec.whatwg.org/multipage/semantics.html#the-data-element
- 'data' => array_merge( $common, [ 'value' ] ),
- 'time' => array_merge( $common, [ 'datetime' ] ),
- 'mark' => $common,
-
- // meta and link are only permitted by removeHTMLtags when Microdata
- // is enabled so we don't bother adding a conditional to hide these
- // Also meta and link are only valid in WikiText as Microdata elements
- // (ie: validateTag rejects tags missing the attributes needed for Microdata)
- // So we don't bother including $common attributes that have no purpose.
- 'meta' => [ 'itemprop', 'content' ],
- 'link' => [ 'itemprop', 'href', 'title' ],
- ];
-
- return $whitelist;
- }
-
- /**
- * Take a fragment of (potentially invalid) HTML and return
- * a version with any tags removed, encoded as plain text.
- *
- * Warning: this return value must be further escaped for literal
- * inclusion in HTML output as of 1.10!
- *
- * @param string $text HTML fragment
- * @return string
- */
- static function stripAllTags( $text ) {
- # Actual <tags>
- $text = StringUtils::delimiterReplace( '<', '>', '', $text );
-
- # Normalize &entities and whitespace
- $text = self::decodeCharReferences( $text );
- $text = self::normalizeWhitespace( $text );
-
- return $text;
- }
-
- /**
- * Hack up a private DOCTYPE with HTML's standard entity declarations.
- * PHP 4 seemed to know these if you gave it an HTML doctype, but
- * PHP 5.1 doesn't.
- *
- * Use for passing XHTML fragments to PHP's XML parsing functions
- *
- * @return string
- */
- static function hackDocType() {
- $out = "<!DOCTYPE html [\n";
- foreach ( self::$htmlEntities as $entity => $codepoint ) {
- $out .= "<!ENTITY $entity \"&#$codepoint;\">";
- }
- $out .= "]>\n";
- return $out;
- }
-
- /**
- * @param string $url
- * @return mixed|string
- */
- static function cleanUrl( $url ) {
- # Normalize any HTML entities in input. They will be
- # re-escaped by makeExternalLink().
- $url = self::decodeCharReferences( $url );
-
- # Escape any control characters introduced by the above step
- $url = preg_replace_callback( '/[\][<>"\\x00-\\x20\\x7F\|]/',
- [ __CLASS__, 'cleanUrlCallback' ], $url );
-
- # Validate hostname portion
- $matches = [];
- if ( preg_match( '!^([^:]+:)(//[^/]+)?(.*)$!iD', $url, $matches ) ) {
- list( /* $whole */, $protocol, $host, $rest ) = $matches;
-
- // Characters that will be ignored in IDNs.
- // https://tools.ietf.org/html/rfc3454#section-3.1
- // Strip them before further processing so blacklists and such work.
- $strip = "/
- \\s| # general whitespace
- \xc2\xad| # 00ad SOFT HYPHEN
- \xe1\xa0\x86| # 1806 MONGOLIAN TODO SOFT HYPHEN
- \xe2\x80\x8b| # 200b ZERO WIDTH SPACE
- \xe2\x81\xa0| # 2060 WORD JOINER
- \xef\xbb\xbf| # feff ZERO WIDTH NO-BREAK SPACE
- \xcd\x8f| # 034f COMBINING GRAPHEME JOINER
- \xe1\xa0\x8b| # 180b MONGOLIAN FREE VARIATION SELECTOR ONE
- \xe1\xa0\x8c| # 180c MONGOLIAN FREE VARIATION SELECTOR TWO
- \xe1\xa0\x8d| # 180d MONGOLIAN FREE VARIATION SELECTOR THREE
- \xe2\x80\x8c| # 200c ZERO WIDTH NON-JOINER
- \xe2\x80\x8d| # 200d ZERO WIDTH JOINER
- [\xef\xb8\x80-\xef\xb8\x8f] # fe00-fe0f VARIATION SELECTOR-1-16
- /xuD";
-
- $host = preg_replace( $strip, '', $host );
-
- // IPv6 host names are bracketed with []. Url-decode these.
- if ( substr_compare( "//%5B", $host, 0, 5 ) === 0 &&
- preg_match( '!^//%5B([0-9A-Fa-f:.]+)%5D((:\d+)?)$!', $host, $matches )
- ) {
- $host = '//[' . $matches[1] . ']' . $matches[2];
- }
-
- // @todo FIXME: Validate hostnames here
-
- return $protocol . $host . $rest;
- } else {
- return $url;
- }
- }
-
- /**
- * @param array $matches
- * @return string
- */
- static function cleanUrlCallback( $matches ) {
- return urlencode( $matches[0] );
- }
-
- /**
- * Does a string look like an e-mail address?
- *
- * This validates an email address using an HTML5 specification found at:
- * http://www.whatwg.org/html/states-of-the-type-attribute.html#valid-e-mail-address
- * Which as of 2011-01-24 says:
- *
- * A valid e-mail address is a string that matches the ABNF production
- * 1*( atext / "." ) "@" ldh-str *( "." ldh-str ) where atext is defined
- * in RFC 5322 section 3.2.3, and ldh-str is defined in RFC 1034 section
- * 3.5.
- *
- * This function is an implementation of the specification as requested in
- * T24449.
- *
- * Client-side forms will use the same standard validation rules via JS or
- * HTML 5 validation; additional restrictions can be enforced server-side
- * by extensions via the 'isValidEmailAddr' hook.
- *
- * Note that this validation doesn't 100% match RFC 2822, but is believed
- * to be liberal enough for wide use. Some invalid addresses will still
- * pass validation here.
- *
- * @since 1.18
- *
- * @param string $addr E-mail address
- * @return bool
- */
- public static function validateEmail( $addr ) {
- $result = null;
- if ( !Hooks::run( 'isValidEmailAddr', [ $addr, &$result ] ) ) {
- return $result;
- }
-
- // Please note strings below are enclosed in brackets [], this make the
- // hyphen "-" a range indicator. Hence it is double backslashed below.
- // See T28948
- $rfc5322_atext = "a-z0-9!#$%&'*+\\-\/=?^_`{|}~";
- $rfc1034_ldh_str = "a-z0-9\\-";
-
- $html5_email_regexp = "/
- ^ # start of string
- [$rfc5322_atext\\.]+ # user part which is liberal :p
- @ # 'apostrophe'
- [$rfc1034_ldh_str]+ # First domain part
- (\\.[$rfc1034_ldh_str]+)* # Following part prefixed with a dot
- $ # End of string
- /ix"; // case Insensitive, eXtended
-
- return (bool)preg_match( $html5_email_regexp, $addr );
- }
-}
} else {
$type = 'NULL'; // allow everything
}
+ }
- if ( $type == 'password' || !empty( $paramSettings[self::PARAM_SENSITIVE] ) ) {
- $this->getMain()->markParamsSensitive( $encParamName );
- }
+ if ( $type == 'password' || !empty( $paramSettings[self::PARAM_SENSITIVE] ) ) {
+ $this->getMain()->markParamsSensitive( $encParamName );
}
if ( $type == 'boolean' ) {
*/
abstract public function getMimeType();
+ /**
+ * Return a filename for this module's output.
+ * @note If $this->getIsWrappedHtml() || $this->getIsHtml(), you'll very
+ * likely want to fall back to this class's version.
+ * @since 1.27
+ * @return string Generally this should be "api-result.$ext", and must be
+ * encoded for inclusion in a Content-Disposition header's filename parameter.
+ */
+ public function getFilename() {
+ if ( $this->getIsWrappedHtml() ) {
+ return 'api-result-wrapped.json';
+ } elseif ( $this->getIsHtml() ) {
+ return 'api-result.html';
+ } else {
+ $exts = MimeMagic::singleton()->getExtensionsForType( $this->getMimeType() );
+ $ext = $exts ? strtok( $exts, ' ' ) : strtolower( $this->mFormat );
+ return "api-result.$ext";
+ }
+ }
+
/**
* Get the internal format name
* @return string
if ( $apiFrameOptions ) {
$this->getMain()->getRequest()->response()->header( "X-Frame-Options: $apiFrameOptions" );
}
+
+ // Set a Content-Disposition header so something downloading an API
+ // response uses a halfway-sensible filename (T128209).
+ $filename = $this->getFilename();
+ $this->getMain()->getRequest()->response()->header(
+ "Content-Disposition: inline; filename=\"{$filename}\""
+ );
}
/**
return $data['mime'];
}
+ public function getFilename() {
+ $data = $this->getResult()->getResultData();
+ if ( isset( $data['error'] ) ) {
+ return $this->errorFallback->getFilename();
+ } elseif ( !isset( $data['filename'] ) || $this->getIsWrappedHtml() || $this->getIsHtml() ) {
+ return parent::getFilename();
+ } else {
+ return $data['filename'];
+ }
+ }
+
public function initPrinter( $unused = false ) {
$data = $this->getResult()->getResultData();
if ( isset( $data['error'] ) || isset( $data['errors'] ) ) {
if ( $params['wrap'] ) {
$data = [
'mime' => 'text/html',
+ 'filename' => 'api-help.html',
'help' => $html,
];
ApiResult::setSubelementsList( $data, 'help' );
$result->reset();
$result->addValue( null, 'text', $html, ApiResult::NO_SIZE_CHECK );
$result->addValue( null, 'mime', 'text/html', ApiResult::NO_SIZE_CHECK );
+ $result->addValue( null, 'filename', 'api-help.html', ApiResult::NO_SIZE_CHECK );
}
}
$session = $status->getValue();
$authRes = 'Success';
$loginType = 'BotPassword';
- } elseif ( !$botLoginData[2] ) {
+ } elseif ( !$botLoginData[2] || $status->hasMessage( 'login-throttled' ) ) {
$authRes = 'Failed';
$message = $status->getMessage();
LoggerFactory::getInstance( 'authentication' )->info(
// Raw formatter will handle this
$result->addValue( null, 'text', $sink, ApiResult::NO_SIZE_CHECK );
$result->addValue( null, 'mime', 'text/xml', ApiResult::NO_SIZE_CHECK );
+ $result->addValue( null, 'filename', 'export.xml', ApiResult::NO_SIZE_CHECK );
} else {
$result->addValue( 'query', 'export', $sink, ApiResult::NO_SIZE_CHECK );
$result->addValue( 'query', ApiResult::META_BC_SUBELEMENTS, [ 'export' ] );
__METHOD__
);
if ( !$row ) {
- return AuthenticationResponse::newAbstain();
+ // Do not reveal whether its bad username or
+ // bad password to prevent username enumeration
+ // on private wikis. (T134100)
+ return $this->failResponse( $req );
}
$oldRow = clone $row;
--- /dev/null
+<?php
+/**
+ * Copyright (C) 2017 Kunal Mehta <legoktm@member.fsf.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ */
+
+/**
+ * Creates a .htaccess in the vendor/ directory
+ * to prevent web access.
+ *
+ * This class runs *outside* of the normal MediaWiki
+ * environment and cannot depend upon any MediaWiki
+ * code.
+ */
+class ComposerVendorHtaccessCreator {
+
+ /**
+ * Handle post-install-cmd and post-update-cmd hooks
+ */
+ public static function onEvent() {
+ $fname = dirname( dirname( __DIR__ ) ) . "/vendor/.htaccess";
+ if ( file_exists( $fname ) ) {
+ // Already exists
+ return;
+ }
+
+ file_put_contents( $fname, "Deny from all\n" );
+ }
+}
$logId = WebRequest::getRequestId();
$type = static::class;
return Html::errorBox(
- '[' . $logId . '] ' .
- gmdate( 'Y-m-d H:i:s' ) . ": " .
- $this->msg( "internalerror-fatal-exception",
- "Fatal exception of type $1",
- $type,
- $logId,
- MWExceptionHandler::getURL( $this )
+ htmlspecialchars(
+ '[' . $logId . '] ' .
+ gmdate( 'Y-m-d H:i:s' ) . ": " .
+ $this->msg( "internalerror-fatal-exception",
+ "Fatal exception of type $1",
+ $type,
+ $logId,
+ MWExceptionHandler::getURL( $this )
+ )
) ) .
"<!-- Set \$wgShowExceptionDetails = true; " .
"at the bottom of LocalSettings.php to show detailed " .
// Show any custom GUI message before the details
if ( $e instanceof MessageSpecifier ) {
- $wgOut->addHTML( Message::newFromSpecifier( $e )->escaped() );
+ $wgOut->addHTML( Html::element( 'p', [], Message::newFromSpecifier( $e )->text() ) );
}
$wgOut->addHTML( self::getHTML( $e ) );
} else {
$logId = WebRequest::getRequestId();
$html = "<div class=\"errorbox mw-content-ltr\">" .
- '[' . $logId . '] ' .
- gmdate( 'Y-m-d H:i:s' ) . ": " .
- self::msg( "internalerror-fatal-exception",
- "Fatal exception of type $1",
- get_class( $e ),
- $logId,
- MWExceptionHandler::getURL()
- ) . "</div>\n" .
+ htmlspecialchars(
+ '[' . $logId . '] ' .
+ gmdate( 'Y-m-d H:i:s' ) . ": " .
+ self::msg( "internalerror-fatal-exception",
+ "Fatal exception of type $1",
+ get_class( $e ),
+ $logId,
+ MWExceptionHandler::getURL()
+ ) ) . "</div>\n" .
"<!-- " . wordwrap( self::getShowBacktraceError( $e ), 50 ) . " -->";
}
}
}
+ /**
+ * Get the language code from the available languages for this file that matches the language
+ * requested by the user
+ *
+ * @param string $userPreferredLanguage
+ * @return string|null
+ */
+ public function getMatchedLanguage( $userPreferredLanguage ) {
+ $handler = $this->getHandler();
+ if ( $handler && method_exists( $handler, 'getMatchedLanguage' ) ) {
+ return $handler->getMatchedLanguage(
+ $userPreferredLanguage,
+ $handler->getAvailableLanguages( $this )
+ );
+ } else {
+ return null;
+ }
+ }
+
/**
* In files that support multiple language, what is the default language
* to use if none specified.
"config-email-settings": "Configuración de correo electrónico",
"config-enable-email": "Activar el envío de correos electrónicos",
"config-enable-email-help": "Si quieres que el correo electrónico funcione, la [http://www.php.net/manual/en/mail.configuration.php configuración PHP de correo electrónico] debe ser la correcta.\nSi no quieres la funcionalidad de correo electrónico, puedes desactivarla aquí.",
- "config-email-user": "Habilitar correo electrónico entre usuarios",
+ "config-email-user": "Activar correo electrónico entre usuarios",
"config-email-user-help": "Permitir que todos los usuarios intercambien correos electrónicos si lo han activado en sus preferencias.",
"config-email-usertalk": "Activar notificaciones de páginas de discusión de usuarios",
"config-email-usertalk-help": "Permitir a los usuarios recibir notificaciones de cambios en la página de discusión de usuario, si lo han activado en sus preferencias.",
if ( isset( $metadata['translations'] ) ) {
foreach ( $metadata['translations'] as $lang => $langType ) {
if ( $langType === SVGReader::LANG_FULL_MATCH ) {
- $langList[] = $lang;
+ $langList[] = strtolower( $lang );
}
}
}
}
- return $langList;
+ return array_unique( $langList );
}
/**
- * What language to render file in if none selected.
+ * SVG's systemLanguage matching rules state:
+ * 'The `systemLanguage` attribute ... [e]valuates to "true" if one of the languages indicated
+ * by user preferences exactly equals one of the languages given in the value of this parameter,
+ * or if one of the languages indicated by user preferences exactly equals a prefix of one of
+ * the languages given in the value of this parameter such that the first tag character
+ * following the prefix is "-".'
*
- * @param File $file
- * @return string Language code.
+ * Return the first element of $svgLanguages that matches $userPreferredLanguage
+ *
+ * @see https://www.w3.org/TR/SVG/struct.html#SystemLanguageAttribute
+ * @param string $userPreferredLanguage
+ * @param array $svgLanguages
+ * @return string|null
+ */
+ public function getMatchedLanguage( $userPreferredLanguage, array $svgLanguages ) {
+ foreach ( $svgLanguages as $svgLang ) {
+ if ( strcasecmp( $svgLang, $userPreferredLanguage ) === 0 ) {
+ return $svgLang;
+ }
+ $trimmedSvgLang = $svgLang;
+ while ( strpos( $trimmedSvgLang, '-' ) !== false ) {
+ $trimmedSvgLang = substr( $trimmedSvgLang, 0, strrpos( $trimmedSvgLang, '-' ) );
+ if ( strcasecmp( $trimmedSvgLang, $userPreferredLanguage ) === 0 ) {
+ return $svgLang;
+ }
+ }
+ }
+ return null;
+ }
+
+ /**
+ * What language to render file in if none selected
+ *
+ * @param File $file Language code
+ * @return string
*/
public function getDefaultRenderLanguage( File $file ) {
return 'en';
return ( $value > 0 );
} elseif ( $name == 'lang' ) {
// Validate $code
- if ( $value === '' || !Language::isValidBuiltInCode( $value ) ) {
+ if ( $value === '' || !Language::isValidCode( $value ) ) {
wfDebug( "Invalid user language code\n" );
return false;
public function makeParamString( $params ) {
$lang = '';
if ( isset( $params['lang'] ) && $params['lang'] !== 'en' ) {
- $params['lang'] = strtolower( $params['lang'] );
- $lang = "lang{$params['lang']}-";
+ $lang = 'lang' . strtolower( $params['lang'] ) . '-';
}
if ( !isset( $params['width'] ) ) {
return false;
public function parseParamString( $str ) {
$m = false;
- if ( preg_match( '/^lang([a-z]+(?:-[a-z]+)*)-(\d+)px$/', $str, $m ) ) {
+ if ( preg_match( '/^lang([a-z]+(?:-[a-z]+)*)-(\d+)px$/i', $str, $m ) ) {
return [ 'width' => array_pop( $m ), 'lang' => $m[1] ];
} elseif ( preg_match( '/^(\d+)px$/', $str, $m ) ) {
return [ 'width' => $m[1], 'lang' => 'en' ];
return parent::getContentObject();
}
+ private function getLanguageForRendering( WebRequest $request, File $file ) {
+ $handler = $this->displayImg->getHandler();
+
+ $requestLanguage = $request->getVal( 'lang' );
+ if ( !is_null( $requestLanguage ) ) {
+ if ( $handler && $handler->validateParam( 'lang', $requestLanguage ) ) {
+ return $requestLanguage;
+ }
+ }
+
+ return $handler->getDefaultRenderLanguage( $this->displayImg );
+ }
+
protected function openShowImage() {
global $wgEnableUploads, $wgSend404Code, $wgSVGMaxSize;
$params = [ 'page' => $page ];
}
- $renderLang = $request->getVal( 'lang' );
+ $renderLang = $this->getLanguageForRendering( $request, $this->displayImg );
if ( !is_null( $renderLang ) ) {
- $handler = $this->displayImg->getHandler();
- if ( $handler && $handler->validateParam( 'lang', $renderLang ) ) {
- $params['lang'] = $renderLang;
- } else {
- $renderLang = null;
- }
+ $params['lang'] = $renderLang;
}
$width_orig = $this->displayImg->getWidth( $page );
$renderLangOptions = $this->displayImg->getAvailableLanguages();
if ( count( $renderLangOptions ) >= 1 ) {
- $currentLanguage = $renderLang;
- $defaultLang = $this->displayImg->getDefaultRenderLanguage();
- if ( is_null( $currentLanguage ) ) {
- $currentLanguage = $defaultLang;
- }
- $out->addHTML( $this->doRenderLangOpt( $renderLangOptions, $currentLanguage, $defaultLang ) );
+ $out->addHTML( $this->doRenderLangOpt( $renderLangOptions, $renderLang ) );
}
// Add cannot animate thumbnail warning
* Output a drop-down box for language options for the file
*
* @param array $langChoices Array of string language codes
- * @param string $curLang Language code file is being viewed in.
- * @param string $defaultLang Language code that image is rendered in by default
+ * @param string $renderLang Language code for the language we want the file to rendered in.
* @return string HTML to insert underneath image.
*/
- protected function doRenderLangOpt( array $langChoices, $curLang, $defaultLang ) {
+ protected function doRenderLangOpt( array $langChoices, $renderLang ) {
global $wgScript;
- sort( $langChoices );
- $curLang = LanguageCode::bcp47( $curLang );
- $defaultLang = LanguageCode::bcp47( $defaultLang );
$opts = '';
- $haveCurrentLang = false;
- $haveDefaultLang = false;
-
- // We make a list of all the language choices in the file.
- // Additionally if the default language to render this file
- // is not included as being in this file (for example, in svgs
- // usually the fallback content is the english content) also
- // include a choice for that. Last of all, if we're viewing
- // the file in a language not on the list, add it as a choice.
+
+ $matchedRenderLang = $this->displayImg->getMatchedLanguage( $renderLang );
+
foreach ( $langChoices as $lang ) {
- $code = LanguageCode::bcp47( $lang );
- $name = Language::fetchLanguageName( $code, $this->getContext()->getLanguage()->getCode() );
- if ( $name !== '' ) {
- $display = $this->getContext()->msg( 'img-lang-opt', $code, $name )->text();
- } else {
- $display = $code;
- }
- $opts .= "\n" . Xml::option( $display, $code, $curLang === $code );
- if ( $curLang === $code ) {
- $haveCurrentLang = true;
- }
- if ( $defaultLang === $code ) {
- $haveDefaultLang = true;
- }
- }
- if ( !$haveDefaultLang ) {
- // Its hard to know if the content is really in the default language, or
- // if its just unmarked content that could be in any language.
- $opts = Xml::option(
- $this->getContext()->msg( 'img-lang-default' )->text(),
- $defaultLang,
- $defaultLang === $curLang
- ) . $opts;
- }
- if ( !$haveCurrentLang && $defaultLang !== $curLang ) {
- $name = Language::fetchLanguageName( $curLang, $this->getContext()->getLanguage()->getCode() );
- if ( $name !== '' ) {
- $display = $this->getContext()->msg( 'img-lang-opt', $curLang, $name )->text();
- } else {
- $display = $curLang;
- }
- $opts = Xml::option( $display, $curLang, true ) . $opts;
+ $opts .= $this->createXmlOptionStringForLanguage(
+ $lang,
+ $matchedRenderLang === $lang
+ );
}
+ // Allow for the default case in an svg <switch> that is displayed if no
+ // systemLanguage attribute matches
+ $opts .= "\n" .
+ Xml::option(
+ $this->getContext()->msg( 'img-lang-default' )->text(),
+ 'und',
+ is_null( $matchedRenderLang )
+ );
+
$select = Html::rawElement(
'select',
[ 'id' => 'mw-imglangselector', 'name' => 'lang' ],
return $langSelectLine;
}
+ /**
+ * @param $lang string
+ * @param $selected bool
+ * @return string
+ */
+ private function createXmlOptionStringForLanguage( $lang, $selected ) {
+ $code = LanguageCode::bcp47( $lang );
+ $name = Language::fetchLanguageName( $code, $this->getContext()->getLanguage()->getCode() );
+ if ( $name !== '' ) {
+ $display = $this->getContext()->msg( 'img-lang-opt', $code, $name )->text();
+ } else {
+ $display = $code;
+ }
+ return "\n" .
+ Xml::option(
+ $display,
+ $lang,
+ $selected
+ );
+ }
+
/**
* Get the width and height to display image at.
*
--- /dev/null
+<?php
+/**
+ * HTML sanitizer for %MediaWiki.
+ *
+ * Copyright © 2002-2005 Brion Vibber <brion@pobox.com> et al
+ * https://www.mediawiki.org/
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ * http://www.gnu.org/copyleft/gpl.html
+ *
+ * @file
+ * @ingroup Parser
+ */
+
+/**
+ * HTML sanitizer for MediaWiki
+ * @ingroup Parser
+ */
+class Sanitizer {
+ /**
+ * Regular expression to match various types of character references in
+ * Sanitizer::normalizeCharReferences and Sanitizer::decodeCharReferences
+ */
+ const CHAR_REFS_REGEX =
+ '/&([A-Za-z0-9\x80-\xff]+);
+ |&\#([0-9]+);
+ |&\#[xX]([0-9A-Fa-f]+);
+ |(&)/x';
+
+ /**
+ * Acceptable tag name charset from HTML5 parsing spec
+ * https://www.w3.org/TR/html5/syntax.html#tag-open-state
+ */
+ const ELEMENT_BITS_REGEX = '!^(/?)([A-Za-z][^\t\n\v />\0]*+)([^>]*?)(/?>)([^<]*)$!';
+
+ /**
+ * Blacklist for evil uris like javascript:
+ * WARNING: DO NOT use this in any place that actually requires blacklisting
+ * for security reasons. There are NUMEROUS[1] ways to bypass blacklisting, the
+ * only way to be secure from javascript: uri based xss vectors is to whitelist
+ * things that you know are safe and deny everything else.
+ * [1]: http://ha.ckers.org/xss.html
+ */
+ const EVIL_URI_PATTERN = '!(^|\s|\*/\s*)(javascript|vbscript)([^\w]|$)!i';
+ const XMLNS_ATTRIBUTE_PATTERN = "/^xmlns:[:A-Z_a-z-.0-9]+$/";
+
+ /**
+ * Tells escapeUrlForHtml() to encode the ID using the wiki's primary encoding.
+ *
+ * @since 1.30
+ */
+ const ID_PRIMARY = 0;
+
+ /**
+ * Tells escapeUrlForHtml() to encode the ID using the fallback encoding, or return false
+ * if no fallback is configured.
+ *
+ * @since 1.30
+ */
+ const ID_FALLBACK = 1;
+
+ /**
+ * List of all named character entities defined in HTML 4.01
+ * https://www.w3.org/TR/html4/sgml/entities.html
+ * As well as ' which is only defined starting in XHTML1.
+ */
+ private static $htmlEntities = [
+ 'Aacute' => 193,
+ 'aacute' => 225,
+ 'Acirc' => 194,
+ 'acirc' => 226,
+ 'acute' => 180,
+ 'AElig' => 198,
+ 'aelig' => 230,
+ 'Agrave' => 192,
+ 'agrave' => 224,
+ 'alefsym' => 8501,
+ 'Alpha' => 913,
+ 'alpha' => 945,
+ 'amp' => 38,
+ 'and' => 8743,
+ 'ang' => 8736,
+ 'apos' => 39, // New in XHTML & HTML 5; avoid in output for compatibility with IE.
+ 'Aring' => 197,
+ 'aring' => 229,
+ 'asymp' => 8776,
+ 'Atilde' => 195,
+ 'atilde' => 227,
+ 'Auml' => 196,
+ 'auml' => 228,
+ 'bdquo' => 8222,
+ 'Beta' => 914,
+ 'beta' => 946,
+ 'brvbar' => 166,
+ 'bull' => 8226,
+ 'cap' => 8745,
+ 'Ccedil' => 199,
+ 'ccedil' => 231,
+ 'cedil' => 184,
+ 'cent' => 162,
+ 'Chi' => 935,
+ 'chi' => 967,
+ 'circ' => 710,
+ 'clubs' => 9827,
+ 'cong' => 8773,
+ 'copy' => 169,
+ 'crarr' => 8629,
+ 'cup' => 8746,
+ 'curren' => 164,
+ 'dagger' => 8224,
+ 'Dagger' => 8225,
+ 'darr' => 8595,
+ 'dArr' => 8659,
+ 'deg' => 176,
+ 'Delta' => 916,
+ 'delta' => 948,
+ 'diams' => 9830,
+ 'divide' => 247,
+ 'Eacute' => 201,
+ 'eacute' => 233,
+ 'Ecirc' => 202,
+ 'ecirc' => 234,
+ 'Egrave' => 200,
+ 'egrave' => 232,
+ 'empty' => 8709,
+ 'emsp' => 8195,
+ 'ensp' => 8194,
+ 'Epsilon' => 917,
+ 'epsilon' => 949,
+ 'equiv' => 8801,
+ 'Eta' => 919,
+ 'eta' => 951,
+ 'ETH' => 208,
+ 'eth' => 240,
+ 'Euml' => 203,
+ 'euml' => 235,
+ 'euro' => 8364,
+ 'exist' => 8707,
+ 'fnof' => 402,
+ 'forall' => 8704,
+ 'frac12' => 189,
+ 'frac14' => 188,
+ 'frac34' => 190,
+ 'frasl' => 8260,
+ 'Gamma' => 915,
+ 'gamma' => 947,
+ 'ge' => 8805,
+ 'gt' => 62,
+ 'harr' => 8596,
+ 'hArr' => 8660,
+ 'hearts' => 9829,
+ 'hellip' => 8230,
+ 'Iacute' => 205,
+ 'iacute' => 237,
+ 'Icirc' => 206,
+ 'icirc' => 238,
+ 'iexcl' => 161,
+ 'Igrave' => 204,
+ 'igrave' => 236,
+ 'image' => 8465,
+ 'infin' => 8734,
+ 'int' => 8747,
+ 'Iota' => 921,
+ 'iota' => 953,
+ 'iquest' => 191,
+ 'isin' => 8712,
+ 'Iuml' => 207,
+ 'iuml' => 239,
+ 'Kappa' => 922,
+ 'kappa' => 954,
+ 'Lambda' => 923,
+ 'lambda' => 955,
+ 'lang' => 9001,
+ 'laquo' => 171,
+ 'larr' => 8592,
+ 'lArr' => 8656,
+ 'lceil' => 8968,
+ 'ldquo' => 8220,
+ 'le' => 8804,
+ 'lfloor' => 8970,
+ 'lowast' => 8727,
+ 'loz' => 9674,
+ 'lrm' => 8206,
+ 'lsaquo' => 8249,
+ 'lsquo' => 8216,
+ 'lt' => 60,
+ 'macr' => 175,
+ 'mdash' => 8212,
+ 'micro' => 181,
+ 'middot' => 183,
+ 'minus' => 8722,
+ 'Mu' => 924,
+ 'mu' => 956,
+ 'nabla' => 8711,
+ 'nbsp' => 160,
+ 'ndash' => 8211,
+ 'ne' => 8800,
+ 'ni' => 8715,
+ 'not' => 172,
+ 'notin' => 8713,
+ 'nsub' => 8836,
+ 'Ntilde' => 209,
+ 'ntilde' => 241,
+ 'Nu' => 925,
+ 'nu' => 957,
+ 'Oacute' => 211,
+ 'oacute' => 243,
+ 'Ocirc' => 212,
+ 'ocirc' => 244,
+ 'OElig' => 338,
+ 'oelig' => 339,
+ 'Ograve' => 210,
+ 'ograve' => 242,
+ 'oline' => 8254,
+ 'Omega' => 937,
+ 'omega' => 969,
+ 'Omicron' => 927,
+ 'omicron' => 959,
+ 'oplus' => 8853,
+ 'or' => 8744,
+ 'ordf' => 170,
+ 'ordm' => 186,
+ 'Oslash' => 216,
+ 'oslash' => 248,
+ 'Otilde' => 213,
+ 'otilde' => 245,
+ 'otimes' => 8855,
+ 'Ouml' => 214,
+ 'ouml' => 246,
+ 'para' => 182,
+ 'part' => 8706,
+ 'permil' => 8240,
+ 'perp' => 8869,
+ 'Phi' => 934,
+ 'phi' => 966,
+ 'Pi' => 928,
+ 'pi' => 960,
+ 'piv' => 982,
+ 'plusmn' => 177,
+ 'pound' => 163,
+ 'prime' => 8242,
+ 'Prime' => 8243,
+ 'prod' => 8719,
+ 'prop' => 8733,
+ 'Psi' => 936,
+ 'psi' => 968,
+ 'quot' => 34,
+ 'radic' => 8730,
+ 'rang' => 9002,
+ 'raquo' => 187,
+ 'rarr' => 8594,
+ 'rArr' => 8658,
+ 'rceil' => 8969,
+ 'rdquo' => 8221,
+ 'real' => 8476,
+ 'reg' => 174,
+ 'rfloor' => 8971,
+ 'Rho' => 929,
+ 'rho' => 961,
+ 'rlm' => 8207,
+ 'rsaquo' => 8250,
+ 'rsquo' => 8217,
+ 'sbquo' => 8218,
+ 'Scaron' => 352,
+ 'scaron' => 353,
+ 'sdot' => 8901,
+ 'sect' => 167,
+ 'shy' => 173,
+ 'Sigma' => 931,
+ 'sigma' => 963,
+ 'sigmaf' => 962,
+ 'sim' => 8764,
+ 'spades' => 9824,
+ 'sub' => 8834,
+ 'sube' => 8838,
+ 'sum' => 8721,
+ 'sup' => 8835,
+ 'sup1' => 185,
+ 'sup2' => 178,
+ 'sup3' => 179,
+ 'supe' => 8839,
+ 'szlig' => 223,
+ 'Tau' => 932,
+ 'tau' => 964,
+ 'there4' => 8756,
+ 'Theta' => 920,
+ 'theta' => 952,
+ 'thetasym' => 977,
+ 'thinsp' => 8201,
+ 'THORN' => 222,
+ 'thorn' => 254,
+ 'tilde' => 732,
+ 'times' => 215,
+ 'trade' => 8482,
+ 'Uacute' => 218,
+ 'uacute' => 250,
+ 'uarr' => 8593,
+ 'uArr' => 8657,
+ 'Ucirc' => 219,
+ 'ucirc' => 251,
+ 'Ugrave' => 217,
+ 'ugrave' => 249,
+ 'uml' => 168,
+ 'upsih' => 978,
+ 'Upsilon' => 933,
+ 'upsilon' => 965,
+ 'Uuml' => 220,
+ 'uuml' => 252,
+ 'weierp' => 8472,
+ 'Xi' => 926,
+ 'xi' => 958,
+ 'Yacute' => 221,
+ 'yacute' => 253,
+ 'yen' => 165,
+ 'Yuml' => 376,
+ 'yuml' => 255,
+ 'Zeta' => 918,
+ 'zeta' => 950,
+ 'zwj' => 8205,
+ 'zwnj' => 8204
+ ];
+
+ /**
+ * Character entity aliases accepted by MediaWiki
+ */
+ private static $htmlEntityAliases = [
+ 'רלמ' => 'rlm',
+ 'رلم' => 'rlm',
+ ];
+
+ /**
+ * Lazy-initialised attributes regex, see getAttribsRegex()
+ */
+ private static $attribsRegex;
+
+ /**
+ * Regular expression to match HTML/XML attribute pairs within a tag.
+ * Allows some... latitude. Based on,
+ * https://www.w3.org/TR/html5/syntax.html#before-attribute-value-state
+ * Used in Sanitizer::fixTagAttributes and Sanitizer::decodeTagAttributes
+ * @return string
+ */
+ static function getAttribsRegex() {
+ if ( self::$attribsRegex === null ) {
+ $attribFirst = "[:_\p{L}\p{N}]";
+ $attrib = "[:_\.\-\p{L}\p{N}]";
+ $space = '[\x09\x0a\x0c\x0d\x20]';
+ self::$attribsRegex =
+ "/(?:^|$space)({$attribFirst}{$attrib}*)
+ ($space*=$space*
+ (?:
+ # The attribute value: quoted or alone
+ \"([^\"]*)(?:\"|\$)
+ | '([^']*)(?:'|\$)
+ | (((?!$space|>).)*)
+ )
+ )?(?=$space|\$)/sxu";
+ }
+ return self::$attribsRegex;
+ }
+
+ /**
+ * Return the various lists of recognized tags
+ * @param array $extratags For any extra tags to include
+ * @param array $removetags For any tags (default or extra) to exclude
+ * @return array
+ */
+ public static function getRecognizedTagData( $extratags = [], $removetags = [] ) {
+ global $wgAllowImageTag;
+
+ static $htmlpairsStatic, $htmlsingle, $htmlsingleonly, $htmlnest, $tabletags,
+ $htmllist, $listtags, $htmlsingleallowed, $htmlelementsStatic, $staticInitialised;
+
+ // Base our staticInitialised variable off of the global config state so that if the globals
+ // are changed (like in the screwed up test system) we will re-initialise the settings.
+ $globalContext = $wgAllowImageTag;
+ if ( !$staticInitialised || $staticInitialised != $globalContext ) {
+ $htmlpairsStatic = [ # Tags that must be closed
+ 'b', 'bdi', 'del', 'i', 'ins', 'u', 'font', 'big', 'small', 'sub', 'sup', 'h1',
+ 'h2', 'h3', 'h4', 'h5', 'h6', 'cite', 'code', 'em', 's',
+ 'strike', 'strong', 'tt', 'var', 'div', 'center',
+ 'blockquote', 'ol', 'ul', 'dl', 'table', 'caption', 'pre',
+ 'ruby', 'rb', 'rp', 'rt', 'rtc', 'p', 'span', 'abbr', 'dfn',
+ 'kbd', 'samp', 'data', 'time', 'mark'
+ ];
+ $htmlsingle = [
+ 'br', 'wbr', 'hr', 'li', 'dt', 'dd', 'meta', 'link'
+ ];
+
+ # Elements that cannot have close tags. This is (not coincidentally)
+ # also the list of tags for which the HTML 5 parsing algorithm
+ # requires you to "acknowledge the token's self-closing flag", i.e.
+ # a self-closing tag like <br/> is not an HTML 5 parse error only
+ # for this list.
+ $htmlsingleonly = [
+ 'br', 'wbr', 'hr', 'meta', 'link'
+ ];
+
+ $htmlnest = [ # Tags that can be nested--??
+ 'table', 'tr', 'td', 'th', 'div', 'blockquote', 'ol', 'ul',
+ 'li', 'dl', 'dt', 'dd', 'font', 'big', 'small', 'sub', 'sup', 'span',
+ 'var', 'kbd', 'samp', 'em', 'strong', 'q', 'ruby', 'bdo'
+ ];
+ $tabletags = [ # Can only appear inside table, we will close them
+ 'td', 'th', 'tr',
+ ];
+ $htmllist = [ # Tags used by list
+ 'ul', 'ol',
+ ];
+ $listtags = [ # Tags that can appear in a list
+ 'li',
+ ];
+
+ if ( $wgAllowImageTag ) {
+ $htmlsingle[] = 'img';
+ $htmlsingleonly[] = 'img';
+ }
+
+ $htmlsingleallowed = array_unique( array_merge( $htmlsingle, $tabletags ) );
+ $htmlelementsStatic = array_unique( array_merge( $htmlsingle, $htmlpairsStatic, $htmlnest ) );
+
+ # Convert them all to hashtables for faster lookup
+ $vars = [ 'htmlpairsStatic', 'htmlsingle', 'htmlsingleonly', 'htmlnest', 'tabletags',
+ 'htmllist', 'listtags', 'htmlsingleallowed', 'htmlelementsStatic' ];
+ foreach ( $vars as $var ) {
+ $$var = array_flip( $$var );
+ }
+ $staticInitialised = $globalContext;
+ }
+
+ # Populate $htmlpairs and $htmlelements with the $extratags and $removetags arrays
+ $extratags = array_flip( $extratags );
+ $removetags = array_flip( $removetags );
+ $htmlpairs = array_merge( $extratags, $htmlpairsStatic );
+ $htmlelements = array_diff_key( array_merge( $extratags, $htmlelementsStatic ), $removetags );
+
+ return [
+ 'htmlpairs' => $htmlpairs,
+ 'htmlsingle' => $htmlsingle,
+ 'htmlsingleonly' => $htmlsingleonly,
+ 'htmlnest' => $htmlnest,
+ 'tabletags' => $tabletags,
+ 'htmllist' => $htmllist,
+ 'listtags' => $listtags,
+ 'htmlsingleallowed' => $htmlsingleallowed,
+ 'htmlelements' => $htmlelements,
+ ];
+ }
+
+ /**
+ * Cleans up HTML, removes dangerous tags and attributes, and
+ * removes HTML comments
+ * @param string $text
+ * @param callable $processCallback Callback to do any variable or parameter
+ * replacements in HTML attribute values
+ * @param array|bool $args Arguments for the processing callback
+ * @param array $extratags For any extra tags to include
+ * @param array $removetags For any tags (default or extra) to exclude
+ * @param callable $warnCallback (Deprecated) Callback allowing the
+ * addition of a tracking category when bad input is encountered.
+ * DO NOT ADD NEW PARAMETERS AFTER $warnCallback, since it will be
+ * removed shortly.
+ * @return string
+ */
+ public static function removeHTMLtags( $text, $processCallback = null,
+ $args = [], $extratags = [], $removetags = [], $warnCallback = null
+ ) {
+ extract( self::getRecognizedTagData( $extratags, $removetags ) );
+
+ # Remove HTML comments
+ $text = self::removeHTMLcomments( $text );
+ $bits = explode( '<', $text );
+ $text = str_replace( '>', '>', array_shift( $bits ) );
+ if ( !MWTidy::isEnabled() ) {
+ $tagstack = $tablestack = [];
+ foreach ( $bits as $x ) {
+ $regs = [];
+ # $slash: Does the current element start with a '/'?
+ # $t: Current element name
+ # $params: String between element name and >
+ # $brace: Ending '>' or '/>'
+ # $rest: Everything until the next element of $bits
+ if ( preg_match( self::ELEMENT_BITS_REGEX, $x, $regs ) ) {
+ list( /* $qbar */, $slash, $t, $params, $brace, $rest ) = $regs;
+ } else {
+ $slash = $t = $params = $brace = $rest = null;
+ }
+
+ $badtag = false;
+ $t = strtolower( $t );
+ if ( isset( $htmlelements[$t] ) ) {
+ # Check our stack
+ if ( $slash && isset( $htmlsingleonly[$t] ) ) {
+ $badtag = true;
+ } elseif ( $slash ) {
+ # Closing a tag... is it the one we just opened?
+ MediaWiki\suppressWarnings();
+ $ot = array_pop( $tagstack );
+ MediaWiki\restoreWarnings();
+
+ if ( $ot != $t ) {
+ if ( isset( $htmlsingleallowed[$ot] ) ) {
+ # Pop all elements with an optional close tag
+ # and see if we find a match below them
+ $optstack = [];
+ array_push( $optstack, $ot );
+ MediaWiki\suppressWarnings();
+ $ot = array_pop( $tagstack );
+ MediaWiki\restoreWarnings();
+ while ( $ot != $t && isset( $htmlsingleallowed[$ot] ) ) {
+ array_push( $optstack, $ot );
+ MediaWiki\suppressWarnings();
+ $ot = array_pop( $tagstack );
+ MediaWiki\restoreWarnings();
+ }
+ if ( $t != $ot ) {
+ # No match. Push the optional elements back again
+ $badtag = true;
+ MediaWiki\suppressWarnings();
+ $ot = array_pop( $optstack );
+ MediaWiki\restoreWarnings();
+ while ( $ot ) {
+ array_push( $tagstack, $ot );
+ MediaWiki\suppressWarnings();
+ $ot = array_pop( $optstack );
+ MediaWiki\restoreWarnings();
+ }
+ }
+ } else {
+ MediaWiki\suppressWarnings();
+ array_push( $tagstack, $ot );
+ MediaWiki\restoreWarnings();
+
+ # <li> can be nested in <ul> or <ol>, skip those cases:
+ if ( !isset( $htmllist[$ot] ) || !isset( $listtags[$t] ) ) {
+ $badtag = true;
+ }
+ }
+ } else {
+ if ( $t == 'table' ) {
+ $tagstack = array_pop( $tablestack );
+ }
+ }
+ $newparams = '';
+ } else {
+ # Keep track for later
+ if ( isset( $tabletags[$t] ) && !in_array( 'table', $tagstack ) ) {
+ $badtag = true;
+ } elseif ( in_array( $t, $tagstack ) && !isset( $htmlnest[$t] ) ) {
+ $badtag = true;
+ # Is it a self closed htmlpair ? (T7487)
+ } elseif ( $brace == '/>' && isset( $htmlpairs[$t] ) ) {
+ // Eventually we'll just remove the self-closing
+ // slash, in order to be consistent with HTML5
+ // semantics.
+ // $brace = '>';
+ // For now, let's just warn authors to clean up.
+ if ( is_callable( $warnCallback ) ) {
+ call_user_func_array( $warnCallback, [ 'deprecated-self-close-category' ] );
+ }
+ $badtag = true;
+ } elseif ( isset( $htmlsingleonly[$t] ) ) {
+ # Hack to force empty tag for unclosable elements
+ $brace = '/>';
+ } elseif ( isset( $htmlsingle[$t] ) ) {
+ # Hack to not close $htmlsingle tags
+ $brace = null;
+ # Still need to push this optionally-closed tag to
+ # the tag stack so that we can match end tags
+ # instead of marking them as bad.
+ array_push( $tagstack, $t );
+ } elseif ( isset( $tabletags[$t] ) && in_array( $t, $tagstack ) ) {
+ // New table tag but forgot to close the previous one
+ $text .= "</$t>";
+ } else {
+ if ( $t == 'table' ) {
+ array_push( $tablestack, $tagstack );
+ $tagstack = [];
+ }
+ array_push( $tagstack, $t );
+ }
+
+ # Replace any variables or template parameters with
+ # plaintext results.
+ if ( is_callable( $processCallback ) ) {
+ call_user_func_array( $processCallback, [ &$params, $args ] );
+ }
+
+ if ( !self::validateTag( $params, $t ) ) {
+ $badtag = true;
+ }
+
+ # Strip non-approved attributes from the tag
+ $newparams = self::fixTagAttributes( $params, $t );
+ }
+ if ( !$badtag ) {
+ $rest = str_replace( '>', '>', $rest );
+ $close = ( $brace == '/>' && !$slash ) ? ' /' : '';
+ $text .= "<$slash$t$newparams$close>$rest";
+ continue;
+ }
+ }
+ $text .= '<' . str_replace( '>', '>', $x );
+ }
+ # Close off any remaining tags
+ while ( is_array( $tagstack ) && ( $t = array_pop( $tagstack ) ) ) {
+ $text .= "</$t>\n";
+ if ( $t == 'table' ) {
+ $tagstack = array_pop( $tablestack );
+ }
+ }
+ } else {
+ # this might be possible using tidy itself
+ foreach ( $bits as $x ) {
+ if ( preg_match( self::ELEMENT_BITS_REGEX, $x, $regs ) ) {
+ list( /* $qbar */, $slash, $t, $params, $brace, $rest ) = $regs;
+
+ $badtag = false;
+ $t = strtolower( $t );
+ if ( isset( $htmlelements[$t] ) ) {
+ if ( is_callable( $processCallback ) ) {
+ call_user_func_array( $processCallback, [ &$params, $args ] );
+ }
+
+ if ( $brace == '/>' && !( isset( $htmlsingle[$t] ) || isset( $htmlsingleonly[$t] ) ) ) {
+ // Eventually we'll just remove the self-closing
+ // slash, in order to be consistent with HTML5
+ // semantics.
+ // $brace = '>';
+ // For now, let's just warn authors to clean up.
+ if ( is_callable( $warnCallback ) ) {
+ call_user_func_array( $warnCallback, [ 'deprecated-self-close-category' ] );
+ }
+ }
+ if ( !self::validateTag( $params, $t ) ) {
+ $badtag = true;
+ }
+
+ $newparams = self::fixTagAttributes( $params, $t );
+ if ( !$badtag ) {
+ if ( $brace === '/>' && !isset( $htmlsingleonly[$t] ) ) {
+ # Interpret self-closing tags as empty tags even when
+ # HTML 5 would interpret them as start tags. Such input
+ # is commonly seen on Wikimedia wikis with this intention.
+ $brace = "></$t>";
+ }
+
+ $rest = str_replace( '>', '>', $rest );
+ $text .= "<$slash$t$newparams$brace$rest";
+ continue;
+ }
+ }
+ }
+ $text .= '<' . str_replace( '>', '>', $x );
+ }
+ }
+ return $text;
+ }
+
+ /**
+ * Remove '<!--', '-->', and everything between.
+ * To avoid leaving blank lines, when a comment is both preceded
+ * and followed by a newline (ignoring spaces), trim leading and
+ * trailing spaces and one of the newlines.
+ *
+ * @param string $text
+ * @return string
+ */
+ public static function removeHTMLcomments( $text ) {
+ while ( ( $start = strpos( $text, '<!--' ) ) !== false ) {
+ $end = strpos( $text, '-->', $start + 4 );
+ if ( $end === false ) {
+ # Unterminated comment; bail out
+ break;
+ }
+
+ $end += 3;
+
+ # Trim space and newline if the comment is both
+ # preceded and followed by a newline
+ $spaceStart = max( $start - 1, 0 );
+ $spaceLen = $end - $spaceStart;
+ while ( substr( $text, $spaceStart, 1 ) === ' ' && $spaceStart > 0 ) {
+ $spaceStart--;
+ $spaceLen++;
+ }
+ while ( substr( $text, $spaceStart + $spaceLen, 1 ) === ' ' ) {
+ $spaceLen++;
+ }
+ if ( substr( $text, $spaceStart, 1 ) === "\n"
+ && substr( $text, $spaceStart + $spaceLen, 1 ) === "\n" ) {
+ # Remove the comment, leading and trailing
+ # spaces, and leave only one newline.
+ $text = substr_replace( $text, "\n", $spaceStart, $spaceLen + 1 );
+ } else {
+ # Remove just the comment.
+ $text = substr_replace( $text, '', $start, $end - $start );
+ }
+ }
+ return $text;
+ }
+
+ /**
+ * Takes attribute names and values for a tag and the tag name and
+ * validates that the tag is allowed to be present.
+ * This DOES NOT validate the attributes, nor does it validate the
+ * tags themselves. This method only handles the special circumstances
+ * where we may want to allow a tag within content but ONLY when it has
+ * specific attributes set.
+ *
+ * @param string $params
+ * @param string $element
+ * @return bool
+ */
+ static function validateTag( $params, $element ) {
+ $params = self::decodeTagAttributes( $params );
+
+ if ( $element == 'meta' || $element == 'link' ) {
+ if ( !isset( $params['itemprop'] ) ) {
+ // <meta> and <link> must have an itemprop="" otherwise they are not valid or safe in content
+ return false;
+ }
+ if ( $element == 'meta' && !isset( $params['content'] ) ) {
+ // <meta> must have a content="" for the itemprop
+ return false;
+ }
+ if ( $element == 'link' && !isset( $params['href'] ) ) {
+ // <link> must have an associated href=""
+ return false;
+ }
+ }
+
+ return true;
+ }
+
+ /**
+ * Take an array of attribute names and values and normalize or discard
+ * illegal values for the given element type.
+ *
+ * - Discards attributes not on a whitelist for the given element
+ * - Unsafe style attributes are discarded
+ * - Invalid id attributes are re-encoded
+ *
+ * @param array $attribs
+ * @param string $element
+ * @return array
+ *
+ * @todo Check for legal values where the DTD limits things.
+ * @todo Check for unique id attribute :P
+ */
+ static function validateTagAttributes( $attribs, $element ) {
+ return self::validateAttributes( $attribs,
+ self::attributeWhitelist( $element ) );
+ }
+
+ /**
+ * Take an array of attribute names and values and normalize or discard
+ * illegal values for the given whitelist.
+ *
+ * - Discards attributes not on the given whitelist
+ * - Unsafe style attributes are discarded
+ * - Invalid id attributes are re-encoded
+ *
+ * @param array $attribs
+ * @param array $whitelist List of allowed attribute names
+ * @return array
+ *
+ * @todo Check for legal values where the DTD limits things.
+ * @todo Check for unique id attribute :P
+ */
+ static function validateAttributes( $attribs, $whitelist ) {
+ $whitelist = array_flip( $whitelist );
+ $hrefExp = '/^(' . wfUrlProtocols() . ')[^\s]+$/';
+
+ $out = [];
+ foreach ( $attribs as $attribute => $value ) {
+ # Allow XML namespace declaration to allow RDFa
+ if ( preg_match( self::XMLNS_ATTRIBUTE_PATTERN, $attribute ) ) {
+ if ( !preg_match( self::EVIL_URI_PATTERN, $value ) ) {
+ $out[$attribute] = $value;
+ }
+
+ continue;
+ }
+
+ # Allow any attribute beginning with "data-"
+ # However:
+ # * Disallow data attributes used by MediaWiki code
+ # * Ensure that the attribute is not namespaced by banning
+ # colons.
+ if ( !preg_match( '/^data-[^:]*$/i', $attribute )
+ && !isset( $whitelist[$attribute] )
+ || self::isReservedDataAttribute( $attribute )
+ ) {
+ continue;
+ }
+
+ # Strip javascript "expression" from stylesheets.
+ # https://msdn.microsoft.com/en-us/library/ms537634.aspx
+ if ( $attribute == 'style' ) {
+ $value = self::checkCss( $value );
+ }
+
+ # Escape HTML id attributes
+ if ( $attribute === 'id' ) {
+ $value = self::escapeIdForAttribute( $value, self::ID_PRIMARY );
+ }
+
+ # Escape HTML id reference lists
+ if ( $attribute === 'aria-describedby'
+ || $attribute === 'aria-flowto'
+ || $attribute === 'aria-labelledby'
+ || $attribute === 'aria-owns'
+ ) {
+ $value = self::escapeIdReferenceList( $value );
+ }
+
+ // RDFa and microdata properties allow URLs, URIs and/or CURIs.
+ // Check them for sanity.
+ if ( $attribute === 'rel' || $attribute === 'rev'
+ # RDFa
+ || $attribute === 'about' || $attribute === 'property'
+ || $attribute === 'resource' || $attribute === 'datatype'
+ || $attribute === 'typeof'
+ # HTML5 microdata
+ || $attribute === 'itemid' || $attribute === 'itemprop'
+ || $attribute === 'itemref' || $attribute === 'itemscope'
+ || $attribute === 'itemtype'
+ ) {
+ // Paranoia. Allow "simple" values but suppress javascript
+ if ( preg_match( self::EVIL_URI_PATTERN, $value ) ) {
+ continue;
+ }
+ }
+
+ # NOTE: even though elements using href/src are not allowed directly, supply
+ # validation code that can be used by tag hook handlers, etc
+ if ( $attribute === 'href' || $attribute === 'src' || $attribute === 'poster' ) {
+ if ( !preg_match( $hrefExp, $value ) ) {
+ continue; // drop any href or src attributes not using an allowed protocol.
+ // NOTE: this also drops all relative URLs
+ }
+ }
+
+ // If this attribute was previously set, override it.
+ // Output should only have one attribute of each name.
+ $out[$attribute] = $value;
+ }
+
+ # itemtype, itemid, itemref don't make sense without itemscope
+ if ( !array_key_exists( 'itemscope', $out ) ) {
+ unset( $out['itemtype'] );
+ unset( $out['itemid'] );
+ unset( $out['itemref'] );
+ }
+ # TODO: Strip itemprop if we aren't descendants of an itemscope or pointed to by an itemref.
+
+ return $out;
+ }
+
+ /**
+ * Given an attribute name, checks whether it is a reserved data attribute
+ * (such as data-mw-foo) which is unavailable to user-generated HTML so MediaWiki
+ * core and extension code can safely use it to communicate with frontend code.
+ * @param string $attr Attribute name.
+ * @return bool
+ */
+ public static function isReservedDataAttribute( $attr ) {
+ // data-ooui is reserved for ooui.
+ // data-mw and data-parsoid are reserved for parsoid.
+ // data-mw-<name here> is reserved for extensions (or core) if
+ // they need to communicate some data to the client and want to be
+ // sure that it isn't coming from an untrusted user.
+ // We ignore the possibility of namespaces since user-generated HTML
+ // can't use them anymore.
+ return (bool)preg_match( '/^data-(ooui|mw|parsoid)/i', $attr );
+ }
+
+ /**
+ * Merge two sets of HTML attributes. Conflicting items in the second set
+ * will override those in the first, except for 'class' attributes which
+ * will be combined (if they're both strings).
+ *
+ * @todo implement merging for other attributes such as style
+ * @param array $a
+ * @param array $b
+ * @return array
+ */
+ static function mergeAttributes( $a, $b ) {
+ $out = array_merge( $a, $b );
+ if ( isset( $a['class'] ) && isset( $b['class'] )
+ && is_string( $a['class'] ) && is_string( $b['class'] )
+ && $a['class'] !== $b['class']
+ ) {
+ $classes = preg_split( '/\s+/', "{$a['class']} {$b['class']}",
+ -1, PREG_SPLIT_NO_EMPTY );
+ $out['class'] = implode( ' ', array_unique( $classes ) );
+ }
+ return $out;
+ }
+
+ /**
+ * Normalize CSS into a format we can easily search for hostile input
+ * - decode character references
+ * - decode escape sequences
+ * - convert characters that IE6 interprets into ascii
+ * - remove comments, unless the entire value is one single comment
+ * @param string $value the css string
+ * @return string normalized css
+ */
+ public static function normalizeCss( $value ) {
+ // Decode character references like {
+ $value = self::decodeCharReferences( $value );
+
+ // Decode escape sequences and line continuation
+ // See the grammar in the CSS 2 spec, appendix D.
+ // This has to be done AFTER decoding character references.
+ // This means it isn't possible for this function to return
+ // unsanitized escape sequences. It is possible to manufacture
+ // input that contains character references that decode to
+ // escape sequences that decode to character references, but
+ // it's OK for the return value to contain character references
+ // because the caller is supposed to escape those anyway.
+ static $decodeRegex;
+ if ( !$decodeRegex ) {
+ $space = '[\\x20\\t\\r\\n\\f]';
+ $nl = '(?:\\n|\\r\\n|\\r|\\f)';
+ $backslash = '\\\\';
+ $decodeRegex = "/ $backslash
+ (?:
+ ($nl) | # 1. Line continuation
+ ([0-9A-Fa-f]{1,6})$space? | # 2. character number
+ (.) | # 3. backslash cancelling special meaning
+ () | # 4. backslash at end of string
+ )/xu";
+ }
+ $value = preg_replace_callback( $decodeRegex,
+ [ __CLASS__, 'cssDecodeCallback' ], $value );
+
+ // Normalize Halfwidth and Fullwidth Unicode block that IE6 might treat as ascii
+ $value = preg_replace_callback(
+ '/[!-[]-z]/u', // U+FF01 to U+FF5A, excluding U+FF3C (T60088)
+ function ( $matches ) {
+ $cp = UtfNormal\Utils::utf8ToCodepoint( $matches[0] );
+ if ( $cp === false ) {
+ return '';
+ }
+ return chr( $cp - 65248 ); // ASCII range \x21-\x7A
+ },
+ $value
+ );
+
+ // Convert more characters IE6 might treat as ascii
+ // U+0280, U+0274, U+207F, U+029F, U+026A, U+207D, U+208D
+ $value = str_replace(
+ [ 'ʀ', 'ɴ', 'ⁿ', 'ʟ', 'ɪ', '⁽', '₍' ],
+ [ 'r', 'n', 'n', 'l', 'i', '(', '(' ],
+ $value
+ );
+
+ // Let the value through if it's nothing but a single comment, to
+ // allow other functions which may reject it to pass some error
+ // message through.
+ if ( !preg_match( '! ^ \s* /\* [^*\\/]* \*/ \s* $ !x', $value ) ) {
+ // Remove any comments; IE gets token splitting wrong
+ // This must be done AFTER decoding character references and
+ // escape sequences, because those steps can introduce comments
+ // This step cannot introduce character references or escape
+ // sequences, because it replaces comments with spaces rather
+ // than removing them completely.
+ $value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value );
+
+ // Remove anything after a comment-start token, to guard against
+ // incorrect client implementations.
+ $commentPos = strpos( $value, '/*' );
+ if ( $commentPos !== false ) {
+ $value = substr( $value, 0, $commentPos );
+ }
+ }
+
+ // S followed by repeat, iteration, or prolonged sound marks,
+ // which IE will treat as "ss"
+ $value = preg_replace(
+ '/s(?:
+ \xE3\x80\xB1 | # U+3031
+ \xE3\x82\x9D | # U+309D
+ \xE3\x83\xBC | # U+30FC
+ \xE3\x83\xBD | # U+30FD
+ \xEF\xB9\xBC | # U+FE7C
+ \xEF\xB9\xBD | # U+FE7D
+ \xEF\xBD\xB0 # U+FF70
+ )/ix',
+ 'ss',
+ $value
+ );
+
+ return $value;
+ }
+
+ /**
+ * Pick apart some CSS and check it for forbidden or unsafe structures.
+ * Returns a sanitized string. This sanitized string will have
+ * character references and escape sequences decoded and comments
+ * stripped (unless it is itself one valid comment, in which case the value
+ * will be passed through). If the input is just too evil, only a comment
+ * complaining about evilness will be returned.
+ *
+ * Currently URL references, 'expression', 'tps' are forbidden.
+ *
+ * NOTE: Despite the fact that character references are decoded, the
+ * returned string may contain character references given certain
+ * clever input strings. These character references must
+ * be escaped before the return value is embedded in HTML.
+ *
+ * @param string $value
+ * @return string
+ */
+ static function checkCss( $value ) {
+ $value = self::normalizeCss( $value );
+
+ // Reject problematic keywords and control characters
+ if ( preg_match( '/[\000-\010\013\016-\037\177]/', $value ) ||
+ strpos( $value, UtfNormal\Constants::UTF8_REPLACEMENT ) !== false ) {
+ return '/* invalid control char */';
+ } elseif ( preg_match(
+ '! expression
+ | filter\s*:
+ | accelerator\s*:
+ | -o-link\s*:
+ | -o-link-source\s*:
+ | -o-replace\s*:
+ | url\s*\(
+ | image\s*\(
+ | image-set\s*\(
+ | attr\s*\([^)]+[\s,]+url
+ !ix', $value ) ) {
+ return '/* insecure input */';
+ }
+ return $value;
+ }
+
+ /**
+ * @param array $matches
+ * @return string
+ */
+ static function cssDecodeCallback( $matches ) {
+ if ( $matches[1] !== '' ) {
+ // Line continuation
+ return '';
+ } elseif ( $matches[2] !== '' ) {
+ $char = UtfNormal\Utils::codepointToUtf8( hexdec( $matches[2] ) );
+ } elseif ( $matches[3] !== '' ) {
+ $char = $matches[3];
+ } else {
+ $char = '\\';
+ }
+ if ( $char == "\n" || $char == '"' || $char == "'" || $char == '\\' ) {
+ // These characters need to be escaped in strings
+ // Clean up the escape sequence to avoid parsing errors by clients
+ return '\\' . dechex( ord( $char ) ) . ' ';
+ } else {
+ // Decode unnecessary escape
+ return $char;
+ }
+ }
+
+ /**
+ * Take a tag soup fragment listing an HTML element's attributes
+ * and normalize it to well-formed XML, discarding unwanted attributes.
+ * Output is safe for further wikitext processing, with escaping of
+ * values that could trigger problems.
+ *
+ * - Normalizes attribute names to lowercase
+ * - Discards attributes not on a whitelist for the given element
+ * - Turns broken or invalid entities into plaintext
+ * - Double-quotes all attribute values
+ * - Attributes without values are given the name as attribute
+ * - Double attributes are discarded
+ * - Unsafe style attributes are discarded
+ * - Prepends space if there are attributes.
+ * - (Optionally) Sorts attributes by name.
+ *
+ * @param string $text
+ * @param string $element
+ * @param bool $sorted Whether to sort the attributes (default: false)
+ * @return string
+ */
+ static function fixTagAttributes( $text, $element, $sorted = false ) {
+ if ( trim( $text ) == '' ) {
+ return '';
+ }
+
+ $decoded = self::decodeTagAttributes( $text );
+ $stripped = self::validateTagAttributes( $decoded, $element );
+
+ if ( $sorted ) {
+ ksort( $stripped );
+ }
+
+ return self::safeEncodeTagAttributes( $stripped );
+ }
+
+ /**
+ * Encode an attribute value for HTML output.
+ * @param string $text
+ * @return string HTML-encoded text fragment
+ */
+ static function encodeAttribute( $text ) {
+ $encValue = htmlspecialchars( $text, ENT_QUOTES );
+
+ // Whitespace is normalized during attribute decoding,
+ // so if we've been passed non-spaces we must encode them
+ // ahead of time or they won't be preserved.
+ $encValue = strtr( $encValue, [
+ "\n" => ' ',
+ "\r" => ' ',
+ "\t" => '	',
+ ] );
+
+ return $encValue;
+ }
+
+ /**
+ * Encode an attribute value for HTML tags, with extra armoring
+ * against further wiki processing.
+ * @param string $text
+ * @return string HTML-encoded text fragment
+ */
+ static function safeEncodeAttribute( $text ) {
+ $encValue = self::encodeAttribute( $text );
+
+ # Templates and links may be expanded in later parsing,
+ # creating invalid or dangerous output. Suppress this.
+ $encValue = strtr( $encValue, [
+ '<' => '<', // This should never happen,
+ '>' => '>', // we've received invalid input
+ '"' => '"', // which should have been escaped.
+ '{' => '{',
+ '}' => '}', // prevent unpaired language conversion syntax
+ '[' => '[',
+ "''" => '''',
+ 'ISBN' => 'ISBN',
+ 'RFC' => 'RFC',
+ 'PMID' => 'PMID',
+ '|' => '|',
+ '__' => '__',
+ ] );
+
+ # Stupid hack
+ $encValue = preg_replace_callback(
+ '/((?i)' . wfUrlProtocols() . ')/',
+ [ 'Sanitizer', 'armorLinksCallback' ],
+ $encValue );
+ return $encValue;
+ }
+
+ /**
+ * Given a value, escape it so that it can be used in an id attribute and
+ * return it. This will use HTML5 validation if $wgExperimentalHtmlIds is
+ * true, allowing anything but ASCII whitespace. Otherwise it will use
+ * HTML 4 rules, which means a narrow subset of ASCII, with bad characters
+ * escaped with lots of dots.
+ *
+ * To ensure we don't have to bother escaping anything, we also strip ', ",
+ * & even if $wgExperimentalIds is true. TODO: Is this the best tactic?
+ * We also strip # because it upsets IE, and % because it could be
+ * ambiguous if it's part of something that looks like a percent escape
+ * (which don't work reliably in fragments cross-browser).
+ *
+ * @deprecated since 1.30, use one of this class' escapeIdFor*() functions
+ *
+ * @see https://www.w3.org/TR/html401/types.html#type-name Valid characters
+ * in the id and name attributes
+ * @see https://www.w3.org/TR/html401/struct/links.html#h-12.2.3 Anchors with
+ * the id attribute
+ * @see https://www.w3.org/TR/html5/dom.html#the-id-attribute
+ * HTML5 definition of id attribute
+ *
+ * @param string $id Id to escape
+ * @param string|array $options String or array of strings (default is array()):
+ * 'noninitial': This is a non-initial fragment of an id, not a full id,
+ * so don't pay attention if the first character isn't valid at the
+ * beginning of an id. Only matters if $wgExperimentalHtmlIds is
+ * false.
+ * 'legacy': Behave the way the old HTML 4-based ID escaping worked even
+ * if $wgExperimentalHtmlIds is used, so we can generate extra
+ * anchors and links won't break.
+ * @return string
+ */
+ static function escapeId( $id, $options = [] ) {
+ global $wgExperimentalHtmlIds;
+ $options = (array)$options;
+
+ if ( $wgExperimentalHtmlIds && !in_array( 'legacy', $options ) ) {
+ $id = preg_replace( '/[ \t\n\r\f_\'"&#%]+/', '_', $id );
+ $id = trim( $id, '_' );
+ if ( $id === '' ) {
+ // Must have been all whitespace to start with.
+ return '_';
+ } else {
+ return $id;
+ }
+ }
+
+ // HTML4-style escaping
+ static $replace = [
+ '%3A' => ':',
+ '%' => '.'
+ ];
+
+ $id = urlencode( strtr( $id, ' ', '_' ) );
+ $id = strtr( $id, $replace );
+
+ if ( !preg_match( '/^[a-zA-Z]/', $id ) && !in_array( 'noninitial', $options ) ) {
+ // Initial character must be a letter!
+ $id = "x$id";
+ }
+ return $id;
+ }
+
+ /**
+ * Given a section name or other user-generated or otherwise unsafe string, escapes it to be
+ * a valid HTML id attribute.
+ *
+ * WARNING: unlike escapeId(), the output of this function is not guaranteed to be HTML safe,
+ * be sure to use proper escaping.
+ *
+ * @param string $id String to escape
+ * @param int $mode One of ID_* constants, specifying whether the primary or fallback encoding
+ * should be used.
+ * @return string|bool Escaped ID or false if fallback encoding is requested but it's not
+ * configured.
+ *
+ * @since 1.30
+ */
+ public static function escapeIdForAttribute( $id, $mode = self::ID_PRIMARY ) {
+ global $wgFragmentMode;
+
+ if ( !isset( $wgFragmentMode[$mode] ) ) {
+ if ( $mode === self::ID_PRIMARY ) {
+ throw new UnexpectedValueException( '$wgFragmentMode is configured with no primary mode' );
+ }
+ return false;
+ }
+
+ $internalMode = $wgFragmentMode[$mode];
+
+ return self::escapeIdInternal( $id, $internalMode );
+ }
+
+ /**
+ * Given a section name or other user-generated or otherwise unsafe string, escapes it to be
+ * a valid URL fragment.
+ *
+ * WARNING: unlike escapeId(), the output of this function is not guaranteed to be HTML safe,
+ * be sure to use proper escaping.
+ *
+ * @param string $id String to escape
+ * @return string Escaped ID
+ *
+ * @since 1.30
+ */
+ public static function escapeIdForLink( $id ) {
+ global $wgFragmentMode;
+
+ if ( !isset( $wgFragmentMode[self::ID_PRIMARY] ) ) {
+ throw new UnexpectedValueException( '$wgFragmentMode is configured with no primary mode' );
+ }
+
+ $mode = $wgFragmentMode[self::ID_PRIMARY];
+
+ $id = self::escapeIdInternal( $id, $mode );
+
+ return $id;
+ }
+
+ /**
+ * Given a section name or other user-generated or otherwise unsafe string, escapes it to be
+ * a valid URL fragment for external interwikis.
+ *
+ * @param string $id String to escape
+ * @return string Escaped ID
+ *
+ * @since 1.30
+ */
+ public static function escapeIdForExternalInterwiki( $id ) {
+ global $wgExternalInterwikiFragmentMode;
+
+ $id = self::escapeIdInternal( $id, $wgExternalInterwikiFragmentMode );
+
+ return $id;
+ }
+
+ /**
+ * Helper for escapeIdFor*() functions. Performs most of the actual escaping.
+ *
+ * @param string $id String to escape
+ * @param string $mode One of modes from $wgFragmentMode
+ * @return string
+ */
+ private static function escapeIdInternal( $id, $mode ) {
+ switch ( $mode ) {
+ case 'html5':
+ $id = str_replace( ' ', '_', $id );
+ break;
+ case 'legacy':
+ // This corresponds to 'noninitial' mode of the old escapeId()
+ static $replace = [
+ '%3A' => ':',
+ '%' => '.'
+ ];
+
+ $id = urlencode( str_replace( ' ', '_', $id ) );
+ $id = strtr( $id, $replace );
+ break;
+ case 'html5-legacy':
+ $id = preg_replace( '/[ \t\n\r\f_\'"&#%]+/', '_', $id );
+ $id = trim( $id, '_' );
+ if ( $id === '' ) {
+ // Must have been all whitespace to start with.
+ $id = '_';
+ }
+ break;
+ default:
+ throw new InvalidArgumentException( "Invalid mode '$mode' passed to '" . __METHOD__ );
+ }
+
+ return $id;
+ }
+
+ /**
+ * Given a string containing a space delimited list of ids, escape each id
+ * to match ids escaped by the escapeId() function.
+ *
+ * @todo remove $options completely in 1.32
+ *
+ * @since 1.27
+ *
+ * @param string $referenceString Space delimited list of ids
+ * @param string|array $options Deprecated and does nothing.
+ * @return string
+ */
+ static function escapeIdReferenceList( $referenceString, $options = [] ) {
+ if ( $options ) {
+ wfDeprecated( __METHOD__ . ' with $options', '1.31' );
+ }
+ # Explode the space delimited list string into an array of tokens
+ $references = preg_split( '/\s+/', "{$referenceString}", -1, PREG_SPLIT_NO_EMPTY );
+
+ # Escape each token as an id
+ foreach ( $references as &$ref ) {
+ $ref = self::escapeIdForAttribute( $ref );
+ }
+
+ # Merge the array back to a space delimited list string
+ # If the array is empty, the result will be an empty string ('')
+ $referenceString = implode( ' ', $references );
+
+ return $referenceString;
+ }
+
+ /**
+ * Given a value, escape it so that it can be used as a CSS class and
+ * return it.
+ *
+ * @todo For extra validity, input should be validated UTF-8.
+ *
+ * @see https://www.w3.org/TR/CSS21/syndata.html Valid characters/format
+ *
+ * @param string $class
+ * @return string
+ */
+ static function escapeClass( $class ) {
+ // Convert ugly stuff to underscores and kill underscores in ugly places
+ return rtrim( preg_replace(
+ [ '/(^[0-9\\-])|[\\x00-\\x20!"#$%&\'()*+,.\\/:;<=>?@[\\]^`{|}~]|\\xC2\\xA0/', '/_+/' ],
+ '_',
+ $class ), '_' );
+ }
+
+ /**
+ * Given HTML input, escape with htmlspecialchars but un-escape entities.
+ * This allows (generally harmless) entities like   to survive.
+ *
+ * @param string $html HTML to escape
+ * @return string Escaped input
+ */
+ static function escapeHtmlAllowEntities( $html ) {
+ $html = self::decodeCharReferences( $html );
+ # It seems wise to escape ' as well as ", as a matter of course. Can't
+ # hurt. Use ENT_SUBSTITUTE so that incorrectly truncated multibyte characters
+ # don't cause the entire string to disappear.
+ $html = htmlspecialchars( $html, ENT_QUOTES | ENT_SUBSTITUTE );
+ return $html;
+ }
+
+ /**
+ * Regex replace callback for armoring links against further processing.
+ * @param array $matches
+ * @return string
+ */
+ private static function armorLinksCallback( $matches ) {
+ return str_replace( ':', ':', $matches[1] );
+ }
+
+ /**
+ * Return an associative array of attribute names and values from
+ * a partial tag string. Attribute names are forced to lowercase,
+ * character references are decoded to UTF-8 text.
+ *
+ * @param string $text
+ * @return array
+ */
+ public static function decodeTagAttributes( $text ) {
+ if ( trim( $text ) == '' ) {
+ return [];
+ }
+
+ $attribs = [];
+ $pairs = [];
+ if ( !preg_match_all(
+ self::getAttribsRegex(),
+ $text,
+ $pairs,
+ PREG_SET_ORDER ) ) {
+ return $attribs;
+ }
+
+ foreach ( $pairs as $set ) {
+ $attribute = strtolower( $set[1] );
+ $value = self::getTagAttributeCallback( $set );
+
+ // Normalize whitespace
+ $value = preg_replace( '/[\t\r\n ]+/', ' ', $value );
+ $value = trim( $value );
+
+ // Decode character references
+ $attribs[$attribute] = self::decodeCharReferences( $value );
+ }
+ return $attribs;
+ }
+
+ /**
+ * Build a partial tag string from an associative array of attribute
+ * names and values as returned by decodeTagAttributes.
+ *
+ * @param array $assoc_array
+ * @return string
+ */
+ public static function safeEncodeTagAttributes( $assoc_array ) {
+ $attribs = [];
+ foreach ( $assoc_array as $attribute => $value ) {
+ $encAttribute = htmlspecialchars( $attribute );
+ $encValue = self::safeEncodeAttribute( $value );
+
+ $attribs[] = "$encAttribute=\"$encValue\"";
+ }
+ return count( $attribs ) ? ' ' . implode( ' ', $attribs ) : '';
+ }
+
+ /**
+ * Pick the appropriate attribute value from a match set from the
+ * attribs regex matches.
+ *
+ * @param array $set
+ * @throws MWException When tag conditions are not met.
+ * @return string
+ */
+ private static function getTagAttributeCallback( $set ) {
+ if ( isset( $set[5] ) ) {
+ # No quotes.
+ return $set[5];
+ } elseif ( isset( $set[4] ) ) {
+ # Single-quoted
+ return $set[4];
+ } elseif ( isset( $set[3] ) ) {
+ # Double-quoted
+ return $set[3];
+ } elseif ( !isset( $set[2] ) ) {
+ # In XHTML, attributes must have a value so return an empty string.
+ # See "Empty attribute syntax",
+ # https://www.w3.org/TR/html5/syntax.html#syntax-attribute-name
+ return "";
+ } else {
+ throw new MWException( "Tag conditions not met. This should never happen and is a bug." );
+ }
+ }
+
+ /**
+ * @param string $text
+ * @return string
+ */
+ private static function normalizeWhitespace( $text ) {
+ return preg_replace(
+ '/\r\n|[\x20\x0d\x0a\x09]/',
+ ' ',
+ $text );
+ }
+
+ /**
+ * Normalizes whitespace in a section name, such as might be returned
+ * by Parser::stripSectionName(), for use in the id's that are used for
+ * section links.
+ *
+ * @param string $section
+ * @return string
+ */
+ static function normalizeSectionNameWhitespace( $section ) {
+ return trim( preg_replace( '/[ _]+/', ' ', $section ) );
+ }
+
+ /**
+ * Ensure that any entities and character references are legal
+ * for XML and XHTML specifically. Any stray bits will be
+ * &-escaped to result in a valid text fragment.
+ *
+ * a. named char refs can only be < > & ", others are
+ * numericized (this way we're well-formed even without a DTD)
+ * b. any numeric char refs must be legal chars, not invalid or forbidden
+ * c. use lower cased "&#x", not "&#X"
+ * d. fix or reject non-valid attributes
+ *
+ * @param string $text
+ * @return string
+ * @private
+ */
+ static function normalizeCharReferences( $text ) {
+ return preg_replace_callback(
+ self::CHAR_REFS_REGEX,
+ [ 'Sanitizer', 'normalizeCharReferencesCallback' ],
+ $text );
+ }
+
+ /**
+ * @param string $matches
+ * @return string
+ */
+ static function normalizeCharReferencesCallback( $matches ) {
+ $ret = null;
+ if ( $matches[1] != '' ) {
+ $ret = self::normalizeEntity( $matches[1] );
+ } elseif ( $matches[2] != '' ) {
+ $ret = self::decCharReference( $matches[2] );
+ } elseif ( $matches[3] != '' ) {
+ $ret = self::hexCharReference( $matches[3] );
+ }
+ if ( is_null( $ret ) ) {
+ return htmlspecialchars( $matches[0] );
+ } else {
+ return $ret;
+ }
+ }
+
+ /**
+ * If the named entity is defined in the HTML 4.0/XHTML 1.0 DTD,
+ * return the equivalent numeric entity reference (except for the core <
+ * > & "). If the entity is a MediaWiki-specific alias, returns
+ * the HTML equivalent. Otherwise, returns HTML-escaped text of
+ * pseudo-entity source (eg &foo;)
+ *
+ * @param string $name
+ * @return string
+ */
+ static function normalizeEntity( $name ) {
+ if ( isset( self::$htmlEntityAliases[$name] ) ) {
+ return '&' . self::$htmlEntityAliases[$name] . ';';
+ } elseif ( in_array( $name, [ 'lt', 'gt', 'amp', 'quot' ] ) ) {
+ return "&$name;";
+ } elseif ( isset( self::$htmlEntities[$name] ) ) {
+ return '&#' . self::$htmlEntities[$name] . ';';
+ } else {
+ return "&$name;";
+ }
+ }
+
+ /**
+ * @param int $codepoint
+ * @return null|string
+ */
+ static function decCharReference( $codepoint ) {
+ $point = intval( $codepoint );
+ if ( self::validateCodepoint( $point ) ) {
+ return sprintf( '&#%d;', $point );
+ } else {
+ return null;
+ }
+ }
+
+ /**
+ * @param int $codepoint
+ * @return null|string
+ */
+ static function hexCharReference( $codepoint ) {
+ $point = hexdec( $codepoint );
+ if ( self::validateCodepoint( $point ) ) {
+ return sprintf( '&#x%x;', $point );
+ } else {
+ return null;
+ }
+ }
+
+ /**
+ * Returns true if a given Unicode codepoint is a valid character in
+ * both HTML5 and XML.
+ * @param int $codepoint
+ * @return bool
+ */
+ private static function validateCodepoint( $codepoint ) {
+ # U+000C is valid in HTML5 but not allowed in XML.
+ # U+000D is valid in XML but not allowed in HTML5.
+ # U+007F - U+009F are disallowed in HTML5 (control characters).
+ return $codepoint == 0x09
+ || $codepoint == 0x0a
+ || ( $codepoint >= 0x20 && $codepoint <= 0x7e )
+ || ( $codepoint >= 0xa0 && $codepoint <= 0xd7ff )
+ || ( $codepoint >= 0xe000 && $codepoint <= 0xfffd )
+ || ( $codepoint >= 0x10000 && $codepoint <= 0x10ffff );
+ }
+
+ /**
+ * Decode any character references, numeric or named entities,
+ * in the text and return a UTF-8 string.
+ *
+ * @param string $text
+ * @return string
+ */
+ public static function decodeCharReferences( $text ) {
+ return preg_replace_callback(
+ self::CHAR_REFS_REGEX,
+ [ 'Sanitizer', 'decodeCharReferencesCallback' ],
+ $text );
+ }
+
+ /**
+ * Decode any character references, numeric or named entities,
+ * in the next and normalize the resulting string. (T16952)
+ *
+ * This is useful for page titles, not for text to be displayed,
+ * MediaWiki allows HTML entities to escape normalization as a feature.
+ *
+ * @param string $text Already normalized, containing entities
+ * @return string Still normalized, without entities
+ */
+ public static function decodeCharReferencesAndNormalize( $text ) {
+ global $wgContLang;
+ $text = preg_replace_callback(
+ self::CHAR_REFS_REGEX,
+ [ 'Sanitizer', 'decodeCharReferencesCallback' ],
+ $text,
+ -1, //limit
+ $count
+ );
+
+ if ( $count ) {
+ return $wgContLang->normalize( $text );
+ } else {
+ return $text;
+ }
+ }
+
+ /**
+ * @param string $matches
+ * @return string
+ */
+ static function decodeCharReferencesCallback( $matches ) {
+ if ( $matches[1] != '' ) {
+ return self::decodeEntity( $matches[1] );
+ } elseif ( $matches[2] != '' ) {
+ return self::decodeChar( intval( $matches[2] ) );
+ } elseif ( $matches[3] != '' ) {
+ return self::decodeChar( hexdec( $matches[3] ) );
+ }
+ # Last case should be an ampersand by itself
+ return $matches[0];
+ }
+
+ /**
+ * Return UTF-8 string for a codepoint if that is a valid
+ * character reference, otherwise U+FFFD REPLACEMENT CHARACTER.
+ * @param int $codepoint
+ * @return string
+ * @private
+ */
+ static function decodeChar( $codepoint ) {
+ if ( self::validateCodepoint( $codepoint ) ) {
+ return UtfNormal\Utils::codepointToUtf8( $codepoint );
+ } else {
+ return UtfNormal\Constants::UTF8_REPLACEMENT;
+ }
+ }
+
+ /**
+ * If the named entity is defined in the HTML 4.0/XHTML 1.0 DTD,
+ * return the UTF-8 encoding of that character. Otherwise, returns
+ * pseudo-entity source (eg "&foo;")
+ *
+ * @param string $name
+ * @return string
+ */
+ static function decodeEntity( $name ) {
+ if ( isset( self::$htmlEntityAliases[$name] ) ) {
+ $name = self::$htmlEntityAliases[$name];
+ }
+ if ( isset( self::$htmlEntities[$name] ) ) {
+ return UtfNormal\Utils::codepointToUtf8( self::$htmlEntities[$name] );
+ } else {
+ return "&$name;";
+ }
+ }
+
+ /**
+ * Fetch the whitelist of acceptable attributes for a given element name.
+ *
+ * @param string $element
+ * @return array
+ */
+ static function attributeWhitelist( $element ) {
+ $list = self::setupAttributeWhitelist();
+ return isset( $list[$element] )
+ ? $list[$element]
+ : [];
+ }
+
+ /**
+ * Foreach array key (an allowed HTML element), return an array
+ * of allowed attributes
+ * @return array
+ */
+ static function setupAttributeWhitelist() {
+ static $whitelist;
+
+ if ( $whitelist !== null ) {
+ return $whitelist;
+ }
+
+ $common = [
+ # HTML
+ 'id',
+ 'class',
+ 'style',
+ 'lang',
+ 'dir',
+ 'title',
+
+ # WAI-ARIA
+ 'aria-describedby',
+ 'aria-flowto',
+ 'aria-label',
+ 'aria-labelledby',
+ 'aria-owns',
+ 'role',
+
+ # RDFa
+ # These attributes are specified in section 9 of
+ # https://www.w3.org/TR/2008/REC-rdfa-syntax-20081014
+ 'about',
+ 'property',
+ 'resource',
+ 'datatype',
+ 'typeof',
+
+ # Microdata. These are specified by
+ # https://html.spec.whatwg.org/multipage/microdata.html#the-microdata-model
+ 'itemid',
+ 'itemprop',
+ 'itemref',
+ 'itemscope',
+ 'itemtype',
+ ];
+
+ $block = array_merge( $common, [ 'align' ] );
+ $tablealign = [ 'align', 'valign' ];
+ $tablecell = [
+ 'abbr',
+ 'axis',
+ 'headers',
+ 'scope',
+ 'rowspan',
+ 'colspan',
+ 'nowrap', # deprecated
+ 'width', # deprecated
+ 'height', # deprecated
+ 'bgcolor', # deprecated
+ ];
+
+ # Numbers refer to sections in HTML 4.01 standard describing the element.
+ # See: https://www.w3.org/TR/html4/
+ $whitelist = [
+ # 7.5.4
+ 'div' => $block,
+ 'center' => $common, # deprecated
+ 'span' => $common,
+
+ # 7.5.5
+ 'h1' => $block,
+ 'h2' => $block,
+ 'h3' => $block,
+ 'h4' => $block,
+ 'h5' => $block,
+ 'h6' => $block,
+
+ # 7.5.6
+ # address
+
+ # 8.2.4
+ 'bdo' => $common,
+
+ # 9.2.1
+ 'em' => $common,
+ 'strong' => $common,
+ 'cite' => $common,
+ 'dfn' => $common,
+ 'code' => $common,
+ 'samp' => $common,
+ 'kbd' => $common,
+ 'var' => $common,
+ 'abbr' => $common,
+ # acronym
+
+ # 9.2.2
+ 'blockquote' => array_merge( $common, [ 'cite' ] ),
+ 'q' => array_merge( $common, [ 'cite' ] ),
+
+ # 9.2.3
+ 'sub' => $common,
+ 'sup' => $common,
+
+ # 9.3.1
+ 'p' => $block,
+
+ # 9.3.2
+ 'br' => array_merge( $common, [ 'clear' ] ),
+
+ # https://www.w3.org/TR/html5/text-level-semantics.html#the-wbr-element
+ 'wbr' => $common,
+
+ # 9.3.4
+ 'pre' => array_merge( $common, [ 'width' ] ),
+
+ # 9.4
+ 'ins' => array_merge( $common, [ 'cite', 'datetime' ] ),
+ 'del' => array_merge( $common, [ 'cite', 'datetime' ] ),
+
+ # 10.2
+ 'ul' => array_merge( $common, [ 'type' ] ),
+ 'ol' => array_merge( $common, [ 'type', 'start', 'reversed' ] ),
+ 'li' => array_merge( $common, [ 'type', 'value' ] ),
+
+ # 10.3
+ 'dl' => $common,
+ 'dd' => $common,
+ 'dt' => $common,
+
+ # 11.2.1
+ 'table' => array_merge( $common,
+ [ 'summary', 'width', 'border', 'frame',
+ 'rules', 'cellspacing', 'cellpadding',
+ 'align', 'bgcolor',
+ ] ),
+
+ # 11.2.2
+ 'caption' => $block,
+
+ # 11.2.3
+ 'thead' => $common,
+ 'tfoot' => $common,
+ 'tbody' => $common,
+
+ # 11.2.4
+ 'colgroup' => array_merge( $common, [ 'span' ] ),
+ 'col' => array_merge( $common, [ 'span' ] ),
+
+ # 11.2.5
+ 'tr' => array_merge( $common, [ 'bgcolor' ], $tablealign ),
+
+ # 11.2.6
+ 'td' => array_merge( $common, $tablecell, $tablealign ),
+ 'th' => array_merge( $common, $tablecell, $tablealign ),
+
+ # 12.2
+ # NOTE: <a> is not allowed directly, but the attrib
+ # whitelist is used from the Parser object
+ 'a' => array_merge( $common, [ 'href', 'rel', 'rev' ] ), # rel/rev esp. for RDFa
+
+ # 13.2
+ # Not usually allowed, but may be used for extension-style hooks
+ # such as <math> when it is rasterized, or if $wgAllowImageTag is
+ # true
+ 'img' => array_merge( $common, [ 'alt', 'src', 'width', 'height', 'srcset' ] ),
+
+ 'video' => array_merge( $common, [ 'poster', 'controls', 'preload', 'width', 'height' ] ),
+ 'source' => array_merge( $common, [ 'type', 'src' ] ),
+ 'track' => array_merge( $common, [ 'type', 'src', 'srclang', 'kind', 'label' ] ),
+
+ # 15.2.1
+ 'tt' => $common,
+ 'b' => $common,
+ 'i' => $common,
+ 'big' => $common,
+ 'small' => $common,
+ 'strike' => $common,
+ 's' => $common,
+ 'u' => $common,
+
+ # 15.2.2
+ 'font' => array_merge( $common, [ 'size', 'color', 'face' ] ),
+ # basefont
+
+ # 15.3
+ 'hr' => array_merge( $common, [ 'width' ] ),
+
+ # HTML Ruby annotation text module, simple ruby only.
+ # https://www.w3.org/TR/html5/text-level-semantics.html#the-ruby-element
+ 'ruby' => $common,
+ # rbc
+ 'rb' => $common,
+ 'rp' => $common,
+ 'rt' => $common, # array_merge( $common, array( 'rbspan' ) ),
+ 'rtc' => $common,
+
+ # MathML root element, where used for extensions
+ # 'title' may not be 100% valid here; it's XHTML
+ # https://www.w3.org/TR/REC-MathML/
+ 'math' => [ 'class', 'style', 'id', 'title' ],
+
+ // HTML 5 section 4.5
+ 'figure' => $common,
+ 'figcaption' => $common,
+
+ # HTML 5 section 4.6
+ 'bdi' => $common,
+
+ # HTML5 elements, defined by:
+ # https://html.spec.whatwg.org/multipage/semantics.html#the-data-element
+ 'data' => array_merge( $common, [ 'value' ] ),
+ 'time' => array_merge( $common, [ 'datetime' ] ),
+ 'mark' => $common,
+
+ // meta and link are only permitted by removeHTMLtags when Microdata
+ // is enabled so we don't bother adding a conditional to hide these
+ // Also meta and link are only valid in WikiText as Microdata elements
+ // (ie: validateTag rejects tags missing the attributes needed for Microdata)
+ // So we don't bother including $common attributes that have no purpose.
+ 'meta' => [ 'itemprop', 'content' ],
+ 'link' => [ 'itemprop', 'href', 'title' ],
+ ];
+
+ return $whitelist;
+ }
+
+ /**
+ * Take a fragment of (potentially invalid) HTML and return
+ * a version with any tags removed, encoded as plain text.
+ *
+ * Warning: this return value must be further escaped for literal
+ * inclusion in HTML output as of 1.10!
+ *
+ * @param string $text HTML fragment
+ * @return string
+ */
+ static function stripAllTags( $text ) {
+ # Actual <tags>
+ $text = StringUtils::delimiterReplace( '<', '>', '', $text );
+
+ # Normalize &entities and whitespace
+ $text = self::decodeCharReferences( $text );
+ $text = self::normalizeWhitespace( $text );
+
+ return $text;
+ }
+
+ /**
+ * Hack up a private DOCTYPE with HTML's standard entity declarations.
+ * PHP 4 seemed to know these if you gave it an HTML doctype, but
+ * PHP 5.1 doesn't.
+ *
+ * Use for passing XHTML fragments to PHP's XML parsing functions
+ *
+ * @return string
+ */
+ static function hackDocType() {
+ $out = "<!DOCTYPE html [\n";
+ foreach ( self::$htmlEntities as $entity => $codepoint ) {
+ $out .= "<!ENTITY $entity \"&#$codepoint;\">";
+ }
+ $out .= "]>\n";
+ return $out;
+ }
+
+ /**
+ * @param string $url
+ * @return mixed|string
+ */
+ static function cleanUrl( $url ) {
+ # Normalize any HTML entities in input. They will be
+ # re-escaped by makeExternalLink().
+ $url = self::decodeCharReferences( $url );
+
+ # Escape any control characters introduced by the above step
+ $url = preg_replace_callback( '/[\][<>"\\x00-\\x20\\x7F\|]/',
+ [ __CLASS__, 'cleanUrlCallback' ], $url );
+
+ # Validate hostname portion
+ $matches = [];
+ if ( preg_match( '!^([^:]+:)(//[^/]+)?(.*)$!iD', $url, $matches ) ) {
+ list( /* $whole */, $protocol, $host, $rest ) = $matches;
+
+ // Characters that will be ignored in IDNs.
+ // https://tools.ietf.org/html/rfc3454#section-3.1
+ // Strip them before further processing so blacklists and such work.
+ $strip = "/
+ \\s| # general whitespace
+ \xc2\xad| # 00ad SOFT HYPHEN
+ \xe1\xa0\x86| # 1806 MONGOLIAN TODO SOFT HYPHEN
+ \xe2\x80\x8b| # 200b ZERO WIDTH SPACE
+ \xe2\x81\xa0| # 2060 WORD JOINER
+ \xef\xbb\xbf| # feff ZERO WIDTH NO-BREAK SPACE
+ \xcd\x8f| # 034f COMBINING GRAPHEME JOINER
+ \xe1\xa0\x8b| # 180b MONGOLIAN FREE VARIATION SELECTOR ONE
+ \xe1\xa0\x8c| # 180c MONGOLIAN FREE VARIATION SELECTOR TWO
+ \xe1\xa0\x8d| # 180d MONGOLIAN FREE VARIATION SELECTOR THREE
+ \xe2\x80\x8c| # 200c ZERO WIDTH NON-JOINER
+ \xe2\x80\x8d| # 200d ZERO WIDTH JOINER
+ [\xef\xb8\x80-\xef\xb8\x8f] # fe00-fe0f VARIATION SELECTOR-1-16
+ /xuD";
+
+ $host = preg_replace( $strip, '', $host );
+
+ // IPv6 host names are bracketed with []. Url-decode these.
+ if ( substr_compare( "//%5B", $host, 0, 5 ) === 0 &&
+ preg_match( '!^//%5B([0-9A-Fa-f:.]+)%5D((:\d+)?)$!', $host, $matches )
+ ) {
+ $host = '//[' . $matches[1] . ']' . $matches[2];
+ }
+
+ // @todo FIXME: Validate hostnames here
+
+ return $protocol . $host . $rest;
+ } else {
+ return $url;
+ }
+ }
+
+ /**
+ * @param array $matches
+ * @return string
+ */
+ static function cleanUrlCallback( $matches ) {
+ return urlencode( $matches[0] );
+ }
+
+ /**
+ * Does a string look like an e-mail address?
+ *
+ * This validates an email address using an HTML5 specification found at:
+ * http://www.whatwg.org/html/states-of-the-type-attribute.html#valid-e-mail-address
+ * Which as of 2011-01-24 says:
+ *
+ * A valid e-mail address is a string that matches the ABNF production
+ * 1*( atext / "." ) "@" ldh-str *( "." ldh-str ) where atext is defined
+ * in RFC 5322 section 3.2.3, and ldh-str is defined in RFC 1034 section
+ * 3.5.
+ *
+ * This function is an implementation of the specification as requested in
+ * T24449.
+ *
+ * Client-side forms will use the same standard validation rules via JS or
+ * HTML 5 validation; additional restrictions can be enforced server-side
+ * by extensions via the 'isValidEmailAddr' hook.
+ *
+ * Note that this validation doesn't 100% match RFC 2822, but is believed
+ * to be liberal enough for wide use. Some invalid addresses will still
+ * pass validation here.
+ *
+ * @since 1.18
+ *
+ * @param string $addr E-mail address
+ * @return bool
+ */
+ public static function validateEmail( $addr ) {
+ $result = null;
+ if ( !Hooks::run( 'isValidEmailAddr', [ $addr, &$result ] ) ) {
+ return $result;
+ }
+
+ // Please note strings below are enclosed in brackets [], this make the
+ // hyphen "-" a range indicator. Hence it is double backslashed below.
+ // See T28948
+ $rfc5322_atext = "a-z0-9!#$%&'*+\\-\/=?^_`{|}~";
+ $rfc1034_ldh_str = "a-z0-9\\-";
+
+ $html5_email_regexp = "/
+ ^ # start of string
+ [$rfc5322_atext\\.]+ # user part which is liberal :p
+ @ # 'apostrophe'
+ [$rfc1034_ldh_str]+ # First domain part
+ (\\.[$rfc1034_ldh_str]+)* # Following part prefixed with a dot
+ $ # End of string
+ /ix"; // case Insensitive, eXtended
+
+ return (bool)preg_match( $html5_email_regexp, $addr );
+ }
+}
* @return Status On success, the good status's value is the new Session object
*/
public static function login( $username, $password, WebRequest $request ) {
- global $wgEnableBotPasswords;
+ global $wgEnableBotPasswords, $wgPasswordAttemptThrottle;
if ( !$wgEnableBotPasswords ) {
return Status::newFatal( 'botpasswords-disabled' );
return Status::newFatal( 'nosuchuser', $name );
}
+ // Throttle
+ $throttle = null;
+ if ( !empty( $wgPasswordAttemptThrottle ) ) {
+ $throttle = new MediaWiki\Auth\Throttler( $wgPasswordAttemptThrottle, [
+ 'type' => 'botpassword',
+ 'cache' => ObjectCache::getLocalClusterInstance(),
+ ] );
+ $result = $throttle->increase( $user->getName(), $request->getIP(), __METHOD__ );
+ if ( $result ) {
+ $msg = wfMessage( 'login-throttled' )->durationParams( $result['wait'] );
+ return Status::newFatal( $msg );
+ }
+ }
+
// Get the bot password
$bp = self::newFromUser( $user, $appId );
if ( !$bp ) {
}
// Ok! Create the session.
+ if ( $throttle ) {
+ $throttle->clear( $user->getName(), $request->getIP() );
+ }
return Status::newGood( $provider->newSessionForRequest( $user, $bp, $request ) );
}
}
*/
use MediaWiki\MediaWikiServices;
+use MediaWiki\Logger\LoggerFactory;
+
/**
* Base class for language conversion.
* @ingroup Language
if ( $this->guessVariant( $text, $toVariant ) ) {
return $text;
}
-
/* we convert everything except:
- * 1. HTML markups (anything between < and >)
- * 2. HTML entities
- * 3. placeholders created by the parser
- */
- $marker = '|' . Parser::MARKER_PREFIX . '[\-a-zA-Z0-9]+';
+ 1. HTML markups (anything between < and >)
+ 2. HTML entities
+ 3. placeholders created by the parser
+ IMPORTANT: Beware of failure from pcre.backtrack_limit (T124404).
+ Minimize use of backtracking where possible.
+ */
+ $marker = '|' . Parser::MARKER_PREFIX . '[^\x7f]++\x7f';
// this one is needed when the text is inside an HTML markup
- $htmlfix = '|<[^>]+$|^[^<>]*>';
+ $htmlfix = '|<[^>\004]++(?=\004$)|^[^<>]*+>';
+
+ // Optimize for the common case where these tags have
+ // few or no children. Thus try and possesively get as much as
+ // possible, and only engage in backtracking when we hit a '<'.
// disable convert to variants between <code> tags
- $codefix = '<code>.+?<\/code>|';
+ $codefix = '<code>[^<]*+(?:(?:(?!<\/code>).)[^<]*+)*+<\/code>|';
// disable conversion of <script> tags
- $scriptfix = '<script.*?>.*?<\/script>|';
+ $scriptfix = '<script[^>]*+>[^<]*+(?:(?:(?!<\/script>).)[^<]*+)*+<\/script>|';
// disable conversion of <pre> tags
- $prefix = '<pre.*?>.*?<\/pre>|';
+ $prefix = '<pre[^>]*+>[^<]*+(?:(?:(?!<\/pre>).)[^<]*+)*+<\/pre>|';
+ // The "|.*+)" at the end, is in case we missed some part of html syntax,
+ // we will fail securely (hopefully) by matching the rest of the string.
+ $htmlFullTag = '<(?:[^>=]*+(?>[^>=]*+=\s*+(?:"[^"]*"|\'[^\']*\'|[^\'">\s]*+))*+[^>=]*+>|.*+)|';
- $reg = '/' . $codefix . $scriptfix . $prefix .
- '<[^>]+>|&[a-zA-Z#][a-z0-9]+;' . $marker . $htmlfix . '/s';
+ $reg = '/' . $codefix . $scriptfix . $prefix . $htmlFullTag .
+ '&[a-zA-Z#][a-z0-9]++;' . $marker . $htmlfix . '|\004$/s';
$startPos = 0;
$sourceBlob = '';
$literalBlob = '';
// Guard against delimiter nulls in the input
// (should never happen: see T159174)
$text = str_replace( "\000", '', $text );
+ $text = str_replace( "\004", '', $text );
$markupMatches = null;
$elementMatches = null;
+
+ // We add a marker (\004) at the end of text, to ensure we always match the
+ // entire text (Otherwise, pcre.backtrack_limit might cause silent failure)
while ( $startPos < strlen( $text ) ) {
- if ( preg_match( $reg, $text, $markupMatches, PREG_OFFSET_CAPTURE, $startPos ) ) {
+ if ( preg_match( $reg, $text . "\004", $markupMatches, PREG_OFFSET_CAPTURE, $startPos ) ) {
$elementPos = $markupMatches[0][1];
$element = $markupMatches[0][0];
+ if ( $element === "\004" ) {
+ // We hit the end.
+ $elementPos = strlen( $text );
+ $element = '';
+ } elseif ( substr( $element, -1 ) === "\004" ) {
+ // This can sometimes happen if we have
+ // unclosed html tags (For example
+ // when converting a title attribute
+ // during a recursive call that contains
+ // a < e.g. <div title="<">.
+ $element = substr( $element, 0, -1 );
+ }
} else {
- $elementPos = strlen( $text );
- $element = '';
+ // If we hit here, then Language Converter could be tricked
+ // into doing an XSS, so we refuse to translate.
+ // If non-crazy input manages to reach this code path,
+ // we should consider it a bug.
+ $log = LoggerFactory::getInstance( 'languageconverter' );
+ $log->error( "Hit pcre.backtrack_limit in " . __METHOD__
+ . ". Disabling language conversion for this page.",
+ [
+ "method" => __METHOD__,
+ "variant" => $toVariant,
+ "startOfText" => substr( $text, 0, 500 )
+ ]
+ );
+ return $text;
}
-
// Queue the part before the markup for translation in a batch
$sourceBlob .= substr( $text, $startPos, $elementPos - $startPos ) . "\000";
// Translate any alt or title attributes inside the matched element
if ( $element !== ''
- && preg_match( '/^(<[^>\s]*)\s([^>]*)(.*)$/', $element, $elementMatches )
+ && preg_match( '/^(<[^>\s]*+)\s([^>]*+)(.*+)$/', $element, $elementMatches )
) {
+ // FIXME, this decodes entities, so if you have something
+ // like <div title="foo<bar"> the bar won't get
+ // translated since after entity decoding it looks like
+ // unclosed html and we call this method recursively
+ // on attributes.
$attrs = Sanitizer::decodeTagAttributes( $elementMatches[2] );
+ // Ensure self-closing tags stay self-closing.
+ $close = substr( $elementMatches[2], -1 ) === '/' ? ' /' : '';
$changed = false;
foreach ( [ 'title', 'alt' ] as $attrName ) {
if ( !isset( $attrs[$attrName] ) ) {
}
if ( $changed ) {
$element = $elementMatches[1] . Html::expandAttributes( $attrs ) .
- $elementMatches[3];
+ $close . $elementMatches[3];
}
}
$literalBlob .= $element . "\000";
$out = '';
$length = strlen( $text );
$shouldConvert = !$this->guessVariant( $text, $variant );
-
- while ( $startPos < $length ) {
- $pos = strpos( $text, '-{', $startPos );
-
- if ( $pos === false ) {
+ $continue = 1;
+
+ $noScript = '<script.*?>.*?<\/script>(*SKIP)(*FAIL)';
+ $noStyle = '<style.*?>.*?<\/style>(*SKIP)(*FAIL)';
+ // @codingStandardsIgnoreStart Generic.Files.LineLength.TooLong
+ $noHtml = '<(?:[^>=]*+(?>[^>=]*+=\s*+(?:"[^"]*"|\'[^\']*\'|[^\'">\s]*+))*+[^>=]*+>|.*+)(*SKIP)(*FAIL)';
+ // @codingStandardsIgnoreEnd
+ while ( $startPos < $length && $continue ) {
+ $continue = preg_match(
+ // Only match -{ outside of html.
+ "/$noScript|$noStyle|$noHtml|-\{/",
+ $text,
+ $m,
+ PREG_OFFSET_CAPTURE,
+ $startPos
+ );
+
+ if ( !$continue ) {
// No more markup, append final segment
$fragment = substr( $text, $startPos );
$out .= $shouldConvert ? $this->autoConvert( $fragment, $variant ) : $fragment;
return $out;
}
- // Markup found
+ // Offset of the match of the regex pattern.
+ $pos = $m[0][1];
+
// Append initial segment
$fragment = substr( $text, $startPos, $pos - $startPos );
$out .= $shouldConvert ? $this->autoConvert( $fragment, $variant ) : $fragment;
-
- // Advance position
+ // -{ marker found, not in attribute
+ // Advance position up to -{ marker.
$startPos = $pos;
-
// Do recursive conversion
+ // Note: This passes $startPos by reference, and advances it.
$out .= $this->recursiveConvertRule( $text, $variant, $startPos, $depth + 1 );
}
-
return $out;
}
"title-invalid-interwiki": "milungucay a kasabelih satangahan yamalyilu la’cus pisaungay i satangahan a milakuid Wiki masasiket.",
"title-invalid-talk-namespace": "milungucay a kasabelih satangahan nimicaliw hakay inayi’ay a sasukamu belih",
"title-invalid-characters": "milungucay a kasabelih satangahan yamalyilu la’cusay a tatebanan-nisulitan: \"$1\".",
+ "title-invalid-relative": "ilabu’ nu pyawti izaw ku malecaday pazazan. malecaday pazazanay kasabelih satangahan (./, ../) uzuma la’cus, misaungayay saazih la’cus misuped-miala malecad pazazan.",
"title-invalid-magic-tilde": "milunguc tu kasabelih satangahan izaw ku la’cusay a kaliwaza masalaing bacu (<nowiki>~~~</nowiki>)",
"title-invalid-too-long": "namilungucay a kasabelih satangahan mangasiw, satangahan pisaungay UTF-8 sakababalic a bang gu amana mangasiw $1 {{PLURAL:$1|wyiyincu}}.",
"title-invalid-leading-colon": "milungucay a kasabelih satangahan yamalyilu la’cusay a mahaw-bacu i lalingatuan.",
"viewsource": "ciwsace yuensma-kodo",
"viewsource-title": "ciwsace $1 a sakatizeng banggu",
"actionthrottled": "makelec saungay tuway",
+ "actionthrottledtext": "kisu i apuyu’ay lawad mileku misaungay kinapinapina, matabesiw ku sisetyimo a tatukian, matalaw a patahtah sa, a kelecen ku nu misu pisaungay.\npihalhalen pinapina ku lawad mitanam aca.",
"protectedpagetext": "tina kasabelih masetin midiput mitena’ mikawaway-kalumyiti saca zuma saungay tuway.",
"viewsourcetext": "kapah kisu miciwsace atu mikopi tina kasabelih a sakatizeng banggu.",
"viewyourtext": "kapah kisu miciwsace atu kopi ilabu’ tina kasabelih <strong> kisu mikawaway-kalumyiti </strong> yuensma-kodo.",
"myprivateinfoprotected": "inayi’ tungus kisu mikawaway-kalumyiti cesyun nu misu.",
"mypreferencesprotected": "inayi’ tungus kisu mikawaway-kalumyiti setin tu kanamuhan nu misu.",
"ns-specialprotected": "sazumaay a kasabelih la’cusay mikawaway-kalumyiti.",
+ "titleprotected": "tina pyawti mapa [[User:$1|$1]] tu midiput a mitena’ patizeng, mahicaay u <em>$2</em>.",
+ "filereadonlyerror": "la’cus misumad tangan \"$1\" zayhan tangan sulu \"$2\" ayza itiza i asip-dada’ muse.\n\npamutek a sisetyimo mikuwanay buhci tu kamu:\"$3\".",
"invalidtitle-knownnamespace": "pangangananay a salaedan \"$2\" atu kalungangan \"$3\" u la’cusay a satangahan",
"invalidtitle-unknownnamespace": "caay kapulita pangangananay a salaedan bacu $1 atu kalungangan \"$2\" ku la’cusay a satangahan",
"exception-nologin": "caay henay patalabu",
"createaccount": "panganganen ku canghaw",
"userlogin-resetpassword-link": "maliyuh ku mima kisu haw?",
"userlogin-helplink2": "patalabu miedap",
+ "userlogin-loggedin": "mapatalabu tu kisu ayza {{GENDER:$1|$1}} misaungayay,\nkapisaungay tu cudad isasa’ aazihan cudad mibalic patalabu tu zumaay misaungayay.",
"userlogin-reauth": "kanca kisu patalabu aca amisawantanen kisu ku {{GENDER:$1|$1}}.",
"userlogin-createanother": "patizeng tu zumaay canghaw",
"createacct-emailrequired": "imyiyo(email) puenengan",
"userexists": "nasulitan nu misu a misaungayay a kalungangan izaw tu, pipili’ zuma a kalungangan",
"loginerror": "patalabu mungangaw",
"createacct-error": "canghaw patizeng mungangaw",
+ "createacct-loginerror": "malahci tu ku pangangan tu canghaw, uyzasa la’cus lunuk sa patalabu.\nkapipalalid [[Special:UserLogin|kaulima ku misaungyay patalabu]].",
"noname": "namasuilit numisuay a misaungayay a kalungangan la’cus.",
"loginsuccesstitle": "patalabutu",
"nouserspecified": "kanca matuzu’ay cacay misaungayay a kalungangan kisu.",
"noemailcreate": "maydih kisu nipabeli cacay kapahay a imyiyo(email) puenengan.",
"passwordsent": "misaungayay \"$1\" a baluhay mima mapatahkal tu i saayaway a imyiyo(email) puenengan, kapihalhal henay maala tu tigami miliyaw patalabu aca",
"blocked-mailpassword": "numisu a IP puenengan malangat tu caay kahasa mikawaway-kalumyiti, satezep tu namakay tini IP puenengan a mima panukasan sasahicaan a mitena’ patahtah.",
+ "eauthentsent": "patigami tuway ku malucekay a tigami ta kisu misetinay a imyiyo(email) puenengan.\nanu caayhen milayap zuma a imyiyo(email), kanca kisu mikilul tigami a micuzu’ay tu kawaw, pilucek tina canghaw tatenga’ u numisuay.",
"mailerror": "pabahel imyiyo(email) mungangaw: $1",
"emailauthenticated": "imyiyo(email) puenengan nu misu malucek tu i $2 $3.",
"emailnotauthenticated": "imyiyo(email) puenengan mu misu caay henay malucek, cayhenay patigami kisu isasa’ay a sasahicaan a imyiyo(email).",
"continue-editing": "taayaw mikawaway-kalumyiti nikatatapal",
"previewconflict": "tina pataayaway miazih paazih kisu ipabaway a sulit mikawaway-kalumyiti nikatatapal a lacul masuped tuway amapaazihay aheci.",
"session_fail_preview": "<strong>ahicanaca! u nanu tina patalabu a tuki matahkal kalunasulitan mahedaw, la’cus kami lisimet nasanga’ mikawaway-kalumyiti.</strong>\n\n<em> {{SITENAME}} mawawah tu saayaway HTML muse, sisa tina pataayaway miazih kya zunga caay paazih amiliyas JavaScript madebung.</em>\n\n<strong>anu maydih kisu tatenga’ taneng misanga’ tina mikawaway-kalumyiti, pitaneng aca.</strong>\namahica caay malahci henay, nazikuz tu [[Special:UserLogout|katahkal]] piliyaw miteka patalabu, zumasatu pilucek saazihay-sakaluk setin ku \"mahasa tina calay-subal(wangyi) a cookie\".",
+ "edit_form_incomplete": "<strong>u liyad mikawaway-kalumyiti a lacul caay henay ta sefu-kikay, kapikinsa tu nu misu mikawaway-kalumyiti lacul caay hen kaleku atu pitaneng henay. </strong>",
"editing": "mikawaway tu kalumyiti $1 ayza",
"creating": "patizeng ayza $1",
"editingsection": "mikawaway tu kalumyiti ayza $1 (tusil)",
"expensive-parserfunction-category": "pisaungay sayadah eluc sisetyimo katahkalan nu kalisiw a mapulita kasabelih",
"post-expand-template-inclusion-warning": "<strong>patalaw:</strong> nicaliwan taazihan mitudung zikuz tabaki adidi’ matabesiw ku pikelec. uzuma taazihan mitudung lacul a caay papisaungay.",
"post-expand-template-inclusion-category": "nicaliwan taazihan-mitudung mangasiw kelec nu kasabelih",
+ "post-expand-template-argument-warning": "<strong> patalaw:</strong> tina kasabelih izaw cacay pabaway taazihan mitudung aazihen-sulyang tadatanayu’.\ntadatanayu’ay aazihen-sulyang tansul sa masekipo.",
"post-expand-template-argument-category": "taazihan-mitudung aazihen-sulyang izaw layad masekipoay a kasabelih",
"parser-template-loop-warning": "masedap taazihan-mitudung musaliyut: [[$1]]",
"template-loop-category": "sitatutungay masaliyut a kasabelih",
"revdelete-nooldid-title": "la’cusay a pamutekan masumad nu ayaway",
"revdelete-nooldid-text": "inayi’ matuzu’ay kisu amahicahica tu amisaungay tina sasahicaan pamutekan masumad nu ayaway nu ayaway, saca matuzu’ay sumad inayi’ay, saca kisu mitanam midimut ayza a sumad",
"revdelete-no-file": "matuzu’ay a tangan inayi’ tu.",
+ "revdelete-show-file-confirm": "sakaydihan kisu miciwsace tu tangan \"<nowiki>$1</nowiki>\" masipuay tu masumad i $2 $3?",
"revdelete-show-file-submit": "hang",
"revdelete-selected-text": "mapili’ tuway [[:$2]] tebanay{{PLURAL:$1|cacayay|yadahay}} masumad nu ayaway",
"revdelete-selected-file": "mapili’ tu [[:$2]] labu’ay {{PLURAL:$1|cacay|yadahay}} tangan baziyong:",
"revdelete-modify-missing": "misumad kasacacay ID $1 mungangaw: kalunasulitan-sulu inayi’ kya kalunasulitan",
"revdelete-no-change": "<strong>patalaw:</strong> i $1 $2 a kasacacay malunguc tu pisumad paazihay a setin.",
"revdelete-concurrent-change": "misumad i $1 $2 kasacacay mungangaway: itisuwan mitanam misumad pataayaw tu setyitase, mapasumad tu.\npikinsa tu nasulitan nazipa’an.",
+ "revdelete-only-restricted": "a midimut i $1 $2 a kasacacay mala mungangaway: amana kisu kacaay henay pipili’ miazih tu setin kasiwantan a satezep mikuwanay miciwsace kasacacay.",
"revdelete-reason-dropdown": "* lalid maazihay a misipuay a mahicaay \n** midebung nisanga’an niza tu tungus a kawaw \n** caay matatungusay a buhci tu kamu saca tekeday a cesyun\n** caay matatungusay a misaungayay a kalungangan \n** midimut yamalyilu palawacu’ay a cesyun",
"revdelete-otherreason": "zumaay/nicunusay a mahicaay:",
"revdelete-reasonotherlist": "zuma a mahicaay",
"prefs-tokenwatchlist": "sabuhat",
"prefs-diffs": "sasizuma",
"prefs-help-prefershttps": "uyni setin tu kanamuhan amalahci tu anucila patalabu kisu.",
+ "prefswarning-warning": "kisu tu nu misu a setin tu kanamuhan mikawawan a misumad caay henay singa’.\nanu caay kisu pipecec \"$1\" miliyas tina kasabelih, a caay misabulah numisuay a setin tu kanamuhan.",
"prefs-tabs-navigation-hint": "pacekil:kapah kisu pisaungay pasawili, pasawanan a pecec miketun mibalic kasabelih-paya.",
"userrights": "tungus nu misaungayay",
"userrights-lookup-user": "mipili’ misaungayay",
"userrights-expiry-othertime": "zuma a tatukian:",
"userrights-invalid-expiry": "luyaluy \"$1\" a kakatekuhan la’cus tu.",
"userrights-expiry-in-past": "luyaluy \"$1\" a kakatekuhan mangliw tu.",
+ "userrights-cannot-shorten-expiry": "la’cus kisu maluayaw i luyaluy \"$1\" sakawaway i kakatekuhan. izaway dada’ micunusen atu misipu tina a luyaluy tungusay misaungayay kapah tu a maliayaw i kakatekuhan.",
"userrights-conflict": "misaungayay tungus misumad sasula’cus! piciwsace atu malucekay sumad nu misu",
"group": "luyaluy:",
"group-user": "misaungayay",
"right-unblockself": "mihulak tu ku langat nu maku",
"right-protect": "misumad midiput tindud atu mikawaway-kalumyiti mapatatusul midiputay a kasabelih",
"right-editprotected": "mikawaway-kalumyiti midiput tu kasalaylay ku \"{{int:protect-level-sysop}}\" a kasabelih.",
+ "right-editsemiprotected": "mikawaway-kalumyiti midiput kasalaylay u \"{{int:protect-level-autoconfirmed}}\" u kasabelih",
"right-editcontentmodel": "mikawaway-kalumyiti kasabelih a lacul tatudungen-misanga’",
"right-editinterface": "mikawaway-kalumyiti misaungayay taypuolayta",
"right-editusercss": "mikawaway-kalumyiti zuma misaungayay a CSS tangan",
"windows-nonascii-filename": "tina Wiki caay midama pisaungay sazumaay bacu a tangan kalungangan.",
"fileexists-no-change": "patapabaway a tangan atu ayza baziyong a <strong>[[:$1]]</strong> tada malecad.",
"file-exists-duplicate": "tina tangan masaliyaw isasa’ay a {{PLURAL:$1|cacay|yadah}} tangan",
+ "file-deleted-duplicate": "tadamalecad tina tangan a tangan ([[:$1]]) i nasawniay masipu tu.\nkanca kisu milucek kya tanganay a masipuay a nasulitan nazipa’an iayaw miliyaw patapabaw.",
"uploadwarning": "patapabaw patalaw",
"uploadwarning-text": "pisumad isasa’ay a tangan sapuelac atu mitanam aca.",
"savefile": "misuped tu tangan",
"upload-scripted-pi-callback": "la’cus patapabaw yamalyilu XML-stylesheet sapisadimel mituzu’ a tangan.",
"uploaded-script-svg": "i mapatapabaway a SVG tangan matepa kapah micengseay a kuku’-ulic aazihen-paya \"$1\".",
"uploaded-hostile-svg": "i mapatapabaway a SVG tangan yangse aazihen-paya matepa caay kaenapay a CSS.",
+ "uploaded-event-handler-on-svg": "caay kahasa i SVG tangan setin event-handler susin <code>$1=\"$2\"</code>",
"uploaded-setting-href-svg": "masatezep pisaungay \"set\" aazihen-paya amicunus \"href\" susin ta mama yinsu.",
"uploaded-image-filter-svg": "ilabu’ mapatapabaway a SVG tangan matepa zunga sebseb-sakaluk pisaungay URL:<code><$1 $2=\"$3\"></code>.",
"uploadinvalidxml": "la’cus mitingalaw matapabaway tangan a XML.",
"upload-options": "patapabaw mapiliay",
"watchthisupload": "miazih tina tangan",
"filewasdeleted": "nasawniay izaw tu ku malecaday kalungangan a tangan patapabaw, masiputu nazikuzan.\nkanca kisu a patapabaw tina tangan pataayaw mikinsa $1.",
+ "filename-thumb-name": "tina mahiza u cacay sukep tu zunga a satangahan. amana kapisukep tu zunga patapabaw patiku malecad u Wiki. anusa, kapisumad tu pyawti, sakaizaw nu imiatu caay kahalu u sukep tu zunga saayaway sulit.",
"upload-proto-error": "padinwaay a ketun caay katatenga’",
"upload-file-error": "ilabuay a mungangaw",
"upload-file-error-text": "mitanam i sefu-kikay patizeng singa’an tu sulit sa tahkal labuay mungangaw.\npimasukazih [[Special:ListUsers/sysop|mikuwanay]].",
"upload-dialog-button-upload": "patapabaw",
"upload-form-label-infoform-title": "pulitaay a kalunasulitan",
"upload-form-label-infoform-name": "kalungangan",
+ "upload-form-label-infoform-name-tooltip": "tukubic a sapuelac tu tangan pyawti, amalusapapangangan. kapah kisu pisaungay u nu misu a kamu atu nayi’ ku cacan malusapipangangan, amana kapiyamalyilu tangan mikilulay-tangan-ngangan.",
"upload-form-label-infoform-description": "sapuelac",
"upload-form-label-infoform-description-tooltip": "sapuyu’en ku kamu sapuelac tu nalimaan amahicahicaay tu matatungus pibuhci tu kamu i kalukawaw.\ntinaku i sasing, taneng mapatahkal ku sasakamuen i sasing, kalukawawatu kahicelaan.",
"upload-form-label-own-work": "uyni ku nalimaan nu maku",
"linkstoimage": "isasaay {{PLURAL:$1| kasabelih misiket |saka $1 a kasabelih misiket}}katukuh tina tangan:",
"linkstoimage-more": "mangasiw $1 {{PLURAL:$1|kasabelih masasiket}} ta tina tangan.\nisasa’ay piazihan-tu-sulit pasilsil iayaway a dada’ {{PLURAL:$1|1 masasiket|$1 masasiket}} ta tina tangan a kasabelih.\nkapah tu kisu miciwsace [[Special:WhatLinksHere/$2|leku piazihan-tu-sulit]].",
"nolinkstoimage": "nayi’ ku kasabelih masasiket katukuh tini a tangan.",
+ "morelinkstoimage": "miciwsace masasiket tayza tina a tangan i [[Special:WhatLinksHere/$1|sayadah masasiket]].",
"linkstoimage-redirect": "$1 (tangan miliyaw patatuzu’) $2",
"sharedupload": "tina tangan namakay $1 satu hakay masaungay nu zuma a cwanan.",
+ "sharedupload-desc-there": "tina tangan namakay $1 tu hakay masazuma tu ku cwanan tu pisaungay.\nkapiazih tu tatenga’ay [$2 tangan sapuelac kasabelih] matineng tatalaayaway tu cesyun.",
"sharedupload-desc-here": "kina tangan nay $1 hakay satu pisaungay tu zuma a cwanan.\nisasaay paazih kuyniay a tangan i [$2 tangan patahkal kasabelih] a patahkalay a lacul.",
+ "sharedupload-desc-edit": "tina tangan namakay $1 zumasatu hakay masazuma ku cwanan pisaungay.\nanu maydih kisu mikawaway-kalumyiti lacul misapuelac kapah tayza i [$2 tangan sapuelac kasabelih].",
+ "sharedupload-desc-create": "tina a tangan namakay $1 atu hakay masazuma ku cwanan pisaungay.\nanu maydih kisu mikawaway-kalumyiti lacul sapuelac kapah tayza i [$2 tangan sapuelac kasabelih].",
"filepage-nofile": "inayi’ kalungangan a tangan.",
"filepage-nofile-link": "inayi’ kalungangan a tangan, kapah tu kisu [$1 patapabaw].",
"uploadnewversion-linktext": "patudud tina tangan nu baluhay a baziyong",
"filerevert-identical": "ayzaay baziyong a tangan atu mipili’ay baziyong malecalecad.",
"filedelete": "misipu \"$1\"",
"filedelete-legend": "misipu tu tangan",
+ "filedelete-intro": "maydih kisu ayza misipu tangan <strong>[[Media:$1|$1]]</strong> atu zuma sacahamin nazipa’an baziyong",
"filedelete-intro-old": "imahini amisipu kisu <strong>[[Media:$1|$1]]</strong> i [$4 $2 $3] a baziyong.",
"filedelete-comment": "mahicaay:",
"filedelete-submit": "masipu",
"filedelete-success": "masipu tu <strong>$1</strong>.",
+ "filedelete-success-old": "masipu tuway <strong>[[Media:$1|$1]]</strong> i $2 $3 a baziyong.",
"filedelete-nofile": "<strong>$1</strong> inayi’.",
"filedelete-nofile-old": "inayi’ matepa <strong>$1</strong> izaway matuzu’ay a susinay emicen henay baziyong.",
"filedelete-otherreason": "zumaay/nicunusay a mahicaay:",
"allinnamespace": "sacahamin kasabelih ($1 pangangananay a salaedan)",
"allpagessubmit": "mileku",
"allpagesprefix": "kilul tu saayaw nu nakamuan palalitemuh tu kawaw kasabelih:",
+ "allpagesbadtitle": "matuzu’ay i kasabelih satangahan la’cus, yamalyilu labu kamu saca labu’ay a Wiki i saayaway sulit.\nwiza hakay yamalyilu cacay saca yadahay la’cus micukaymas i pyawti a tatebanan nu nisulitan.",
"allpages-bad-ns": "{{SITENAME}} inayi’ \"$1\" pangangananay a salaedan.",
"allpages-hide-redirects": "midimut miliyaw patatuzu’ kasabelih",
"cachedspecial-viewing-cached-ttl": "imahini kisu miciwsace tina belih a saduba'ay baziyong, pabaw-sahezek izaw $1 a mautang.",
"watchlistanontext": "patalabu henay amiciwsace saca misumad miazihay a piazihan-tu-sulit a kasacacay.",
"watchnologin": "caay henay patalabu",
"addwatch": "cunusen tu miazihay a piazihan-tu-sulit",
+ "addedwatchtext-talk": "\"[[:$1]]\" atu mahizaay u kasabelih micunus tutayza itisuwan [[Special:Watchlist|miazihay a piazihan tu sulit]]",
"addedwatchtext-short": "miazihay a piazihan-tu-sulit nu misu macunus tu kasabelih \"$1\".",
"removewatch": "misipu nay misisip a piazihan-tu-sulit",
+ "removedwatchtext": "makayza [[Special:Watchlist|tisuwan miazihay a piazihan tu sulit]] misipu kasabelih \"[[:$1]]\" atu u matatengil kasabelih.",
+ "removedwatchtext-talk": "makayza tisuwan [[Special:Watchlist|miazihay a piazihan tu sulit]] misipu \"[[:$1]]\" atu mahizaay u kasabelih.",
"removedwatchtext-short": "miazihay a piazihan-tu-sulit nu misu masipu kasabelih \"$1\" tuway.",
"watch": "miazih",
"watchthispage": "miazih tuyni kasabelih",
"enotif_subject_moved": "{{SITENAME}} $2 milimad kasabelih $1",
"enotif_subject_restored": "{{SITENAME}} $2 patiku kasabelih $1 tuway",
"enotif_subject_changed": "{{SITENAME}} $2 masumad tuway kasabelih $1",
+ "enotif_body_intro_deleted": "{{SITENAME}} $2 masipu tu kasabelih $1 i $PAGEEDITDATE, piazihen i $3.",
"enotif_anon_editor": "paceba panganganay a misaungayay $1",
"enotif_minoredit": "payni mikilulay a mikawaway-kalumyiti",
"deletepage": "misipu tu kasabelih",
"deletecomment": "mahicaay:",
"deleteotherreason": "zumaay/nicunusay a mahicaay:",
"deletereasonotherlist": "zuma a mahicaay",
+ "deletereason-dropdown": "* maazihay tu sa masipu tu mahicaay \n** sizuma sa palatuh \n** pauning\n** maalaw nisanga’an niza tu tungus a kawaw \n** masacudaday milunguc\n** malepi’ay miliyaw patatuzau’",
"deleteprotected": "tina kasabelih madiputay tu, la’cus kisu misipu tina kasabelih.",
"rollback": "panukasan mikawaway-kalumyiti",
"rollbacklink": "panukasan",
"cantrollback": "la’cus patiku mikawaway-kalumyiti;\ntina kasabelih a sazikuz paaninay u kinacacay a masacudaday.",
"alreadyrolled": "la’cus patiku nay [[User:$2|$2]] ([[User talk:$2|sasukamu]]{{int:pipe-separator}}[[Special:Contributions/$2|{{int:contribslink}}]] sapihica sazikuzay cacay mikawaway-kalumyiti [[:$1]], izawtu zumaay tatemaw mikawaway-kalumyiti saca patikutu kya kasabelih.)\n\nsazikuzay a cacay mikawaway-kalumyiti kya kasabelih a misaungayay sa ku [[User:$3|$3]] ([[User talk:$3|sasukamu]]{{int:pipe-separator}}[[Special:Contributions/$3|{{int:contribslink}}]]).",
"editcomment": "mikawaway-kalumyiti pecu’ nu lacul ku: <em>$1</em>.",
+ "revertpage-nouser": "mapatiku tu midimut misaungayay ku mikawaway-kalumyiti malasazikuz {{GENDER:$1|[[User:$1|$1]]}} masumad nu ayaway a baziyong",
"rollback-success-notify": "mapatiku $1 nikawawan mikawaway-kalumyiti;\nmisumad patiku ta $2 masumad nu ayaway a sazikuz cacay baziyong. [$3 paazih ku masumaday]",
"sessionfailure-title": "kasasiket mungangaw",
"sessionfailure": "kisu patalabu kasasiketan mahiza simunday,\nsaka pataayaw-milangat kasasiketan maalaw atu madebung, tina saungay mapalawpes tuway.\npitatiku ayaway a kasabelih, miliyaw maasip kya kasabelih pitaneng aca.",
"protect_expiry_old": "Expiration time is in the past.",
"protect-unchain-permissions": "mihulak pamutek yadahay a midiput mapiliay",
"protect-text": "kapah kisu itini miciwsace atu misumad kasabelih <strong>$1</strong> a midiput tu kasalaylay.",
+ "protect-locked-blocked": "kasabelih malangat tuway, la’cus misumad midiput kasalaylay.\nisasa’ay kasabelih <strong>$1</strong> ayzaay a setin:",
+ "protect-locked-dblock": "nasulitan-sulu maazihen, la’cus misumad midiput kasalaylay.\nzikuz u kasabelih <strong>$1</strong> ayza setin:",
+ "protect-locked-access": "numisu a canghaw inayi’ ku tungus mabalic midiput kasaliyliy.\nisasa’ay kasabelih <strong>$1</strong> ayzaay a setin:",
"protect-default": "mahasa sacahamin misaungayay",
"protect-fallback": "mahasa dada’ ku \"$1\" situngusay a misaungayay",
"protect-level-autoconfirmed": "mahasa dada’ lunuk malucekay tu misaungayay",
"protect-existing-expiry-infinity": "masetin tuway a kakatekuhan: inayi’kakatekuhan",
"protect-otherreason": "zumaay/nicunusay a mahicaay:",
"protect-otherreason-op": "zuma a mahicaay",
+ "protect-dropdown": "* maazihay a pidiput mahicaay \n** matabesiw tu ku pisala’cus\n** tadayadah ku tatuni’ palatuh \n** hatay tu kaizawan a mikawaway-kalumyiti ngayaw\n** takalaw ku talabu’ay i kasabelih",
"protect-edit-reasonlist": "midiput a mahicaay nu mikawaway-kalumyiti",
"restriction-type": "tungus:",
"restriction-level": "kelec kasaselal:",
"undelete-error": "palawpes masipu kasabelih mungangaw",
"undelete-error-short": "palawpes masipu tangan mungangaw: $1",
"undelete-error-long": "imahini palawpes misipu tangan bahal mungangaw:\n\n$1",
+ "undelete-show-file-confirm": "pilucek kisu maydih miciwsace tu tangan \"<nowiki>$1</nowiki>\" i $2 $3 masipuay tu masumad nu ayaway?",
"undelete-show-file-submit": "hang",
"namespace": "pangangananay a salaedan:",
"invert": "kabelihan mipili’",
"ip_range_toolarge": "caay mahasa milangat kya taliyuk mangasiw /$1.",
"proxyblocker": "kutay sefu-kikay milangat-kikay",
"sorbsreason": "numisu a IP u puenengan i {{SITENAME}} pisaungayan DNSBL mapala mawawah midayli sefu-kikay",
+ "sorbs_create_account_reason": "numisu a IP puenengan i {{SITENAME}} pisaungay sa DNSBL mala mawawah kutay sefu-kikay.\nla’cus kisu panganganen ku canghaw.",
"softblockrangesreason": "IP puenengan nu misu ($1) inayi’ mahasa paceba pangangan paanin, pipatalabu.",
"xffblockreason": "IP puenengan nu misu pisaungay X-Forwarded-For satangahan, kisu saca pisaungay nu misu a kutay sefu-kikay malangat tuway.\nmalangatay a mahicaay ku:$1",
+ "cant-see-hidden-user": "maydih kisu milangatay a misaungayay malangat tuway zumasatu midimutay tuway.\ninayi’ kisu pidimut misaungayay tungus, la’cus kisu miciwsace saca mikawaway-kalumyiti sa misaungayay langat setyitase.",
"ipbblocked": "izay kisu malangat, sisa la’cus milangat saca mihulak malangatay a zuma misaungayay",
"ipbnounblockself": "caay mahasa mihulak malangat tu kisu.",
"lockdb": "pamutek tu sulu nu kalunasulitan",
"move-page": "milimad $1",
"move-page-legend": "milimad kasabelih",
"movepagetext": "isasa’ay a aazihan cudad kapah sapihica miliyaw pangangan cacay kasabelih, atu milimad mikabu kya kasabelih a sacahamin nazipa’an nasulitan ta izaw baluhay kalungangan a kasabelih.\nmaluman pyawti a kasabelih amiliyaw patatuzu’ kasabelih, payiza pisaungay baluhay pyawti a kasabelih.\npikinsa izaw haw ku [[Special:DoubleRedirects|hatusa miliyaw patatuzu’]] saca [[Special:BrokenRedirects|malepi’ay a miliyaw patatuzu’]] maydih misumad.\nizaw kisu sikining ngay masasiket palalid payiza tatenga’ay a kakitizaan.\n\npiazihen, amahica baluhayay a kasabelih kalungangan masaungay tuway, kyu tina kasabelih <strong> caay </strong> malimad tu zuma kakitizaan, anu caay baluhay kalungangan miliyaw patatuzu’ kasabelih zumasatu inayi’ amahicahica mikawaway-kalumyiti nazipa’an.\nmahiza sakamu, kapah kisu milimad mungangaw ta zuma kalungangan a kasabelih patiku ta saayaway kalungangan,uyzasa amana mitahpu amahicahica tu ayzaay kasabelih.\n\n<strong> azihen: </strong>\ntina saungay sakay manamuhay kasabelih hakay tadamaan atu talibahalay a sumad;\niayaw nu saungay kaluceki matineng kisu haw hakay kya teluc nay milimad.",
+ "movenologintext": "kanca kisu ku mapangangan tuway a misaungayay atu [[Special:UserLogin|patalabu]] kya taneng milimad tu kasabelih",
"movenotallowed": "inayi’ tungus milimad tu tangan.",
"movenotallowedfile": "inayi’ tungus milimad tu tangan.",
"cant-move-user-page": "inayi’ tungus kisu milimad misaungayay kasabelih (caay yamalyilu sailuc-kasabelih)",
"import-error-interwiki": "kasabelih \"$1\" kalungangan maliwan hizantu mala hekalay masasiket (interwiki) pisaungay, la’cus pacumud.",
"import-error-special": "kasabelih \"$1\" tungusay nu caay mahasa kasabelih a sazumaay azihen pangangananay a salaedan, la’cus pacumud.",
"import-error-invalid": "kasabelih \"$1\" pacumud tina Wiki a kalungangan la’cus, la’cus pacumud.",
+ "import-error-unserialize": "kasabelih \"$1\" sumad $2 la’cus pabelih-salaylay. tina masumad nu ayaway pisaungay $3 lacul tatudungen misanga’ i $4 a sasakawawen pasalaylayan.",
"import-error-bad-location": "tina a Wiki a kasabelih \"$1\" caay pidama pisaungay tu lacul tatudungen misanga’ $3, masumad nu ayaway $2 la’cus misuped tayza i kasabelih.",
"import-options-wrong": "{{PLURAL:$2|mapili’ay}} mungangaw: <nowiki>$1</nowiki>",
"import-rootpage-invalid": "matuzu’ay a limit-kasabelih satangahan la’cus.",
"filedelete-archive-read-only": "calay-belih(wangyi) sefu-kikay inayi’ malangat-misupet dilyikotoling \"$1\" suliten a tungus.",
"previousdiff": "← malumanay a mikawaway tu kalumyiti",
"nextdiff": "baluhayay mikawaway tu kalumyit →",
+ "mediawarning": "<strong>patalaw:</strong> tina tangan nikalahizaan hakay yamalyilu padetengan la’cusay kodo.\namahica mikawaw hakay u numisu a sisetyimo sakalepi’an.",
"imagemaxsize": "zunga pinalu hacica tabaki kelec:<br /><em>(saungay i tangan sapuelac kasabelih)</em>",
"thumbsize": "sukep tu zunga hacica-tabaki:",
"widthheightpage": "$1 × $2, $3 {{PLURAL:$3|ku kasabelih}}",
"file-info-gif-frames": "$1 {{PLURAL:$1|kulit sapat}}",
"file-info-png-frames": "$1 {{PLURAL:$1|kulit sapat}}",
"file-no-thumb-animation": "<strong>azihen: kyu sitaneng mikelec, tina tangan sukep tu zunga nayi’ ku laheci nu tunghwa</strong>",
+ "file-no-thumb-animation-gif": "<strong>piazihen: nay sitaneng kiyu makelec, tina nikalahizaan takalaw katingalaw GIF zunga inayi’ kananuwangay a teluc.</strong>",
"newimages": "baluhay tangan a sulu nu zunga",
"newimages-summary": "uyni sazumaay a kasabelih paazih sabaluhay patapabaw a tangan",
"newimages-legend": "kilim",
"namespacesall": "hamin",
"monthsall": "hamin",
"confirmemail": "milucekay tu imyiyo(email) puengan",
+ "confirmemail_noemail": "caay henay kisu kaw numisu [[Special:Preferences|setin tu kanamuhan]] ilabu’ misetin cacay kapahay a imyiyo(email) puenengan.",
"confirmemail_send": "imyiyo(email) malucekay-kodo",
"confirmemail_sent": "malucekay mapatigami tuway.",
+ "confirmemail_sendfailed": "{{SITENAME}} la’cus mapabahel ku numisu malucekay a tigami, kapikinsa tu imyiyo(email) puenengan izaw hakiya ku la’cusay tatebanan nu nisulitan.\n\npabahelay pacubelis: $1",
"confirmemail_invalid": "la’cus malucekay-kodo.\nkya kodo hakay mangasiw tuway.",
"confirmemail_needlogin": "$1 pilucek tu misuay a imyiyo(email) puenengan nu misu.",
+ "confirmemail_success": "numisu a imyiyo(email) malucekay tu. kapah kisu ayza [[Special:UserLogin|patalabu]] misaungay tina a calay-kakacawan(wangcan).",
"confirmemail_loggedin": "malucekay tu misuay imyiyo(email) puengengan.",
"confirmemail_subject": "{{SITENAME}} imyiyo(email) puenengan malucekay tuway",
"confirmemail_invalidated": "palawpes tu imyiyo(email) puenengan palucekay",
"watchlisttools-raw": "mikawaway-kalumyiti saayaway misisip a piazihan-tu-sulit",
"signature": "[[{{ns:user}}:$1|$2]] ([[{{ns:user_talk}}:$1| sasukamu ]])",
"timezone-local": "itizaay",
+ "duplicate-defaultsort": "<strong> patalaw:</strong> pataayaw tu kawaw tu kasalaylay pecec \"$2\" matineng mitahpu nasawniay pataayaw tu kawaw nu kasalaylay pecec \"$1\".",
"duplicate-displaytitle": "<strong>patalaw:</strong> paazih satangahan \"$2\" mitahpu ayaway paazih satangahan \"$1\".",
+ "restricted-displaytitle": "<strong>patalaw:</strong> anu paazih tu pyawti atu kasabelih tatenga’ay pyawti caay kalecad, masekipo tu paazih pyawti \"$1\".",
"invalid-indicator-name": "<strong> mungangaw:</strong> kasabelih setyitase micuzu’ay tu kawaw a <code>name</code> susin amana inayi’",
"version": "baziyong",
"version-extensions": "malacul tu sacunusan a sakaluk",
"version-credits-not-found": "caay katepa tina sacunusay a pulita kasakumi nu misayingaay cesyun",
"version-poweredby-others": "zuma",
"version-poweredby-translators": "translatewiki.net mibelihay",
+ "version-credits-summary": "mikukay kami isasa’ay a tadeamw ku [[Special:Version|MediaWiki]] a paanin",
"version-license-info": "MediaWiki ku paybalucu’ zwanti; kapah kisu sausi paybalucu’ zwanti kikingkay patahkalay a GNU hina kapulungan sapabeli tu kinli a cedang kakilulen, amiliyaw patiyak atu / saca amisumad tina cengse; namahicahica kisu sausi ku tina sapabeli tu kinli a cedang a sakatusa baziyong saca (kapah kisu mipili’ nay kisu) izikuzay a amahicahica baziyong.\n\ntina cengse patiyakay a patusukan sa ku maydih kapah nipabeli saedap, uyzasa caay mitelung amahicahica sikinin mihusiw; zumasatu caay milimek sakay matatungus-pacakayay saca uzumaay sasahicaan a matatungusay zasatu sikinin. kahica nu kawaw piazihan GNU hina kapulungan pabeli tu kinli.\n\nkanca kisu maladay tina cengse milayap [{{SERVER}}{{SCRIPTPATH}}/COPYING GNU hina kapulungan sapabeli tu kinli a cedang a mikilulay-cudad]; amahica inayi’, pipatigami patakus paybalucu’ zwanti kikingkay, 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA, saca [//www.gnu.org/licenses/old-licenses/gpl-2.0.html ipabaw nu calay miasip].",
"version-software": "malacul tu ku zwanti",
"version-software-product": "nasang’ay a tuutuud",
"tags-create-reason": "mahicaay:",
"tags-create-submit": "patizeng",
"tags-create-no-name": "manakanca kisu matuzu’ay cacay aazihen a paya kalungangan.",
+ "tags-create-invalid-chars": "aazihen-paya kalungangan la’cus yamalyilu widi-bacu (<code>,</code>) saca u cielis-kenis (<code>/</code>).",
"tags-create-invalid-title-chars": "aazihen-paya kalungangan caay yamalyilu la’cus misaungayay kasabelih satangahan a tatebanan-nisulitan",
"tags-create-already-exists": "aazihen a paya \"$1\" izaw tu.",
"tags-create-warnings-above": "mitanam patizeng aazihen-paya \"$1\" tatukian mahica isasa’ {{PLURAL:$2|patalaw}}:",
"tags-delete-submit": "la’cus palawpes misipu tina aazihen a paya",
"tags-delete-not-allowed": "la’cus misipu nay sacunus misaheciay a aazihen-paya, anu... kya sacunus mahasa tuway",
"tags-delete-not-found": "aazihen a paya \"$1\" inayi’.",
+ "tags-delete-too-many-uses": "aazihen-paya \"$1\" macaedung ta $2 makatusatusa {{PLURAL:$2|masumad nu ayaway}}, tina dayhiwtu aazihen-paya a la’cus masipu.",
"tags-delete-warnings-after-delete": "aazihen-paya \"$1\" masipu tuway, nika matahkal isasa’ {{PLURAL:$2|patalaw}}",
"tags-delete-no-permission": "inayi’ tungus masipu aazihen a paya kisu.",
"tags-activate-title": "miteka aazihen a paya",
"htmlform-datetime-placeholder": "YYYY-MM-DD HH:MM:SS",
"htmlform-date-invalid": "matuzu’ kisu a sulyang caay kakapah ku taazihan a demiad, pitanam misaungay YYYY-MM-DD kese",
"htmlform-time-invalid": "matuzu’ay a sulyang nu misu caay kacacay kapah taazihan a tuki, pitanam misaungay HH:MM:SS kese",
+ "htmlform-datetime-invalid": "matuzu’ay u sulyang nu misu caay ka cacay kapah tu u taazihan a demiad atu tatukian, kapitanam misaungay YYYY-MM-DD HH:MM:SS kese",
"htmlform-date-toolow": "matuzu’ay a sulyang nu misu mahasaay a demiad i ayaw nu $1.",
"htmlform-date-toohigh": "matuzu’ay a sulyang i zikuz nu mahasaay a demiad $1.",
"htmlform-time-toolow": "namatuzu’ kisu a sulyang i ayaw nu saayaw mahasa a tuki $1.",
"revdelete-uname-unhid": "palawpes midimut misaungayay a kalungangan",
"revdelete-restricted": "caedung mikuwanay a kelec tuway",
"revdelete-unrestricted": "masipu tu ku mikuwanay a kelec",
+ "logentry-block-block": "$1 {{GENDER:$2|malangat tu}} {{GENDER:$4|$3}} kakatekuhan u $5 $6",
"logentry-block-unblock": "$1 {{GENDER:$2|mahulaktu ku langat}} {{GENDER:$4|$3}}",
+ "logentry-suppress-block": "$1 {{GENDER:$2|malangat tu}} {{GENDER:$4|$3}} kakatekuhan u $5 $6",
+ "logentry-suppress-reblock": "$1 {{GENDER:$2|masumad tuway}} {{GENDER:$4|$3}} a milangatay a setin kakatekuhan sa ku $5 $6",
"logentry-import-upload": "$1 nay tangan patapabaw {{GENDER:$2|pacumud}} $3",
"logentry-import-upload-details": "$1 pisaungay tangan patapabaw tuway {{GENDER:$2|pacumud}} $3 ($4 {{PLURAL:$4| misumad nu ayaway}})",
"logentry-import-interwiki": "$1 namakay zuma wiki {{GENDER:$2|pacumud}} $3",
+ "logentry-import-interwiki-details": "$1 namakayza $5 {{GENDER:$2|pacumud}} $3 ($4 {{PLURAL:$4|masumad nu ayaway}})",
"logentry-merge-merge": "$1 pala $3 {{GENDER:$2|mikabu}} ta $4 (masumad nu ayaway baziyong ta $5)",
"logentry-move-move": "$1 {{GENDER:$2|milimad tuway}} kasabelih $3 katukuh $4",
"logentry-move-move-noredirect": "$1 {{GENDER:$2|malimad tuway}} kasabelih $3 katukuh $4, caay pisubelid miliyaw patatuzau’",
"logentry-move-move_redir": "$1 malimad kasabelih $3 tu $4 zumasatu mitahpu nuayaway miliyaw patatuzau’",
+ "logentry-move-move_redir-noredirect": "$1 {{GENDER:$2|milimad tuway}} kasabelih $3 mitahpu miliyaw patatuzau’ kasabelih ta $4, caay piliwan miliyaw patatuzau’ kasabelih",
"logentry-patrol-patrol": "$1 {{GENDER:$2|mapasilusi}} kasabelih $3 a sumad $4 ku mapatayza tu mikibi",
"logentry-patrol-patrol-auto": "$1 malunuk tu {{GENDER:$2| silusi }} kasabelih $3 sumad $4 apatayza mikibi tu.",
"logentry-newusers-newusers": "{{GENDER:$2|patizeng}} misaungayay canghaw tuway $1",
"feedback-close": "malahecitu",
"feedback-external-bug-report-button": "munday nu patubeli",
"feedback-dialog-title": "patahkal tu kamu mihwidubaku",
+ "feedback-dialog-intro": "kapah kisu misaungay isasa’ay a kadayuman aazihan cudad pabahel tu nabalucu’an hwidubaku nu misu. u nabalucu’an nu misu a misaungay tu nu misu misaungayay a kalungangan cunusen tayza i kasabelih \"$1\".",
"feedback-error1": "mungangaw: la’cus sapulita API maminay a heci",
"feedback-error2": "mungangaw: mikawaway-kalumyiti mungangaw",
"feedback-error3": "mungangaw: API inayi’ patukil",
"feedback-message": "palatuh:",
"feedback-subject": "satangahan:",
"feedback-submit": "patayzaan",
+ "feedback-terms": "matineng kaku u numaku a pisaungay makutay nu cesyun yamalyilu leku tu saazihsay-sakaluk atu kawaw sisetyimo baziyong cesyun, zumasatu u cesyun atu nabalucu’an nu hwidubakumapalung patahkal kasasimel.",
"feedback-termsofuse": "patubeli kaku kilulen mamaala a cedang nipabeli nabalucu’an hwidubaku.",
"feedback-thanks": "kukay! nu misu a nabalucu’an hwidubaku mapatiyak tu kasabelih \"[$2 $1]\"",
"feedback-thanks-title": "kukay tisuwanan!",
"uploadstash-bad-path-unrecognized-thumb-name": "Невядомая назва мініятуры.",
"uploadstash-bad-path-no-handler": "Ня знойдзены апрацоўнік для mime-тыпу $1 файлу $2.",
"uploadstash-bad-path-bad-format": "Ключ «$1» мае няслушны фармат.",
+ "uploadstash-file-not-found": "Ключ «$1» ня знойдзены ў схованцы.",
"invalid-chunk-offset": "Няслушнае зрушэньне фрагмэнту",
"img-auth-accessdenied": "Доступ забаронены",
"img-auth-nopathinfo": "Адсутнічае PATH_INFO.\nВаш сэрвэр не ўстаноўлены на пропуск гэтай інфармацыі.\nМагчма, ён працуе праз CGI і не падтрымлівае img_auth.\nГлядзіце https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Image_Authorization.",
"nosuchusershort": "\"$1\" নামের কোন ব্যবহারকারী নেই। নামের বানান পরীক্ষা করুন।",
"nouserspecified": "আপনাকে অবশ্যই ব্যবহারকারী নাম নির্দিষ্ট করতে হবে।",
"login-userblocked": "এই ব্যবহারকারীকে বাধা দেওয়া হয়েছে। প্রবেশ সম্ভব নয়।",
- "wrongpassword": "আপনি ভুল পাসওয়ার্ড ব্যবহার করেছেন। অনুগ্রহ করে আবার চেষ্টা করুন।",
+ "wrongpassword": "à¦\86পনি à¦à§\81ল বà§\8dযবহারà¦\95ারà§\80 নাম বা পাসà¦\93য়ারà§\8dড বà§\8dযবহার à¦\95রà§\87à¦\9bà§\87ন। à¦\85নà§\81à¦\97à§\8dরহ à¦\95রà§\87 à¦\86বার à¦\9aà§\87ষà§\8dà¦\9fা à¦\95রà§\81ন।",
"wrongpasswordempty": "পাসওয়ার্ড প্রবেশের ঘরটি খালি ছিল। দয়া করে আবার চেষ্টা করুন।",
"passwordtooshort": "পাসওয়ার্ড কমপক্ষে {{PLURAL:$1|১ অক্ষরের|$1 অক্ষরের}} হতে হবে।",
"passwordtoolong": "পাসওয়ার্ড {{PLURAL:$1|১|$1}} অক্ষরের চেয়ে দীর্ঘ হতে পারবে না।",
"prefs-email": "ইমেইলের পছন্দগুলি",
"prefs-rendering": "অবয়ব",
"saveprefs": "সংরক্ষণ",
- "restoreprefs": "সà¦\95ল পà§\82রà§\8dবনিরà§\8dধারিত সà§\87à¦\9fিà¦\82 ফিরিয়à§\87 à¦\86নà§\8b (সকল অংশে)",
+ "restoreprefs": "সà¦\95ল পà§\82রà§\8dবনিরà§\8dধারিত সà§\87à¦\9fিà¦\82 ফিরিয়à§\87 à¦\86নà§\81ন (সকল অংশে)",
"prefs-editing": "সম্পাদনা",
"searchresultshead": "অনুসন্ধান",
"stub-threshold": "অসম্পূর্ণ নিবন্ধের সংযোগ ফরম্যাটিং-এর জন্য এরকম নিবন্ধের আকারের প্রান্তসীমা ($1):",
"historywarning": "<strong>Тергам бе:</strong> Хьо дӀаяккха гӀертачу агӀона, нисдарийн истори ю, $1 {{PLURAL:$1|верси}} йолуш:",
"historyaction-submit": "Гайта",
"confirmdeletetext": "Хьо гӀерта агӀо я файл дӀаяккха '''дехар до''', дӀаяккхале хьалха хьажа [[{{MediaWiki:Policy-url}}|кхуза]].",
- "actioncomplete": "Ð\94еÑ\88деÑ\80г кхочушдина",
- "actionfailed": "Кхочушъ дина дац",
+ "actioncomplete": "Ð\9aхочушдина",
+ "actionfailed": "Кхочушъ цадина",
"deletedtext": "«$1» дӀаяьккхина яра.\nХьажа. $2 хьажарна оцу тӀаьхьара дӀаяхначара могӀаме.",
"dellogpage": "ДӀадаьхнарш долу тéптар",
"dellogpagetext": "Лахахь гойтуш ю тӀаьххьара дӀаяьхнарш.",
"timezoneregion-indian": "ئوقیانووسی ھیند",
"timezoneregion-pacific": "ئۆقیانووسی ئارام",
"allowemail": "ڕێگە بدە بە بەکارھێنەرانی تر کە ئیمەیلم بۆ بنێرن",
+ "email-blacklist-label": "ڕێگری لە ناردنی پۆستی ئەلیکترۆنی لە لایەن ئەم بەکارھێنەرانە بکە:",
"prefs-searchoptions": "گەڕان",
"prefs-namespaces": "بۆشایی ناوەکان",
"default": "بنچینەیی",
"rcfilters-filter-newpages-label": "دروستکردنی پەڕەکان",
"rcfilters-filter-categorization-label": "گۆڕانکاری پۆلەکان",
"rcfilters-filter-logactions-label": "کردارە لۆگییەکان",
- "rcfilters-view-advanced-filters-label": "پاڵوێنە پێشکەوتووەکان",
"rcnotefrom": "ژێرەوە {{PLURAL:$5|گۆڕانکارییەکەیە|گۆڕانکارییەکانە}} لە <strong>$3، $4</strong>ەوە (ھەتا <strong>$1</strong> نیشان دراوە).",
"rclistfrom": "گۆڕانکارییە نوێکان نیشان بدە بە دەستپێکردن لە $3 $2",
"rcshowhideminor": "دەستکارییە بچووکەکان $1",
"logentry-delete-delete": "$1 پەڕەی $3ی {{GENDER:$2|سڕییەوە}}",
"logentry-delete-delete_redir": "$1 {{GENDER:$2|ڕەوانەکەری}} $3 سڕیەوە",
"logentry-delete-restore": "$1 پەڕەی $3ی {{GENDER:$2|ھێنایەوە}} ($4)",
+ "restore-count-revisions": "{{PLURAL:$1|$1 پێداچوونەوە}} هێنرایەوە",
"logentry-delete-revision": "$1 دەرکەوتنی {{PLURAL:$5|پێداچوونەوەیەکی|$5 پێداچوونەوەی}} پەڕەی $3ی {{GENDER:$2|گۆڕیی}}: $4",
"logentry-suppress-delete": "$1 پەڕەی $3 {{GENDER:$2|بەرگری کرد}}.",
"revdelete-content-hid": "ناوەرۆک شاردراوە",
"nosuchusershort": "Der Benutzername „$1“ ist nicht vorhanden. Bitte überprüfe die Schreibweise.",
"nouserspecified": "Bitte gib einen Benutzernamen an.",
"login-userblocked": "{{GENDER:$1|Dieser Benutzer|Diese Benutzerin}} ist gesperrt. Die Anmeldung ist nicht erlaubt.",
- "wrongpassword": "Das Passwort ist falsch. Bitte versuche es erneut.",
+ "wrongpassword": "Der Benutzername oder das Passwort ist falsch. Bitte versuche es erneut.",
"wrongpasswordempty": "Es wurde kein Passwort eingegeben. Bitte versuche es erneut.",
"passwordtooshort": "Passwörter müssen mindestens {{PLURAL:$1|1 Zeichen|$1 Zeichen}} lang sein.",
"passwordtoolong": "Passwörter können nicht länger als {{PLURAL:$1|ein|$1}} Zeichen sein.",
"nosuchusershort": "There is no user by the name \"$1\".\nCheck your spelling.",
"nouserspecified": "You have to specify a username.",
"login-userblocked": "This user is blocked. Login not allowed.",
- "wrongpassword": "Incorrect password entered.\nPlease try again.",
+ "wrongpassword": "Incorrect username or password entered.\nPlease try again.",
"wrongpasswordempty": "Password entered was blank.\nPlease try again.",
"passwordtooshort": "Passwords must be at least {{PLURAL:$1|1 character|$1 characters}}.",
"passwordtoolong": "Passwords cannot be longer than {{PLURAL:$1|1 character|$1 characters}}.",
"underline-never": "Neniam",
"underline-default": "Pravaloro laŭ foliumilo",
"editfont-style": "Tipara stilo de redakta tekstujo",
- "editfont-default": "Retumila defaŭlto",
"editfont-monospace": "Egallarĝa tiparo",
"editfont-sansserif": "Senserifa tiparo",
"editfont-serif": "Serifa tiparo",
"explainconflict": "Iu alia ŝanĝis la paĝon post kiam vi ekredaktis.\nLa supra tekstujo enhavas la aktualan tekston de la artikolo.\nViaj ŝanĝoj estas en la malsupra tekstujo.\nVi devas mem kunfandi viajn ŝanĝojn kaj la jaman tekston.\n'''Nur''' la teksto en la supra tekstujo estos konservita kiam vi alklakos \"$1\".",
"yourtext": "Via teksto",
"storedversion": "Registrita versio",
- "nonunicodebrowser": "'''ATENTU: Via foliumilo ne eltenas unikodon, bonvolu ŝanĝi ĝin antaŭ ol redakti artikolon.'''",
"editingold": "'''AVERTO: Vi nun redaktas malnovan version de tiu ĉi artikolo.\nSe vi konservos vian redakton, ĉiuj ŝanĝoj faritaj post tiu versio perdiĝos.'''",
+ "unicode-support-fail": "Ŝajnas ke via krozilo ne subtenas Unikodon. Tiu subteno estas necesa por redakti paĝojn, tial via redakto ne estis konservita.",
"yourdiff": "Malsamoj",
"copyrightwarning": "Bonvolu noti, ke ĉiu kontribuaĵo al la {{SITENAME}} estu rigardata kiel eldonita laŭ $2 (vidu je $1). Se vi volas, ke via verkaĵo ne estu redaktota senkompate kaj disvastigota laŭvole, ne alklaku \"Konservi\".<br />\nVi ankaŭ ĵuras, ke vi mem verkis la tekston, aŭ ke vi kopiis ĝin el fonto senkopirajta.\n'''NE UZU AŬTORRAJTE PROTEKTATAJN VERKOJN SENPERMESE!'''",
"copyrightwarning2": "Bonvolu noti ke ĉiuj kontribuoj al {{SITENAME}} povas esti reredaktitaj, ŝanĝitaj aŭ forigitaj de aliaj kontribuantoj. Se vi ne deziras, ke viaj verkoj estu senkompate reredaktitaj, ne publikigu ilin ĉi tie.<br />\nVi ankaŭ promesu al ni ke vi verkis tion mem aŭ kopiis el publika domajno aŭ simila libera fonto (vidu $1 por detaloj).\n'''NE PROPONU KOPIRAJTITAJN VERKOJN SEN PERMESO!'''",
"readonlywarning": "'''AVERTO: La datumbazo estas ŝlosita por teknika laboro, do vi ne povas konservi viajn redaktojn ĉi-momente.'''\nVi eble volus elkopii kaj alglui vian tekston al tekstdosiero kaj konservi ĝin por posta uzo.\n\nLa administranto kiu ŝlosis ĝin donis ĉi tiun eksplikaĵon: $1",
"protectedpagewarning": "'''Averto: Ĉi tiu paĝo estas ŝlosita kontraŭ redaktado krom de administrantoj.'''\nJen la lasta protokolero provizita por via referenco:",
"semiprotectedpagewarning": "'''Notu:''' Ĉi tiu paĝo estas ŝlosita tiel ke nur ensalutintaj uzantoj povas redakti ĝin.\nJen la lasta protokolero por via referenco:",
- "cascadeprotectedwarning": "<strong>Averto:</strong> Ĉi tiu paĝo estas ŝlosita, tiel ke nur uzantoj kun administrantaj privilegioj povas redakti ĝin, ĉar ĝi estas inkludita en la {{PLURAL:$1|sekvan kaskade protektitan paĝon|sekvajn kaskade protektitajn paĝojn}}:",
+ "cascadeprotectedwarning": "<strong>Averto:</strong> Ĉi tiu paĝo estas ŝlosita, tiel ke nur uzantoj kun administraj privilegioj povas redakti ĝin, ĉar ĝi estas inkludita en la {{PLURAL:$1|sekvan kaskade protektitan paĝon|sekvajn kaskade protektitajn paĝojn}}:",
"titleprotectedwarning": "'''Averto: Ĉi tiu paĝo estis ŝlosita tial nur [[Special:ListGroupRights|specifaj rajtoj]] estas bezonaj por krei ĝin.'''\nJen la lasta protokolero por via referenco:",
"templatesused": "{{PLURAL:$1|Ŝablono uzata|Ŝablonoj uzataj}} en ĉi tiu paĝo:",
"templatesusedpreview": "{{PLURAL:$1|Ŝablono uzata|Ŝablonoj uzataj}} en ĉi tiu antaŭrigardo:",
"post-expand-template-argument-category": "Paĝoj enhavantaj forlasitajn argumentojn de ŝablonoj",
"parser-template-loop-warning": "Rekursiva ŝablono estis trovita: [[$1]]",
"template-loop-category": "Paĝoj kun ŝablonaj iteracioj",
+ "template-loop-category-desc": "Ĉi tiu paĝo enhavas ŝablonan ciklon, t. e. ŝablono kiu rikure vokas sin mem.",
+ "template-loop-warning": "<strong>Averto:</strong> Ĉi tiu paĝo vokas [[:$1]], kaŭzante ŝablonan ciklon (senfinan rikuran vokadon).",
"parser-template-recursion-depth-warning": "Ŝablona profundeco transpasis limon ($1)",
"language-converter-depth-warning": "Profundo de lingvo-konvertilo preterpasis limon ($1)",
"node-count-exceeded-category": "Paĝoj kie la nombro da nodoj estas preterpasita",
"search-interwiki-caption": "Kunprojektoj",
"search-interwiki-default": "Rezultoj de $1:",
"search-interwiki-more": "(plu)",
+ "search-interwiki-more-results": "pliaj rezultoj",
"search-relatedarticle": "Relataj",
"searchrelated": "rilataj",
"searchall": "ĉiuj",
"timezoneregion-indian": "Hinda Oceano",
"timezoneregion-pacific": "Pacifiko",
"allowemail": "Ebligi akceptadon de retmesaĝoj de aliaj uzantoj",
+ "email-blacklist-label": "Malpermesu al jenaj uzantoj mesaĝi al mi:",
"prefs-searchoptions": "Serĉi",
"prefs-namespaces": "Nomspacoj",
"default": "defaŭlte",
"youremail": "Retadreso:",
"username": "{{GENDER:$1|Uzantnomo}}:",
"prefs-memberingroups": "{{GENDER:$2|Ano}} de {{PLURAL:$1|grupo|grupoj}}:",
+ "group-membership-link-with-expiry": "$1 (ĝis $2)",
"prefs-registration": "Tempo de registrado:",
"yourrealname": "Vera nomo:",
"yourlanguage": "Lingvo",
"saveusergroups": "Konservi grupojn de {{GENDER:$1|uzantoj}}",
"userrights-groupsmember": "Membro de:",
"userrights-groupsmember-auto": "Implica membro de:",
- "userrights-groups-help": "Vi povas modifi la grupojn kiun ĉi uzanto enestas.\n* Markita markbutono signifas ke la uzanto estas en tiu grupo.\n* Nemarkita markbutono signifas ke la uzanto ne estas in tiu grupo.\n* Steleto (*) signifas ke vi ne povas forigi la grupon post vi aldonis ĝin, aŭ male.",
+ "userrights-groups-help": "Vi povas modifi la grupojn en kiuj ĉi tiu uzanto estas.\n* Markita markbutono (kesto) signifas ke la uzanto estas en tiu grupo.\n* Nemarkita markbutono (kesto) signifas ke la uzanto ne estas en tiu grupo.\n* Steleto (*) signifas ke vi ne povas forigi la grupon post ke vi aldonis ĝin, aŭ male.",
"userrights-reason": "Kialo:",
"userrights-no-interwiki": "Vi ne rajtas redakti uzanto-rajtojn en aliaj vikioj.",
"userrights-nodatabase": "Datumbazo $1 ne ekzistas aŭ ne estas loka.",
"userrights-changeable-col": "Grupoj kiujn vi povas ŝanĝi",
"userrights-unchangeable-col": "Grupoj kiujn vi ne povas ŝanĝi",
+ "userrights-expiry-current": "Eksvalidiĝas je $1",
+ "userrights-expiry-none": "Ne eksvalidiĝas",
+ "userrights-expiry": "Eksvalidiĝos:",
+ "userrights-expiry-othertime": "Alia tempo:",
+ "userrights-expiry-options": "1 tago:1 tago,1 semajno:1 semajno,1 monato:1 monato,3 monatoj:3 monatoj,6 monatoj:6 monatoj,1 jaro:1 jaro",
+ "userrights-invalid-expiry": "La eksvalidiĝa tempo por la grupo „$1“ estas nevalida.",
+ "userrights-expiry-in-past": "La eksvalidiĝas tempo por la grupo „$1“ jam pasis.",
"userrights-conflict": "Konflikto ĉe la ŝanĝo de uzantorajtoj! Bonvolu kontroli kaj konfirmi viajn ŝanĝojn.",
"group": "Grupo:",
"group-user": "Uzantoj",
"recentchanges-legend": "Opcioj pri lastaj ŝanĝoj",
"recentchanges-summary": "Per ĉi tiu paĝo vi povas sekvi la plej lastajn ŝanĝojn en la {{SITENAME}}.",
"recentchanges-noresult": "En la donita tempo ne estis ŝanĝoj, kiuj konformas al la kriterioj.",
+ "recentchanges-timeout": "Ĉi tiu serĉo transiris sian tempolimon. Vi eble provu malsamajn serĉajn parametrojn.",
"recentchanges-feed-description": "Sekvi la plej lastatempajn ŝanĝojn al la vikio en ĉi tiu fonto.",
"recentchanges-label-newpage": "Ĉi tiu redakto kreis novan paĝon",
"recentchanges-label-minor": "Ĉi tiu estas eta redakto",
"recentchanges-legend-heading": "<strong>Klarigo:</strong>",
"recentchanges-legend-newpage": "{{int:recentchanges-label-newpage}} (vidu ankaŭ [[Special:NewPages|liston de novaj paĝoj]])",
"recentchanges-submit": "Montri",
+ "rcfilters-tag-remove": "Forigi „$1“",
+ "rcfilters-legend-heading": "<strong>Listo de mallongigoj:</strong>",
+ "rcfilters-other-review-tools": "Aliaj reviziaj iloj",
+ "rcfilters-group-results-by-page": "Grupigi rezultojn laŭ paĝoj",
+ "rcfilters-grouping-title": "Grupigo",
"rcfilters-activefilters": "Aktivaj filtriloj",
+ "rcfilters-advancedfilters": "Altnivelaj filtriloj",
+ "rcfilters-limit-title": "Ŝanĝoj montrotaj",
+ "rcfilters-limit-shownum": "Montri la {{PLURAL:$1|lastan ŝanĝon|lastajn $1 ŝanĝojn}}",
+ "rcfilters-days-title": "Ĵusaj tagoj",
+ "rcfilters-hours-title": "Ĵusaj horoj",
+ "rcfilters-days-show-days": "$1 {{PLURAL:$1|tago|tagoj}}",
+ "rcfilters-days-show-hours": "$1 {{PLURAL:$1|horo|horoj}}",
+ "rcfilters-highlighted-filters-list": "Emfazita: $1",
+ "rcfilters-quickfilters": "Konservitaj filtriloj",
+ "rcfilters-quickfilters-placeholder-title": "Ankoraŭ neniuj filtriloj estas konservitaj",
+ "rcfilters-savedqueries-defaultlabel": "Konservitaj filtriloj",
+ "rcfilters-savedqueries-rename": "Alinomi",
+ "rcfilters-savedqueries-remove": "Forigi",
+ "rcfilters-savedqueries-new-name-label": "Nomo",
+ "rcfilters-savedqueries-new-name-placeholder": "Priskribas la celon de la filtrilo",
+ "rcfilters-savedqueries-apply-label": "Krei filtrilon",
+ "rcfilters-savedqueries-cancel-label": "Nuligi",
"rcfilters-restore-default-filters": "Restarigi defaŭltajn filtrilojn",
"rcfilters-clear-all-filters": "Nuligi ĉiujn filtrilojn",
+ "rcfilters-show-new-changes": "Vidi la plej novajn ŝanĝojn",
"rcfilters-search-placeholder": "Filtri lastajn ŝanĝojn (vi povas elekti aŭ ekskribi)",
"rcfilters-invalid-filter": "Nevalida filtrilo",
"rcfilters-empty-filter": "Ekzistas neniuj aktivaj filtriloj. Ĉiuj kontribuaĵoj estas montritaj.",
"rcfilters-filterlist-title": "Filtriloj",
+ "rcfilters-filterlist-whatsthis": "Kiel funkcias ĉi tiuj?",
+ "rcfilters-filterlist-feedbacklink": "Diru al ni kion vi opinias pri tiuj (novaj) filtraj iloj.",
+ "rcfilters-highlightbutton-title": "Emfazi rezultojn",
+ "rcfilters-highlightmenu-title": "Elekti koloron",
"rcfilters-filterlist-noresults": "Neniuj filtriloj troviĝis",
"rcfilters-filtergroup-authorship": "Redakta aŭtoreco",
"rcfilters-filter-editsbyself-label": "Viaj redaktoj",
- "rcfilters-filter-editsbyself-description": "Viaj redaktoj.",
+ "rcfilters-filter-editsbyself-description": "Viaj kontribuoj.",
"rcfilters-filter-editsbyother-label": "Redaktoj de aliuloj",
"rcfilters-filter-editsbyother-description": "Redaktoj kreitaj far aliaj uzantoj (krom vi).",
"rcfilters-filtergroup-userExpLevel": "Spertonivelo (nur por registritaj uzantoj)",
"block": "Forbari uzanton",
"unblock": "Malforbari uzanton",
"blockip": "Forbari {{GENDER:$1|uzanton}}",
- "blockip-legend": "Forbari uzanton",
"blockiptext": "Uzu la sube formularon por forbari skribpermison de specifa uzantnomo aŭ IP-adreso. Tiu endus ''nur'' por eviti vandalismon, kaj laŭe la [[{{MediaWiki:Policy-url}}|politiko]].\nKlarigu la precizan kialon sube (ekzemple, citu paĝojn, kiuj estis vandaligitaj).\nVi povas forbari IP-adresan intervalon per la [https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing CIDR]a sintakso; la plej ampleksa intervalo estas /$1 por IPv4 kaj /$2 por IPv6.",
"ipaddressorusername": "IP-adreso aŭ salutnomo:",
"ipbexpiry": "Blokdaŭro",
"anonpreviewwarning": "<em>No has iniciado sesión. Al guardar los cambios se almacenará tu dirección IP en el historial de edición de esta página.</em>",
"missingsummary": "<strong>Atención:</strong> no has escrito un resumen de edición.\nSi haces clic de nuevo en «$1» tu edición se grabará sin él.",
"selfredirect": "<strong>Advertencia:</strong> estás redirigiendo esta página a sí misma.\nPuede que hayas especificado erróneamente el destino de la redirección, o quizá estés editando la página equivocada. En cualquier caso, si haces clic de nuevo en \"$1\", se creará la redirección.",
- "missingcommenttext": "Escribe un comentario a continuación.",
+ "missingcommenttext": "Escribe un comentario.",
"missingcommentheader": "<strong>Atención:</strong> no has escrito un asunto para este comentario.\nSi haces clic nuevamente en \"$1\" tu edición se grabará sin él.",
"summary-preview": "Previsualización del resumen de edición:",
"subject-preview": "Previsualización del asunto:",
"rcfilters-savedqueries-apply-and-setdefault-label": "Crear filtro predeterminado",
"rcfilters-savedqueries-cancel-label": "Cancelar",
"rcfilters-savedqueries-add-new-title": "Guardar ajustes de filtro actuales",
- "rcfilters-savedqueries-already-saved": "Estos filtros son ja almacenados",
+ "rcfilters-savedqueries-already-saved": "Ya se guardaron estos filtros. Modifica tu configuración para crear un filtro guardado nuevo.",
"rcfilters-restore-default-filters": "Restaurar filtros predeterminados",
"rcfilters-clear-all-filters": "Borrar todos los filtros",
"rcfilters-show-new-changes": "Ver cambios más recientes",
"rcfilters-filter-user-experience-level-unregistered-label": "No registrados",
"rcfilters-filter-user-experience-level-unregistered-description": "Editores no conectados.",
"rcfilters-filter-user-experience-level-newcomer-label": "Recién llegados",
- "rcfilters-filter-user-experience-level-newcomer-description": "Usuarios registrados con menos de 10 ediciones y 4 días de actividad.",
+ "rcfilters-filter-user-experience-level-newcomer-description": "Usuarios registrados con menos de diez ediciones o cuatro días de actividad.",
"rcfilters-filter-user-experience-level-learner-label": "Aprendices",
"rcfilters-filter-user-experience-level-learner-description": "Editores registrados cuya experiencia se ubica entre \"Recién Llegados\" y \"Usuarios experimentados\".",
"rcfilters-filter-user-experience-level-experienced-label": "Usuarios experimentados",
"recentchanges-summary": "Orrialde honetan ikus ditzakezu wiki honetan egindako azken aldaketak.",
"recentchanges-noresult": "Ez da egon aldaketarik emandako tartean irizpide hau betetzen dutenik.",
"recentchanges-timeout": "Bilaketa honek denbora muga gainditu du. Agian beste parametro batzuekin bilatu nahi duzu.",
+ "recentchanges-network": "Errore tekniko baten ondorioz, ez da emaitzarik kargatu. Saiatu orria freskatzen.",
"recentchanges-feed-description": "Sindikazio honetan wikian eginiko azkeneko aldaketak jarrai daitezke.",
"recentchanges-label-newpage": "Aldaketa honek orri berri bat sortu du",
"recentchanges-label-minor": "Aldaketa hau txikia da",
"rcfilters-savedqueries-apply-and-setdefault-label": "Iragazkia sortu",
"rcfilters-savedqueries-cancel-label": "Utzi",
"rcfilters-savedqueries-add-new-title": "Gorde oraingo iragazki ezarpenak",
+ "rcfilters-savedqueries-already-saved": "Iragazki hauek dagoeneko gorde dira. Aldatu ezarpenak Gordetako Iragazki berri bat sortzeko.",
"rcfilters-restore-default-filters": "Leheneratu iragazki lehenetsiak",
"rcfilters-clear-all-filters": "Iragazki guztiak garbitu",
"rcfilters-show-new-changes": "Aldaketa berrienak ikusi",
- "rcfilters-search-placeholder": "Azken aldaketak iragazi (arakatu ala idazten hasi)",
+ "rcfilters-search-placeholder": "Aldaketak iragazi (menua erabili edo bilatu iragazkiaren izena)",
"rcfilters-invalid-filter": "Balio ez duen iragazkia",
"rcfilters-empty-filter": "Filtro aktiborik ez dago. Ekarpen guztiak erakusten.",
"rcfilters-filterlist-title": "Iragazkiak",
"uploadstash-refresh": "Fitxategien zerrenda eguneratu",
"uploadstash-thumbnail": "Koadro txikia ikusi",
"uploadstash-exception": "Igoera ezin izan da ($1) biltegian gorde: \"$2\".",
+ "uploadstash-bad-path": "Bidea ez da existitzen.",
+ "uploadstash-bad-path-invalid": "Bideak ez du balio.",
+ "uploadstash-bad-path-unknown-type": "Mota ezezaguna \"$1\".",
+ "uploadstash-file-not-found-missing-content-type": "Eduki-motako goiburua falta da.",
+ "uploadstash-file-not-found-not-exists": "Ezin da bidea aurkitu, edo ez da fitxategi arrunta.",
+ "uploadstash-file-too-large": "Ezin da $1 byte baino handiagoa den fitxategia zerbitzatu.",
+ "uploadstash-not-logged-in": "Erabiltzaileak ez du saioa hasi, fitxategiak erabiltzailearenak izan behar dira.",
+ "uploadstash-wrong-owner": "($1) Fitxategia ez da uneko erabiltzailearena.",
+ "uploadstash-no-such-key": "($1) gakorik ez dago, ezin da ezabatu.",
+ "uploadstash-no-extension": "Luzapena nulua da.",
"invalid-chunk-offset": "Desplazamendu zati baliogabea",
"img-auth-accessdenied": "Sarbide ukatua",
"img-auth-nopathinfo": "PATH_INFO falta da.\nZure zerbitzaria ez dago informazio hau pasatzeko konfiguratuta.\nCGI-oinarriduna izan daiteke, img_auth onartzen ez duena.\nIkusi https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Image_Authorization.",
"newimages-hidepatrolled": "巡回済みのアップロードを隠す",
"newimages-mediatype": "メディアの種類:",
"noimages": "表示できるものがありません。",
- "gallery-slideshow-toggle": "ã\83\88ã\82°ã\83«ã\82µã\83 ã\83\8dã\82¤ã\83«",
+ "gallery-slideshow-toggle": "ã\82µã\83 ã\83\8dã\82¤ã\83«ã\82\92å\88\87ã\82\8aæ\9b¿ã\81\88ã\82\8b",
"ilsubmit": "検索",
"bydate": "日付順",
"sp-newimages-showfrom": "$1の$2以降の新しいファイルを表示",
"anonpreviewwarning": "<em>Panjenengan durung mlebu log. Yèn disimpen, alamat IP panjenengan bakal kacathet ing sajarah besutan kaca iki.</em>",
"missingsummary": "<strong>Pangéling-éling:</strong> Panjenengan ora ngisèni ringkesané besutan.\nManawa panjenengan mencèt \"$1\" manèh, besutané panjengan bakal kasimpen tanpa katerangan.",
"selfredirect": "<strong>Pepéling:</strong> Panjenengan ngalih kaca iki menyang kaca iki dhéwé.\nPanjenengan mungkin salah wènèh paraning alihan utawa salah mbesut kaca.\nYèn panjenengan ngeklik \"$1\" manèh, kaca alihan bakal digawé.",
- "missingcommenttext": "Mangga isi tanggepan ing ngisor iki.",
+ "missingcommenttext": "Mangga awèh tanggepan.",
"missingcommentheader": "'''Pangéling:''' Sampéyan durung nyadhiyakaké judhul/jejer kanggo tanggepan iki.\nYèn Sampéyan klik \"$1\" manèh, suntingan Sampéyan bakal kasimpen tanpa kuwi.",
"summary-preview": "Pratuduh ringkesan besutan:",
"subject-preview": "Pratuduh jejer:",
"deletecomment": "Alesan:",
"deleteotherreason": "Alesan liya utawa tambahan:",
"deletereasonotherlist": "Alesan liya",
- "deletereason-dropdown": "*Alesan pambusakan\n** Spam\n** Vandalisme\n** Nglanggar hak cipta\n** Disuwun sing nulis\n** Pangalihan rusak",
+ "deletereason-dropdown": "*Alesan pambusakan\n** Spam\n** Vandhalisme\n** Terakan hak cipta\n** Panyuwun sing nulis\n** Alihan rusak",
"delete-edit-reasonlist": "Besut alesané pambusak",
"delete-toobig": "Kaca iki darbé sajarah besutan sing dawa, punjul $1 {{PLURAL:$1|owahan}}.\nMbusak kaca sing kaya mangkono wis ora diidinaké kanggo njagani supaya ora ana sing rusak ing {{SITENAME}}.",
"delete-warning-toobig": "Kaca iki duwé sajarah besut sing dawa, punjul $1 {{PLURAL:$1|révisi}}.\nMbusak kaca iki bisa ngrusak lakuné basis dhata ing {{SITENAME}};\nkudu diayahi kanthi ngati-ati.",
"uploadstash-thumbnail": "Miniaturbild weisen",
"uploadstash-bad-path": "Wee (path) gëtt et net.",
"uploadstash-bad-path-unknown-type": "Onbekannten Typ \"$1\".",
+ "uploadstash-file-not-found-no-thumb": "D'Miniaturbild konnt net erofgeluede ginn.",
"uploadstash-no-extension": "Erweiderung ass eidel (null).",
"uploadstash-zero-length": "Fichier huet d'Gréisst null.",
"img-auth-accessdenied": "Zougang refuséiert",
"shown-title": "Parādīt $1 {{PLURAL:$1|rezultātus|rezultātu|rezultātus}} vienā lapā",
"viewprevnext": "Skatīt ($1 {{int:pipe-separator}} $2) ($3 vienā lapā).",
"searchmenu-exists": "'''Šajā projektā ir raksts ar nosaukumu \"[[:$1]]\"'''",
- "searchmenu-new": "'''Izveido rakstu \"[[:$1]]\" šajā projektā!'''",
+ "searchmenu-new": "<strong>Izveido lapu \"[[:$1]]\" šajā projektā!</strong> {{PLURAL:$2|0=|Apskati arī meklēšanā atrasto lapu.|Apskati arī meklēšanā atrastos rezultātus.}}",
"searchprofile-articles": "Rakstos",
"searchprofile-images": "Multivides failos",
"searchprofile-everything": "Visur",
"nosuchusershort": "Não existe um usuário com o nome \"$1\". Verifique o nome que introduziu.",
"nouserspecified": "Você precisa especificar um nome de usuário.",
"login-userblocked": "Este usuário está bloqueado. Entrada proibida.",
- "wrongpassword": "A senha que introduziu é inválida. Por favor, tente novamente.",
+ "wrongpassword": "Nome de usuário ou senha incorretos inseridos.\nPor favor, tente novamente.",
"wrongpasswordempty": "Foi fornecida uma senha em branco.\nTente novamente.",
"passwordtooshort": "As senhas devem ter no mínimo {{PLURAL:$1|1 caractere|$1 caracteres}}.",
"passwordtoolong": "Senhas não podem ser maiores do que {{PLURAL:$1|1 caractere|$1 caracteres}}.",
"uploadstash-refresh": "Обновить список файлов",
"uploadstash-thumbnail": "показать миниатюру",
"uploadstash-exception": "Не удалось сохранить загрузку во временное хранилище ($1): «$2».",
+ "uploadstash-bad-path": "Путь не существует.",
+ "uploadstash-bad-path-invalid": "Путь некорректен.",
+ "uploadstash-bad-path-unknown-type": "Неизвестный тип «$1».",
+ "uploadstash-file-not-found-no-thumb": "Не удалось получить миниатюру.",
+ "uploadstash-zero-length": "Файл нулевой длины.",
"invalid-chunk-offset": "Недопустимое смещение фрагмента",
"img-auth-accessdenied": "Доступ запрещён",
"img-auth-nopathinfo": "Отсутствует <code>PATH_INFO</code>.\nВаш сервер не настроен для передачи этих сведений.\nВозможно, он работает на основе CGI и не поддерживает <code>img_auth</code>.\nСм. https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Image_Authorization.",
"nosuchusershort": "Uporabnik z imenom »$1« ne obstaja.\nPreverite črkovanje.",
"nouserspecified": "Prosimo, vpišite uporabniško ime.",
"login-userblocked": "Ta uporabnik je blokiran. Prijava ni dovoljena.",
- "wrongpassword": "Vnesli ste napačno geslo. Prosimo, poskusite znova.",
+ "wrongpassword": "Vnesli ste napačno uporabniško ime ali geslo.\nProsimo, poskusite znova.",
"wrongpasswordempty": "Vpisali ste prazno geslo. Prosimo, poskusite znova.",
"passwordtooshort": "Geslo mora imeti najmanj $1 {{PLURAL:$1|znak|znaka|znake|znakov|znakov}}.",
"passwordtoolong": "Gesla ne morejo biti daljša od {{PLURAL:$1|1 znaka|$1 znakov}}.",
"rcfilters-savedqueries-apply-and-setdefault-label": "Ustvari privzeti filter",
"rcfilters-savedqueries-cancel-label": "Prekliči",
"rcfilters-savedqueries-add-new-title": "Shrani nastavitve trenutnega filtra",
+ "rcfilters-savedqueries-already-saved": "Te filtre ste že shranili. Uporabite svoje nastavitve, da ustvarite nov Shranjen filter.",
"rcfilters-restore-default-filters": "Obnovi privzete filtre",
"rcfilters-clear-all-filters": "Počisti vse filtre",
"rcfilters-show-new-changes": "Ogled najnovejših sprememb",
"uploadstash-refresh": "Osveži seznam datotek",
"uploadstash-thumbnail": "ogled sličice",
"uploadstash-exception": "Nalaganja nismo uspeli shraniti v zalogo ($1): »$2«.",
+ "uploadstash-bad-path": "Pot ne obstaja.",
+ "uploadstash-bad-path-invalid": "Pot ni veljavna.",
+ "uploadstash-bad-path-unknown-type": "Neznana vrsta »$1«.",
+ "uploadstash-bad-path-unrecognized-thumb-name": "Neprepoznano ime sličice.",
+ "uploadstash-bad-path-no-handler": "Za mime $1 datoteke $2 nismo našli nobenega klica.",
+ "uploadstash-bad-path-bad-format": "Ključ »$1« ni pravilne oblike.",
+ "uploadstash-file-not-found": "Ključa »$1« nismo našli v shrambi.",
+ "uploadstash-file-not-found-no-thumb": "Ne moremo pridobiti sličice.",
+ "uploadstash-file-not-found-no-local-path": "Za pomanjšano zadevo ni lokalne poti.",
+ "uploadstash-file-not-found-no-object": "Ne moremo ustvariti lokalnega objekta datoteke za sličico.",
+ "uploadstash-file-not-found-no-remote-thumb": "Pridobivanje sličice je spodletelo: $1\nURL = $2",
+ "uploadstash-file-not-found-missing-content-type": "Manjkajoča glava content-type.",
+ "uploadstash-file-not-found-not-exists": "Ne moremo najti poti ali surove datoteke.",
+ "uploadstash-file-too-large": "Ne moremo streči datoteke, večje od $1 bajtov.",
+ "uploadstash-not-logged-in": "Noben uporabnik ni prijavljen; datoteke morajo pripadati uporabnikom.",
+ "uploadstash-wrong-owner": "Datoteka ($1) ne pripada trenutnemu uporabniku.",
+ "uploadstash-no-such-key": "Ni takšnega ključa ($1), zato ne moremo odstraniti.",
+ "uploadstash-no-extension": "Ni končnice.",
+ "uploadstash-zero-length": "Datoteka ima nično dolžino.",
"invalid-chunk-offset": "Neveljaven odmik delčka",
"img-auth-accessdenied": "Dostop zavrnjen",
"img-auth-nopathinfo": "Manjka PATH_INFO.\nVaš strežnik ne poda te informacije.\nMorda temelji na CGI in ne more podpirati img_auth.\nOglejte si https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Image_Authorization.",
"rcfilters-state-message-subset": "Овај филтер нема ефекта јер су његови резултати укључени са онима {{PLURAL:$2|следећег, ширег филтера|следећих, ширих филтера}} (покушајте са означавањем да бисте их распознали): $1",
"rcfilters-state-message-fullcoverage": "Одабир свих филтера у групи је исто као и одабир ниједног, тако да овај филтер нема ефекта. Група укључује: $1",
"rcfilters-filtergroup-authorship": "Ауторство доприноса",
- "rcfilters-filter-editsbyself-label": "Ваше измене",
+ "rcfilters-filter-editsbyself-label": "Ваше измјене",
"rcfilters-filter-editsbyself-description": "Ваши доприноси.",
- "rcfilters-filter-editsbyother-label": "Измене других",
- "rcfilters-filter-editsbyother-description": "Све измене осим Ваших.",
+ "rcfilters-filter-editsbyother-label": "Измјене других",
+ "rcfilters-filter-editsbyother-description": "Све измјене осим Ваших.",
"rcfilters-filtergroup-userExpLevel": "Корисничка регистрација и искуство",
"rcfilters-filter-user-experience-level-registered-label": "Регистровани",
"rcfilters-filter-user-experience-level-registered-description": "Пријављени уредници.",
"rcfilters-filter-user-experience-level-experienced-description": "Регистровани уредници са више од 500 измена и 30 дана активности.",
"rcfilters-filtergroup-automated": "Аутоматизовани доприноси",
"rcfilters-filter-bots-label": "Бот",
- "rcfilters-filter-bots-description": "Измене направљене аутоматизованим алатима.",
+ "rcfilters-filter-bots-description": "Измјене направљене аутоматизованим алатима.",
"rcfilters-filter-humans-label": "Човек (није бот)",
- "rcfilters-filter-humans-description": "Измене које су направили људи-уредници.",
+ "rcfilters-filter-humans-description": "Измјене које су направили људи-уредници.",
"rcfilters-filtergroup-reviewstatus": "Патролираност",
"rcfilters-filter-patrolled-label": "Патролирано",
- "rcfilters-filter-patrolled-description": "Измене означене као патролиране.",
+ "rcfilters-filter-patrolled-description": "Измјене означене као патролиране.",
"rcfilters-filter-unpatrolled-label": "Непатролирано",
- "rcfilters-filter-unpatrolled-description": "Измене које нису означене као патролиране.",
+ "rcfilters-filter-unpatrolled-description": "Измјене које нису означене као патролиране.",
"rcfilters-filtergroup-significance": "Значај",
"rcfilters-filter-minor-label": "Мање измене",
- "rcfilters-filter-minor-description": "Измене које је аутор означио као мање.",
- "rcfilters-filter-major-label": "Не-мање измене",
- "rcfilters-filter-major-description": "Измене које нису означене као мање.",
+ "rcfilters-filter-minor-description": "Измјене које је аутор означио као мање.",
+ "rcfilters-filter-major-label": "Не-мање измјене",
+ "rcfilters-filter-major-description": "Измјене које нису означене као мање.",
"rcfilters-filtergroup-watchlist": "Странице на списку надгледања",
"rcfilters-filter-watchlist-watched-label": "На списку надгледања",
- "rcfilters-filter-watchlist-watched-description": "Измене страница на Вашем списку надгледања.",
- "rcfilters-filter-watchlist-watchednew-label": "Нове измене на списку надгледања",
- "rcfilters-filter-watchlist-watchednew-description": "Измене страница на списку надгледања које нисте посетили од када су направљене измене.",
+ "rcfilters-filter-watchlist-watched-description": "Измјене страница на Вашем списку надгледања.",
+ "rcfilters-filter-watchlist-watchednew-label": "Нове измјене на списку надгледања",
+ "rcfilters-filter-watchlist-watchednew-description": "Измјене страница на списку надгледања које нисте посјетили од када су направљене измјене.",
"rcfilters-filter-watchlist-notwatched-label": "Није на списку надгледања",
- "rcfilters-filter-watchlist-notwatched-description": "Све осим измена страница на Вашем списку надгледања.",
+ "rcfilters-filter-watchlist-notwatched-description": "Све осим измјена страница на Вашем списку надгледања.",
"rcfilters-filtergroup-watchlistactivity": "Стање на списку надгледања",
"rcfilters-filter-watchlistactivity-unseen-label": "Непогледане измене",
"rcfilters-filter-watchlistactivity-unseen-description": "Измене страница које нисте посетили од када су направљене измене.",
"rcfilters-filter-watchlistactivity-seen-label": "Погледане измене",
"rcfilters-filter-watchlistactivity-seen-description": "Измене страница које сте посетили од када су направљене измене.",
- "rcfilters-filtergroup-changetype": "Ð\92Ñ\80Ñ\81Ñ\82а измене",
+ "rcfilters-filtergroup-changetype": "Тип измÑ\98ене",
"rcfilters-filter-pageedits-label": "Измене страница",
- "rcfilters-filter-pageedits-description": "Измене вики садржаја, расправа, описа категорија…",
+ "rcfilters-filter-pageedits-description": "Измјене вики садржаја, расправа, описа категорија…",
"rcfilters-filter-newpages-label": "Стварање страница",
"rcfilters-filter-newpages-description": "Измене којима се стварају нове странице.",
- "rcfilters-filter-categorization-label": "Измене категорија",
+ "rcfilters-filter-categorization-label": "Измјене категорија",
"rcfilters-filter-categorization-description": "Записи о страницама додатим или уклоњеним из категорија.",
"rcfilters-filter-logactions-label": "Радње забележене у дневницима",
"rcfilters-filter-logactions-description": "Административне акције, стварање налога, брисање страница, отпремања…",
"rcfilters-hideminor-conflicts-typeofchange-global": "Филтер за „мање” измене је у сукобу са једним или више филтера типа измена, зато што одређени типови измена не могу да се означе као „мање”. Сукобљени филтери су означени у подручју Активни филтери, изнад.",
"rcfilters-hideminor-conflicts-typeofchange": "Одређени типови измена не могу да се означе као „мање”, тако да је овај филтер у сукобу са следећим филтерима типа измена: $1",
"rcfilters-typeofchange-conflicts-hideminor": "Овај филтер типа измене је у сукобу са филтером за „мање” измене. Одређени типови измена не могу да се означе као „мање”.",
- "rcfilters-filtergroup-lastRevision": "Последње измене",
- "rcfilters-filter-lastrevision-label": "Последња измена",
+ "rcfilters-filtergroup-lastRevision": "Посљедње измјене",
+ "rcfilters-filter-lastrevision-label": "Посљедња измјена",
"rcfilters-filter-lastrevision-description": "Само најновија измена на страници.",
- "rcfilters-filter-previousrevision-label": "Није последња измена",
- "rcfilters-filter-previousrevision-description": "Све измене које нису „последње измене”.",
+ "rcfilters-filter-previousrevision-label": "Није посљедња измјена",
+ "rcfilters-filter-previousrevision-description": "Све измјене које нису „посљедње измјене”.",
"rcfilters-filter-excluded": "Изостављено",
"rcfilters-tag-prefix-namespace-inverted": "<strong>:није</strong> $1",
"rcfilters-exclude-button-off": "Изостави означено",
"rcfilters-exclude-button-on": "Изостави одабрано",
- "rcfilters-view-tags": "Означене измене",
+ "rcfilters-view-tags": "Означене измјене",
"rcfilters-view-namespaces-tooltip": "Филтер резултата према именском простору",
- "rcfilters-view-tags-tooltip": "Филтрирање резултата према ознаци измене",
+ "rcfilters-view-tags-tooltip": "Филтрирање резултата према ознаци измјене",
"rcfilters-view-return-to-default-tooltip": "Повратак на главни мени",
- "rcfilters-view-tags-help-icon-tooltip": "Сазнајте више о означеним изменама",
+ "rcfilters-view-tags-help-icon-tooltip": "Сазнајте више о означеним измјенама",
"rcfilters-liveupdates-button": "Ажурирања уживо",
"rcfilters-liveupdates-button-title-on": "Искључи ажурирања уживо",
"rcfilters-liveupdates-button-title-off": "Прикажи нове измене уживо",
"rcfilters-watchlist-markseen-button": "Означи све измене као виђене",
- "rcfilters-watchlist-edit-watchlist-button": "Промените Вашу листу надгледаних страница",
+ "rcfilters-watchlist-edit-watchlist-button": "Промените Вашу списак надгледаних страница",
"rcfilters-watchlist-showupdated": "Измене на страницама које нисте посетили од када је измена извршена су <strong>подебљане</strong>, са испуњеним ознакама.",
"rcfilters-preference-label": "Сакриј побољшану верзију скорашњих измена",
"rcfilters-preference-help": "Поништава редизајн интерфејса из 2017. и све алатке додате тада и после.",
$time1 = microtime( true );
+ $badPhpUnit = dirname( __DIR__ ) . '/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php';
+ if ( file_exists( $badPhpUnit ) ) {
+ // @codingStandardsIgnoreStart Generic.Files.LineLength.TooLong
+ // Bad versions of the file are:
+ // https://raw.githubusercontent.com/sebastianbergmann/phpunit/c820f915bfae34e5a836f94967a2a5ea5ef34f21/src/Util/PHP/eval-stdin.php
+ // https://raw.githubusercontent.com/sebastianbergmann/phpunit/3aaddb1c5bd9b9b8d070b4cf120e71c36fd08412/src/Util/PHP/eval-stdin.php
+ // @codingStandardsIgnoreEnd
+ $md5 = md5_file( $badPhpUnit );
+ if ( $md5 === '120ac49800671dc383b6f3709c25c099'
+ || $md5 === '28af792cb38fc9a1b236b91c1aad2876'
+ ) {
+ $success = unlink( $badPhpUnit );
+ if ( $success ) {
+ $this->output( "Removed PHPUnit eval-stdin.php to protect against CVE-2017-9841\n" );
+ } else {
+ $this->error( "Unable to remove $badPhpUnit, you should manually. See CVE-2017-9841" );
+ }
+ }
+ }
+
$shared = $this->hasOption( 'doshared' );
$updates = [ 'core', 'extensions' ];
}
public function execute() {
- global $wgAuth;
-
- if ( !$wgAuth->allowSetLocalPassword() ) {
- $this->error( '$wgAuth does not allow local passwords. Aborting.', true );
- }
-
$passwordFactory = new PasswordFactory();
$passwordFactory->init( RequestContext::getMain()->getConfig() );
'scripts' => [
'resources/src/mediawiki.special/mediawiki.special.preferences.confirmClose.js',
'resources/src/mediawiki.special/mediawiki.special.preferences.convertmessagebox.js',
+ 'resources/src/mediawiki.special/mediawiki.special.preferences.editfont.js',
'resources/src/mediawiki.special/mediawiki.special.preferences.tabs.js',
'resources/src/mediawiki.special/mediawiki.special.preferences.timezone.js',
],
)
);
- // Remove excluded params from the url
- uri.query = this.filtersModel.removeExcludedParams( uri.query );
-
// Reapply unrecognized params and url version
uri.query = $.extend( true, {}, uri.query, unrecognizedParams, { urlversion: '2' } );
--- /dev/null
+/*!
+ * JavaScript for Special:Preferences: editfont field enhancements.
+ */
+( function ( mw, $ ) {
+ $( function () {
+ var widget, lastValue;
+
+ try {
+ widget = OO.ui.infuse( $( '#mw-input-wpeditfont' ) );
+ } catch ( err ) {
+ // This preference could theoretically be disabled ($wgHiddenPrefs)
+ return;
+ }
+
+ // Style options
+ widget.dropdownWidget.menu.items.forEach( function ( item ) {
+ item.$label.addClass( 'mw-editfont-' + item.getData() );
+ } );
+
+ function updateLabel( value ) {
+ // Style selected item label
+ widget.dropdownWidget.$label
+ .removeClass( 'mw-editfont-' + lastValue )
+ .addClass( 'mw-editfont-' + value );
+ lastValue = value;
+ }
+
+ widget.on( 'change', updateLabel );
+ updateLabel( widget.getValue() );
+
+ } );
+}( mediaWiki, jQuery ) );
!! html/parsoid
<table>
-<tbody><tr data-parsoid='{"autoInsertedEnd":true,"autoInsertedStart":true}'><td data-parsoid='{"autoInsertedEnd":true}'> Foo!! </td><td data-parsoid='{"stx_v":"row","autoInsertedEnd":true}'></td></tr>
+<tbody><tr data-parsoid='{"autoInsertedEnd":true,"autoInsertedStart":true}'><td data-parsoid='{"autoInsertedEnd":true}'> Foo!! </td><td data-parsoid='{"stx":"row","autoInsertedEnd":true}'></td></tr>
</tbody></table>
!! end
!! html/parsoid
<table><tbody>
<tr>
-<td data-parsoid='{"startTagSrc":"| ","attrSepSrc":"|","autoInsertedEnd":true}'>[<a rel="mw:ExtLink" href="ftp://%7Cx" data-parsoid='{"stx":"url","a":{"href":"ftp://%7Cx"},"sa":{"href":"ftp://|x"}}'>ftp://%7Cx</a></td><td data-parsoid='{"stx_v":"row","autoInsertedEnd":true}'>]" onmouseover="alert(document.cookie)">test</td></tr></tbody></table>
+<td data-parsoid='{"startTagSrc":"| ","attrSepSrc":"|","autoInsertedEnd":true}'>[<a rel="mw:ExtLink" href="ftp://%7Cx" data-parsoid='{"stx":"url","a":{"href":"ftp://%7Cx"},"sa":{"href":"ftp://|x"}}'>ftp://%7Cx</a></td><td data-parsoid='{"stx":"row","autoInsertedEnd":true}'>]" onmouseover="alert(document.cookie)">test</td></tr></tbody></table>
!! end
!! test
!! html/parsoid
<table>
-<tbody><tr><td> style="color: red !important;" data-contrived="put this here </td><td data-parsoid='{"stx_v":"row","a":{"\"":null},"sa":{"\"":""},"autoInsertedEnd":true}'> foo</td></tr>
+<tbody><tr><td> style="color: red !important;" data-contrived="put this here </td><td data-parsoid='{"stx":"row","a":{"\"":null},"sa":{"\"":""},"autoInsertedEnd":true}'> foo</td></tr>
</tbody></table>
!! end
!! html/parsoid
<table>
-<tbody><tr data-parsoid='{"autoInsertedEnd":true,"autoInsertedStart":true}'><td data-parsoid='{"autoInsertedEnd":true}'> testing <a rel="mw:WikiLink" href="./One" title="One" data-parsoid='{"stx":"piped","a":{"href":"./One"},"sa":{"href":"one"}}'>two</a> | three </td><td data-parsoid='{"stx_v":"row","autoInsertedEnd":true}'> four</td>
-<td data-parsoid='{"a":{"testing":null,"one":null,"two":null},"sa":{"testing":"","one":"","two":""},"autoInsertedEnd":true}'> three </td><td data-parsoid='{"stx_v":"row","autoInsertedEnd":true}'> four</td>
-<td> testing="<a rel="mw:WikiLink" href="./One" title="One" data-parsoid='{"stx":"piped","a":{"href":"./One"},"sa":{"href":"one"}}'>two</a>" | three </td><td data-parsoid='{"stx_v":"row","autoInsertedEnd":true}'> four</td></tr>
+<tbody><tr data-parsoid='{"autoInsertedEnd":true,"autoInsertedStart":true}'><td data-parsoid='{"autoInsertedEnd":true}'> testing <a rel="mw:WikiLink" href="./One" title="One" data-parsoid='{"stx":"piped","a":{"href":"./One"},"sa":{"href":"one"}}'>two</a> | three </td><td data-parsoid='{"stx":"row","autoInsertedEnd":true}'> four</td>
+<td data-parsoid='{"a":{"testing":null,"one":null,"two":null},"sa":{"testing":"","one":"","two":""},"autoInsertedEnd":true}'> three </td><td data-parsoid='{"stx":"row","autoInsertedEnd":true}'> four</td>
+<td> testing="<a rel="mw:WikiLink" href="./One" title="One" data-parsoid='{"stx":"piped","a":{"href":"./One"},"sa":{"href":"one"}}'>two</a>" | three </td><td data-parsoid='{"stx":"row","autoInsertedEnd":true}'> four</td></tr>
</tbody></table>
!! end
<div class="thumb tright"><div class="thumbinner" style="width:182px;"><a href="/wiki/File:Foobar.jpg" class="image"><img alt="This is a link and a bold template." src="http://example.com/images/thumb/3/3a/Foobar.jpg/180px-Foobar.jpg" width="180" height="20" class="thumbimage" srcset="http://example.com/images/thumb/3/3a/Foobar.jpg/270px-Foobar.jpg 1.5x, http://example.com/images/thumb/3/3a/Foobar.jpg/360px-Foobar.jpg 2x" /></a> <div class="thumbcaption"><div class="magnify"><a href="/wiki/File:Foobar.jpg" class="internal" title="Enlarge"></a></div>This is the image caption</div></div></div>
!! html/parsoid
-<figure class="mw-default-size" typeof="mw:Image/Thumb mw:ExpandedAttrs" about="#mwt2" data-parsoid='{"optList":[{"ck":"thumbnail","ak":"thumb"},{"ck":"caption","ak":"This is the image caption"},{"ck":"alt","ak":"alt=This is a [[link]] and a {{echo|''bold template''}}."}]}' data-mw='{"attribs":[["thumbnail",{"html":"thumb"}],["alt",{"html":"alt=This is a <a rel=\"mw:WikiLink\" href=\"./Link\" title=\"Link\" data-parsoid='{\"stx\":\"simple\",\"a\":{\"href\":\"./Link\"},\"sa\":{\"href\":\"link\"},\"dsr\":[65,73,2,2]}'>link</a> and a <i about=\"#mwt1\" typeof=\"mw:Transclusion\" data-parsoid='{\"dsr\":[80,106,null,null],\"pi\":[[{\"k\":\"1\"}]]}' data-mw='{\"parts\":[{\"template\":{\"target\":{\"wt\":\"echo\",\"href\":\"./Template:Echo\"},\"params\":{\"1\":{\"wt\":\"&#39;&#39;bold template&#39;&#39;\"}},\"i\":0}}]}'>bold template</i>."}]]}'><a href="./File:Foobar.jpg" data-parsoid='{"a":{"href":"./File:Foobar.jpg"},"sa":{}}'><img alt="This is a link and a bold template." resource="./File:Foobar.jpg" src="//example.com/images/thumb/3/3a/Foobar.jpg/220px-Foobar.jpg" data-file-width="1941" data-file-height="220" data-file-type="bitmap" height="25" width="220" data-parsoid='{"a":{"alt":"This is a link and a bold template.","resource":"./File:Foobar.jpg","height":"25","width":"220"},"sa":{"alt":"alt=This is a [[link]] and a {{echo|''bold template''}}.","resource":"Image:Foobar.jpg"}}'/></a><figcaption>This is the image caption</figcaption></figure>
+<figure class="mw-default-size" typeof="mw:Image/Thumb mw:ExpandedAttrs" about="#mwt2" data-parsoid='{"optList":[{"ck":"thumbnail","ak":"thumb"},{"ck":"caption","ak":"This is the image caption"},{"ck":"alt","ak":"alt=This is a [[link]] and a {{echo|''bold template''}}."}]}' data-mw='{"attribs":[["thumbnail",{"html":"thumb"}],["alt",{"html":"alt=This is a <a rel=\"mw:WikiLink\" href=\"./Link\" title=\"Link\" data-parsoid='{\"stx\":\"simple\",\"a\":{\"href\":\"./Link\"},\"sa\":{\"href\":\"link\"},\"dsr\":[65,73,2,2]}'>link</a> and a <i about=\"#mwt1\" typeof=\"mw:Transclusion\" data-parsoid='{\"dsr\":[80,106,null,null],\"pi\":[[{\"k\":\"1\"}]]}' data-mw='{\"parts\":[{\"template\":{\"target\":{\"wt\":\"echo\",\"href\":\"./Template:Echo\"},\"params\":{\"1\":{\"wt\":\"&apos;&apos;bold template&apos;&apos;\"}},\"i\":0}}]}'>bold template</i>."}]]}'><a href="./File:Foobar.jpg" data-parsoid='{"a":{"href":"./File:Foobar.jpg"},"sa":{}}'><img alt="This is a link and a bold template." resource="./File:Foobar.jpg" src="//example.com/images/thumb/3/3a/Foobar.jpg/220px-Foobar.jpg" data-file-width="1941" data-file-height="220" data-file-type="bitmap" height="25" width="220" data-parsoid='{"a":{"alt":"This is a link and a bold template.","resource":"./File:Foobar.jpg","height":"25","width":"220"},"sa":{"alt":"alt=This is a [[link]] and a {{echo|''bold template''}}.","resource":"Image:Foobar.jpg"}}'/></a><figcaption>This is the image caption</figcaption></figure>
+!! end
+
+!! test
+Image with table with attributes in caption
+!! options
+parsoid=wt2html,html2html
+!! wikitext
+[[File:Foobar.jpg|thumb|
+{| class="123" |
+|- class="456" |
+| ha
+|}
+]]
+!! html/parsoid
+<figure class="mw-default-size" typeof="mw:Image/Thumb" data-parsoid='{"optList":[{"ck":"thumbnail","ak":"thumb"},{"ck":"caption","ak":"\n{| class=\"123\" |\n|- class=\"456\" |\n| ha\n|}\n"}]}'><a href="./File:Foobar.jpg" data-parsoid='{"a":{"href":"./File:Foobar.jpg"},"sa":{"href":"File:Foobar.jpg"}}'><img resource="./File:Foobar.jpg" src="//example.com/images/thumb/3/3a/Foobar.jpg/220px-Foobar.jpg" data-file-width="1941" data-file-height="220" data-file-type="bitmap" height="25" width="220" data-parsoid='{"a":{"resource":"./File:Foobar.jpg","height":"25","width":"220"},"sa":{"resource":"File:Foobar.jpg"}}'/></a><figcaption>
+<table class="123">
+<tbody><tr class="456" data-parsoid='{"startTagSrc":"|-"}'>
+<td> ha</td></tr>
+</tbody></table>
+</figcaption></figure>
+!! end
+
+!! test
+Image with table with rows from templates in caption
+!! wikitext
+[[File:Foobar.jpg|thumb|
+{|
+{{echo|{{!}} hi}}
+|}
+]]
+!! html/parsoid
+<figure class="mw-default-size" typeof="mw:Image/Thumb" data-parsoid='{"optList":[{"ck":"thumbnail","ak":"thumb"},{"ck":"caption","ak":"\n{|\n{{echo|{{!}} hi}}\n|}\n"}]}'><a href="./File:Foobar.jpg" data-parsoid='{"a":{"href":"./File:Foobar.jpg"},"sa":{"href":"File:Foobar.jpg"}}'><img resource="./File:Foobar.jpg" src="//example.com/images/thumb/3/3a/Foobar.jpg/220px-Foobar.jpg" data-file-width="1941" data-file-height="220" data-file-type="bitmap" height="25" width="220" data-parsoid='{"a":{"resource":"./File:Foobar.jpg","height":"25","width":"220"},"sa":{"resource":"File:Foobar.jpg"}}'/></a><figcaption>
+<table>
+<tbody about="#mwt4" typeof="mw:Transclusion" data-mw='{"parts":[{"template":{"target":{"wt":"echo","href":"./Template:Echo"},"params":{"1":{"wt":"{{!}} hi"}},"i":0}},"\n"]}'><tr><td> hi</td></tr>
+</tbody></table>
+</figcaption></figure>
!! end
!! test
!! options
parsoid=wt2html,wt2wt,html2html
!! wikitext
-[[File:Foobar.svg|thumb|caption|lang=invalid.language.code]]
+[[File:Foobar.svg|thumb|caption|lang=invalid:language:code]]
!! html/php
-<div class="thumb tright"><div class="thumbinner" style="width:182px;"><a href="/wiki/File:Foobar.svg" class="image"><img alt="" src="http://example.com/images/thumb/f/ff/Foobar.svg/180px-Foobar.svg.png" width="180" height="135" class="thumbimage" srcset="http://example.com/images/thumb/f/ff/Foobar.svg/270px-Foobar.svg.png 1.5x, http://example.com/images/thumb/f/ff/Foobar.svg/360px-Foobar.svg.png 2x" /></a> <div class="thumbcaption"><div class="magnify"><a href="/wiki/File:Foobar.svg" class="internal" title="Enlarge"></a></div>lang=invalid.language.code</div></div></div>
+<div class="thumb tright"><div class="thumbinner" style="width:182px;"><a href="/wiki/File:Foobar.svg" class="image"><img alt="" src="http://example.com/images/thumb/f/ff/Foobar.svg/180px-Foobar.svg.png" width="180" height="135" class="thumbimage" srcset="http://example.com/images/thumb/f/ff/Foobar.svg/270px-Foobar.svg.png 1.5x, http://example.com/images/thumb/f/ff/Foobar.svg/360px-Foobar.svg.png 2x" /></a> <div class="thumbcaption"><div class="magnify"><a href="/wiki/File:Foobar.svg" class="internal" title="Enlarge"></a></div>lang=invalid:language:code</div></div></div>
!! html/parsoid
<figure class="mw-default-size" typeof="mw:Image/Thumb"><a href="./File:Foobar.svg"><img resource="./File:Foobar.svg" src="//example.com/images/f/ff/Foobar.svg" data-file-width="240" data-file-height="180" data-file-type="drawing" height="165" width="220"/></a><figcaption>lang=invalid.language.code</figcaption></figure>
<p>all additional text is vanished</p>
!! end
+!! test
+Language converter glossary rules inside attributes (T119158)
+!! options
+language=sr variant=sr-el
+!! wikitext
+-{H|foAjrjvi=>sr-el:" onload="alert(1)" data-foo="}-
+
+[[File:Foobar.jpg|alt=-{}-foAjrjvi-{}-]]
+!! html
+<p>
+</p><p><a href="/wiki/%D0%94%D0%B0%D1%82%D0%BE%D1%82%D0%B5%D0%BA%D0%B0:Foobar.jpg" class="image"><img alt="" onload="alert(1)" data-foo="" src="http://example.com/images/3/3a/Foobar.jpg" width="1941" height="220" /></a>
+</p>
+!! end
+
!! test
Self closed html pairs (T7487)
!! wikitext
<p>Nested: Hello Hong Kong!
</p>
!! html/parsoid
-<p>Nested: <span typeof="mw:LanguageVariant" data-parsoid='{"tSp":[7]}' data-mw-variant='{"twoway":[{"l":"zh-hans","t":"Hi <span typeof=\"mw:LanguageVariant\" data-mw-variant='{\"twoway\":[{\"l\":\"zh-cn\",\"t\":\"China\"},{\"l\":\"zh-sg\",\"t\":\"Singapore\"}]}' data-parsoid='{\"fl\":[],\"tSp\":[7],\"dsr\":[21,53,null,2]}'></span>"},{"l":"zh-hant","t":"Hello <span typeof=\"mw:LanguageVariant\" data-mw-variant='{\"twoway\":[{\"l\":\"zh-tw\",\"t\":\"Taiwan\"},{\"l\":\"zh-hk\",\"t\":\"H&lt;span typeof=\\\"mw:LanguageVariant\\\" data-mw-variant=&#39;{\\\"disabled\\\":{\\\"t\\\":\\\"ong\\\"}}&#39; data-parsoid=&#39;{\\\"fl\\\":[],\\\"dsr\\\":[90,97,null,2]}&#39;>&lt;/span> K&lt;span typeof=\\\"mw:LanguageVariant\\\" data-mw-variant=&#39;{\\\"disabled\\\":{\\\"t\\\":\\\"\\\"}}&#39; data-parsoid=&#39;{\\\"fl\\\":[],\\\"dsr\\\":[99,103,null,2]}&#39;>&lt;/span>ong\"}]}' data-parsoid='{\"fl\":[],\"tSp\":[7],\"dsr\":[68,109,null,2]}'></span>"}]}'></span>!</p>
+<p>Nested: <span typeof="mw:LanguageVariant" data-parsoid='{"tSp":[7]}' data-mw-variant='{"twoway":[{"l":"zh-hans","t":"Hi <span typeof=\"mw:LanguageVariant\" data-mw-variant='{\"twoway\":[{\"l\":\"zh-cn\",\"t\":\"China\"},{\"l\":\"zh-sg\",\"t\":\"Singapore\"}]}' data-parsoid='{\"fl\":[],\"tSp\":[7],\"dsr\":[21,53,null,2]}'></span>"},{"l":"zh-hant","t":"Hello <span typeof=\"mw:LanguageVariant\" data-mw-variant='{\"twoway\":[{\"l\":\"zh-tw\",\"t\":\"Taiwan\"},{\"l\":\"zh-hk\",\"t\":\"H&lt;span typeof=\\\"mw:LanguageVariant\\\" data-mw-variant=&apos;{\\\"disabled\\\":{\\\"t\\\":\\\"ong\\\"}}&apos; data-parsoid=&apos;{\\\"fl\\\":[],\\\"dsr\\\":[90,97,null,2]}&apos;>&lt;/span> K&lt;span typeof=\\\"mw:LanguageVariant\\\" data-mw-variant=&apos;{\\\"disabled\\\":{\\\"t\\\":\\\"\\\"}}&apos; data-parsoid=&apos;{\\\"fl\\\":[],\\\"dsr\\\":[99,103,null,2]}&apos;>&lt;/span>ong\"}]}' data-parsoid='{\"fl\":[],\"tSp\":[7],\"dsr\":[68,109,null,2]}'></span>"}]}'></span>!</p>
!! end
!! test
<p><span title="X">A</span>
</p>
!! html/parsoid
-<p><span typeof="mw:LanguageVariant" data-mw-variant='{"filter":{"l":["zh","zh-hans","zh-hant"],"t":"<span title=\"\" about=\"#mwt1\" typeof=\"mw:ExpandedAttrs\" data-parsoid='{\"stx\":\"html\",\"a\":{\"title\":\"\"},\"sa\":{\"title\":\"-{X}-\"},\"dsr\":[21,49,20,7]}' data-mw='{\"attribs\":[[{\"txt\":\"title\"},{\"html\":\"&lt;span typeof=\\\"mw:LanguageVariant\\\" data-mw-variant=&#39;{\\\"disabled\\\":{\\\"t\\\":\\\"X\\\"}}&#39; data-parsoid=&#39;{\\\"fl\\\":[],\\\"dsr\\\":[34,39,null,2]}&#39;>&lt;/span>\"}]]}'>A</span>"}}'></span></p>
+<p><span typeof="mw:LanguageVariant" data-mw-variant='{"filter":{"l":["zh","zh-hans","zh-hant"],"t":"<span title=\"\" about=\"#mwt1\" typeof=\"mw:ExpandedAttrs\" data-parsoid='{\"stx\":\"html\",\"a\":{\"title\":\"\"},\"sa\":{\"title\":\"-{X}-\"},\"dsr\":[21,49,20,7]}' data-mw='{\"attribs\":[[{\"txt\":\"title\"},{\"html\":\"&lt;span typeof=\\\"mw:LanguageVariant\\\" data-mw-variant=&apos;{\\\"disabled\\\":{\\\"t\\\":\\\"X\\\"}}&apos; data-parsoid=&apos;{\\\"fl\\\":[],\\\"dsr\\\":[34,39,null,2]}&apos;>&lt;/span>\"}]]}'>A</span>"}}'></span></p>
!! end
!! test
<p><span title="X">A</span>
</p>
!! html/parsoid
-<p><span typeof="mw:LanguageVariant" data-mw-variant='{"disabled":{"t":"<span title=\"\" about=\"#mwt1\" typeof=\"mw:ExpandedAttrs\" data-parsoid='{\"stx\":\"html\",\"a\":{\"title\":\"\"},\"sa\":{\"title\":\"-{X}-\"},\"dsr\":[2,30,20,7]}' data-mw='{\"attribs\":[[{\"txt\":\"title\"},{\"html\":\"&lt;span typeof=\\\"mw:LanguageVariant\\\" data-mw-variant=&#39;{\\\"disabled\\\":{\\\"t\\\":\\\"X\\\"}}&#39; data-parsoid=&#39;{\\\"fl\\\":[],\\\"dsr\\\":[15,20,null,2]}&#39;>&lt;/span>\"}]]}'>A</span>"}}'></span></p>
+<p><span typeof="mw:LanguageVariant" data-mw-variant='{"disabled":{"t":"<span title=\"\" about=\"#mwt1\" typeof=\"mw:ExpandedAttrs\" data-parsoid='{\"stx\":\"html\",\"a\":{\"title\":\"\"},\"sa\":{\"title\":\"-{X}-\"},\"dsr\":[2,30,20,7]}' data-mw='{\"attribs\":[[{\"txt\":\"title\"},{\"html\":\"&lt;span typeof=\\\"mw:LanguageVariant\\\" data-mw-variant=&apos;{\\\"disabled\\\":{\\\"t\\\":\\\"X\\\"}}&apos; data-parsoid=&apos;{\\\"fl\\\":[],\\\"dsr\\\":[15,20,null,2]}&apos;>&lt;/span>\"}]]}'>A</span>"}}'></span></p>
!! end
# Parsoid and PHP disagree on how to parse this example: Parsoid
<tbody>
<tr><td>a
b
-</td><td data-parsoid='{"stx_v":"row"}'>c</td></tr>
+</td><td data-parsoid='{"stx":"row"}'>c</td></tr>
<tr><td><p>x</p>
-</td><td data-parsoid='{"stx_v":"row", "startTagSrc": "{{!}}{{!}}"}'>y</td></tr>
+</td><td data-parsoid='{"stx":"row", "startTagSrc": "{{!}}{{!}}"}'>y</td></tr>
</tbody></table>
<table>
<tbody>
<tr><th>a
b
-</th><th data-parsoid='{"stx_v":"row"}'>c</th></tr>
+</th><th data-parsoid='{"stx":"row"}'>c</th></tr>
<tr><th><p>x</h>
-</th><th data-parsoid='{"stx_v":"row"}'>y</th></tr>
+</th><th data-parsoid='{"stx":"row"}'>y</th></tr>
</tbody></table>
!! wikitext
{|
/** Helper */
protected function prefsFor( $user_key ) {
- // TODO This should use Preferences::getPreferences() instead of calling internal methods.
- // Unfortunately that currently ignores the $user parameter if it has cached data, even for
- // a different user...
- OutputPage::setupOOUI(
- strtolower( $this->context->getSkin()->getSkinName() ),
- $this->context->getLanguage()->getDir()
- );
- $preferences = [];
- Preferences::profilePreferences(
+ return Preferences::getPreferences(
$this->prefUsers[$user_key],
- $this->context,
- $preferences
+ $this->context
);
-
- return $preferences;
}
}
+++ /dev/null
-<?php
-
-/**
- * @todo Tests covering decodeCharReferences can be refactored into a single
- * method and dataprovider.
- *
- * @group Sanitizer
- */
-class SanitizerTest extends MediaWikiTestCase {
-
- protected function tearDown() {
- MWTidy::destroySingleton();
- parent::tearDown();
- }
-
- /**
- * @covers Sanitizer::decodeCharReferences
- */
- public function testDecodeNamedEntities() {
- $this->assertEquals(
- "\xc3\xa9cole",
- Sanitizer::decodeCharReferences( 'école' ),
- 'decode named entities'
- );
- }
-
- /**
- * @covers Sanitizer::decodeCharReferences
- */
- public function testDecodeNumericEntities() {
- $this->assertEquals(
- "\xc4\x88io bonas dans l'\xc3\xa9cole!",
- Sanitizer::decodeCharReferences( "Ĉio bonas dans l'école!" ),
- 'decode numeric entities'
- );
- }
-
- /**
- * @covers Sanitizer::decodeCharReferences
- */
- public function testDecodeMixedEntities() {
- $this->assertEquals(
- "\xc4\x88io bonas dans l'\xc3\xa9cole!",
- Sanitizer::decodeCharReferences( "Ĉio bonas dans l'école!" ),
- 'decode mixed numeric/named entities'
- );
- }
-
- /**
- * @covers Sanitizer::decodeCharReferences
- */
- public function testDecodeMixedComplexEntities() {
- $this->assertEquals(
- "\xc4\x88io bonas dans l'\xc3\xa9cole! (mais pas Ĉio dans l'école)",
- Sanitizer::decodeCharReferences(
- "Ĉio bonas dans l'école! (mais pas &#x108;io dans l'&eacute;cole)"
- ),
- 'decode mixed complex entities'
- );
- }
-
- /**
- * @covers Sanitizer::decodeCharReferences
- */
- public function testInvalidAmpersand() {
- $this->assertEquals(
- 'a & b',
- Sanitizer::decodeCharReferences( 'a & b' ),
- 'Invalid ampersand'
- );
- }
-
- /**
- * @covers Sanitizer::decodeCharReferences
- */
- public function testInvalidEntities() {
- $this->assertEquals(
- '&foo;',
- Sanitizer::decodeCharReferences( '&foo;' ),
- 'Invalid named entity'
- );
- }
-
- /**
- * @covers Sanitizer::decodeCharReferences
- */
- public function testInvalidNumberedEntities() {
- $this->assertEquals(
- UtfNormal\Constants::UTF8_REPLACEMENT,
- Sanitizer::decodeCharReferences( "�" ),
- 'Invalid numbered entity'
- );
- }
-
- /**
- * @covers Sanitizer::removeHTMLtags
- * @dataProvider provideHtml5Tags
- *
- * @param string $tag Name of an HTML5 element (ie: 'video')
- * @param bool $escaped Whether sanitizer let the tag in or escape it (ie: '<video>')
- */
- public function testRemovehtmltagsOnHtml5Tags( $tag, $escaped ) {
- MWTidy::setInstance( false );
-
- if ( $escaped ) {
- $this->assertEquals( "<$tag>",
- Sanitizer::removeHTMLtags( "<$tag>" )
- );
- } else {
- $this->assertEquals( "<$tag></$tag>\n",
- Sanitizer::removeHTMLtags( "<$tag>" )
- );
- }
- }
-
- /**
- * Provide HTML5 tags
- */
- public static function provideHtml5Tags() {
- $ESCAPED = true; # We want tag to be escaped
- $VERBATIM = false; # We want to keep the tag
- return [
- [ 'data', $VERBATIM ],
- [ 'mark', $VERBATIM ],
- [ 'time', $VERBATIM ],
- [ 'video', $ESCAPED ],
- ];
- }
-
- function dataRemoveHTMLtags() {
- return [
- // former testSelfClosingTag
- [
- '<div>Hello world</div />',
- '<div>Hello world</div>',
- 'Self-closing closing div'
- ],
- // Make sure special nested HTML5 semantics are not broken
- // https://html.spec.whatwg.org/multipage/semantics.html#the-kbd-element
- [
- '<kbd><kbd>Shift</kbd>+<kbd>F3</kbd></kbd>',
- '<kbd><kbd>Shift</kbd>+<kbd>F3</kbd></kbd>',
- 'Nested <kbd>.'
- ],
- // https://html.spec.whatwg.org/multipage/semantics.html#the-sub-and-sup-elements
- [
- '<var>x<sub><var>i</var></sub></var>, <var>y<sub><var>i</var></sub></var>',
- '<var>x<sub><var>i</var></sub></var>, <var>y<sub><var>i</var></sub></var>',
- 'Nested <var>.'
- ],
- // https://html.spec.whatwg.org/multipage/semantics.html#the-dfn-element
- [
- '<dfn><abbr title="Garage Door Opener">GDO</abbr></dfn>',
- '<dfn><abbr title="Garage Door Opener">GDO</abbr></dfn>',
- '<abbr> inside <dfn>',
- ],
- ];
- }
-
- /**
- * @dataProvider dataRemoveHTMLtags
- * @covers Sanitizer::removeHTMLtags
- */
- public function testRemoveHTMLtags( $input, $output, $msg = null ) {
- MWTidy::setInstance( false );
- $this->assertEquals( $output, Sanitizer::removeHTMLtags( $input ), $msg );
- }
-
- /**
- * @dataProvider provideTagAttributesToDecode
- * @covers Sanitizer::decodeTagAttributes
- */
- public function testDecodeTagAttributes( $expected, $attributes, $message = '' ) {
- $this->assertEquals( $expected,
- Sanitizer::decodeTagAttributes( $attributes ),
- $message
- );
- }
-
- public static function provideTagAttributesToDecode() {
- return [
- [ [ 'foo' => 'bar' ], 'foo=bar', 'Unquoted attribute' ],
- [ [ 'עברית' => 'bar' ], 'עברית=bar', 'Non-Latin attribute' ],
- [ [ '६' => 'bar' ], '६=bar', 'Devanagari number' ],
- [ [ '搭𨋢' => 'bar' ], '搭𨋢=bar', 'Non-BMP character' ],
- [ [], 'ńgh=bar', 'Combining accent is not allowed' ],
- [ [ 'foo' => 'bar' ], ' foo = bar ', 'Spaced attribute' ],
- [ [ 'foo' => 'bar' ], 'foo="bar"', 'Double-quoted attribute' ],
- [ [ 'foo' => 'bar' ], 'foo=\'bar\'', 'Single-quoted attribute' ],
- [
- [ 'foo' => 'bar', 'baz' => 'foo' ],
- 'foo=\'bar\' baz="foo"',
- 'Several attributes'
- ],
- [
- [ 'foo' => 'bar', 'baz' => 'foo' ],
- 'foo=\'bar\' baz="foo"',
- 'Several attributes'
- ],
- [
- [ 'foo' => 'bar', 'baz' => 'foo' ],
- 'foo=\'bar\' baz="foo"',
- 'Several attributes'
- ],
- [ [ ':foo' => 'bar' ], ':foo=\'bar\'', 'Leading :' ],
- [ [ '_foo' => 'bar' ], '_foo=\'bar\'', 'Leading _' ],
- [ [ 'foo' => 'bar' ], 'Foo=\'bar\'', 'Leading capital' ],
- [ [ 'foo' => 'BAR' ], 'FOO=BAR', 'Attribute keys are normalized to lowercase' ],
-
- # Invalid beginning
- [ [], '-foo=bar', 'Leading - is forbidden' ],
- [ [], '.foo=bar', 'Leading . is forbidden' ],
- [ [ 'foo-bar' => 'bar' ], 'foo-bar=bar', 'A - is allowed inside the attribute' ],
- [ [ 'foo-' => 'bar' ], 'foo-=bar', 'A - is allowed inside the attribute' ],
- [ [ 'foo.bar' => 'baz' ], 'foo.bar=baz', 'A . is allowed inside the attribute' ],
- [ [ 'foo.' => 'baz' ], 'foo.=baz', 'A . is allowed as last character' ],
- [ [ 'foo6' => 'baz' ], 'foo6=baz', 'Numbers are allowed' ],
-
- # This bit is more relaxed than XML rules, but some extensions use
- # it, like ProofreadPage (see T29539)
- [ [ '1foo' => 'baz' ], '1foo=baz', 'Leading numbers are allowed' ],
- [ [], 'foo$=baz', 'Symbols are not allowed' ],
- [ [], 'foo@=baz', 'Symbols are not allowed' ],
- [ [], 'foo~=baz', 'Symbols are not allowed' ],
- [
- [ 'foo' => '1[#^`*%w/(' ],
- 'foo=1[#^`*%w/(',
- 'All kind of characters are allowed as values'
- ],
- [
- [ 'foo' => '1[#^`*%\'w/(' ],
- 'foo="1[#^`*%\'w/("',
- 'Double quotes are allowed if quoted by single quotes'
- ],
- [
- [ 'foo' => '1[#^`*%"w/(' ],
- 'foo=\'1[#^`*%"w/(\'',
- 'Single quotes are allowed if quoted by double quotes'
- ],
- [ [ 'foo' => '&"' ], 'foo=&"', 'Special chars can be provided as entities' ],
- [ [ 'foo' => '&foobar;' ], 'foo=&foobar;', 'Entity-like items are accepted' ],
- ];
- }
-
- /**
- * @dataProvider provideDeprecatedAttributes
- * @covers Sanitizer::fixTagAttributes
- */
- public function testDeprecatedAttributesUnaltered( $inputAttr, $inputEl, $message = '' ) {
- $this->assertEquals( " $inputAttr",
- Sanitizer::fixTagAttributes( $inputAttr, $inputEl ),
- $message
- );
- }
-
- public static function provideDeprecatedAttributes() {
- /** [ <attribute>, <element>, [message] ] */
- return [
- [ 'clear="left"', 'br' ],
- [ 'clear="all"', 'br' ],
- [ 'width="100"', 'td' ],
- [ 'nowrap="true"', 'td' ],
- [ 'nowrap=""', 'td' ],
- [ 'align="right"', 'td' ],
- [ 'align="center"', 'table' ],
- [ 'align="left"', 'tr' ],
- [ 'align="center"', 'div' ],
- [ 'align="left"', 'h1' ],
- [ 'align="left"', 'p' ],
- ];
- }
-
- /**
- * @dataProvider provideCssCommentsFixtures
- * @covers Sanitizer::checkCss
- */
- public function testCssCommentsChecking( $expected, $css, $message = '' ) {
- $this->assertEquals( $expected,
- Sanitizer::checkCss( $css ),
- $message
- );
- }
-
- public static function provideCssCommentsFixtures() {
- /** [ <expected>, <css>, [message] ] */
- return [
- // Valid comments spanning entire input
- [ '/**/', '/**/' ],
- [ '/* comment */', '/* comment */' ],
- // Weird stuff
- [ ' ', '/****/' ],
- [ ' ', '/* /* */' ],
- [ 'display: block;', "display:/* foo */block;" ],
- [ 'display: block;', "display:\\2f\\2a foo \\2a\\2f block;",
- 'Backslash-escaped comments must be stripped (T30450)' ],
- [ '', '/* unfinished comment structure',
- 'Remove anything after a comment-start token' ],
- [ '', "\\2f\\2a unifinished comment'",
- 'Remove anything after a backslash-escaped comment-start token' ],
- [
- '/* insecure input */',
- 'filter: progid:DXImageTransform.Microsoft.AlphaImageLoader'
- . '(src=\'asdf.png\',sizingMethod=\'scale\');'
- ],
- [
- '/* insecure input */',
- '-ms-filter: "progid:DXImageTransform.Microsoft.AlphaImageLoader'
- . '(src=\'asdf.png\',sizingMethod=\'scale\')";'
- ],
- [ '/* insecure input */', 'width: expression(1+1);' ],
- [ '/* insecure input */', 'background-image: image(asdf.png);' ],
- [ '/* insecure input */', 'background-image: -webkit-image(asdf.png);' ],
- [ '/* insecure input */', 'background-image: -moz-image(asdf.png);' ],
- [ '/* insecure input */', 'background-image: image-set("asdf.png" 1x, "asdf.png" 2x);' ],
- [
- '/* insecure input */',
- 'background-image: -webkit-image-set("asdf.png" 1x, "asdf.png" 2x);'
- ],
- [
- '/* insecure input */',
- 'background-image: -moz-image-set("asdf.png" 1x, "asdf.png" 2x);'
- ],
- [ '/* insecure input */', 'foo: attr( title, url );' ],
- [ '/* insecure input */', 'foo: attr( title url );' ],
- ];
- }
-
- /**
- * @dataProvider provideEscapeHtmlAllowEntities
- * @covers Sanitizer::escapeHtmlAllowEntities
- */
- public function testEscapeHtmlAllowEntities( $expected, $html ) {
- $this->assertEquals(
- $expected,
- Sanitizer::escapeHtmlAllowEntities( $html )
- );
- }
-
- public static function provideEscapeHtmlAllowEntities() {
- return [
- [ 'foo', 'foo' ],
- [ 'a¡b', 'a¡b' ],
- [ 'foo'bar', "foo'bar" ],
- [ '<script>foo</script>', '<script>foo</script>' ],
- ];
- }
-
- /**
- * Test Sanitizer::escapeId
- *
- * @dataProvider provideEscapeId
- * @covers Sanitizer::escapeId
- */
- public function testEscapeId( $input, $output ) {
- $this->assertEquals(
- $output,
- Sanitizer::escapeId( $input, [ 'noninitial', 'legacy' ] )
- );
- }
-
- public static function provideEscapeId() {
- return [
- [ '+', '.2B' ],
- [ '&', '.26' ],
- [ '=', '.3D' ],
- [ ':', ':' ],
- [ ';', '.3B' ],
- [ '@', '.40' ],
- [ '$', '.24' ],
- [ '-_.', '-_.' ],
- [ '!', '.21' ],
- [ '*', '.2A' ],
- [ '/', '.2F' ],
- [ '[]', '.5B.5D' ],
- [ '<>', '.3C.3E' ],
- [ '\'', '.27' ],
- [ '§', '.C2.A7' ],
- [ 'Test:A & B/Here', 'Test:A_.26_B.2FHere' ],
- [ 'A&B&C&amp;D&amp;amp;E', 'A.26B.26amp.3BC.26amp.3Bamp.3BD.26amp.3Bamp.3Bamp.3BE' ],
- ];
- }
-
- /**
- * Test escapeIdReferenceList for consistency with escapeIdForAttribute
- *
- * @dataProvider provideEscapeIdReferenceList
- * @covers Sanitizer::escapeIdReferenceList
- */
- public function testEscapeIdReferenceList( $referenceList, $id1, $id2 ) {
- $this->assertEquals(
- Sanitizer::escapeIdReferenceList( $referenceList ),
- Sanitizer::escapeIdForAttribute( $id1 )
- . ' '
- . Sanitizer::escapeIdForAttribute( $id2 )
- );
- }
-
- public static function provideEscapeIdReferenceList() {
- /** [ <reference list>, <individual id 1>, <individual id 2> ] */
- return [
- [ 'foo bar', 'foo', 'bar' ],
- [ '#1 #2', '#1', '#2' ],
- [ '+1 +2', '+1', '+2' ],
- ];
- }
-
- /**
- * @dataProvider provideIsReservedDataAttribute
- */
- public function testIsReservedDataAttribute( $attr, $expected ) {
- $this->assertSame( $expected, Sanitizer::isReservedDataAttribute( $attr ) );
- }
-
- public static function provideIsReservedDataAttribute() {
- return [
- [ 'foo', false ],
- [ 'data', false ],
- [ 'data-foo', false ],
- [ 'data-mw', true ],
- [ 'data-ooui', true ],
- [ 'data-parsoid', true ],
- [ 'data-mw-foo', true ],
- [ 'data-ooui-foo', true ],
- [ 'data-mwfoo', true ], // could be false but this is how it's implemented currently
- ];
- }
-
- /**
- * @dataProvider provideEscapeIdForStuff
- *
- * @covers Sanitizer::escapeIdForAttribute()
- * @covers Sanitizer::escapeIdForLink()
- * @covers Sanitizer::escapeIdForExternalInterwiki()
- * @covers Sanitizer::escapeIdInternal()
- *
- * @param string $stuff
- * @param string[] $config
- * @param string $id
- * @param string|false $expected
- * @param int|null $mode
- */
- public function testEscapeIdForStuff( $stuff, array $config, $id, $expected, $mode = null ) {
- $func = "Sanitizer::escapeIdFor{$stuff}";
- $iwFlavor = array_pop( $config );
- $this->setMwGlobals( [
- 'wgFragmentMode' => $config,
- 'wgExternalInterwikiFragmentMode' => $iwFlavor,
- ] );
- $escaped = call_user_func( $func, $id, $mode );
- self::assertEquals( $expected, $escaped );
- }
-
- public function provideEscapeIdForStuff() {
- // Test inputs and outputs
- $text = 'foo тест_#%!\'()[]:<>&&&amp;';
- $legacyEncoded = 'foo_.D1.82.D0.B5.D1.81.D1.82_.23.25.21.27.28.29.5B.5D:.3C.3E' .
- '.26.26amp.3B.26amp.3Bamp.3B';
- $html5Encoded = 'foo_тест_#%!\'()[]:<>&&&amp;';
- $html5Experimental = 'foo_тест_!_()[]:<>_amp;_amp;amp;';
-
- // Settings: last element is $wgExternalInterwikiFragmentMode, the rest is $wgFragmentMode
- $legacy = [ 'legacy', 'legacy' ];
- $legacyNew = [ 'legacy', 'html5', 'legacy' ];
- $newLegacy = [ 'html5', 'legacy', 'legacy' ];
- $new = [ 'html5', 'legacy' ];
- $allNew = [ 'html5', 'html5' ];
- $experimentalLegacy = [ 'html5-legacy', 'legacy', 'legacy' ];
- $newExperimental = [ 'html5', 'html5-legacy', 'legacy' ];
-
- return [
- // Pure legacy: how MW worked before 2017
- [ 'Attribute', $legacy, $text, $legacyEncoded, Sanitizer::ID_PRIMARY ],
- [ 'Attribute', $legacy, $text, false, Sanitizer::ID_FALLBACK ],
- [ 'Link', $legacy, $text, $legacyEncoded ],
- [ 'ExternalInterwiki', $legacy, $text, $legacyEncoded ],
-
- // Transition to a new world: legacy links with HTML5 fallback
- [ 'Attribute', $legacyNew, $text, $legacyEncoded, Sanitizer::ID_PRIMARY ],
- [ 'Attribute', $legacyNew, $text, $html5Encoded, Sanitizer::ID_FALLBACK ],
- [ 'Link', $legacyNew, $text, $legacyEncoded ],
- [ 'ExternalInterwiki', $legacyNew, $text, $legacyEncoded ],
-
- // New world: HTML5 links, legacy fallbacks
- [ 'Attribute', $newLegacy, $text, $html5Encoded, Sanitizer::ID_PRIMARY ],
- [ 'Attribute', $newLegacy, $text, $legacyEncoded, Sanitizer::ID_FALLBACK ],
- [ 'Link', $newLegacy, $text, $html5Encoded ],
- [ 'ExternalInterwiki', $newLegacy, $text, $legacyEncoded ],
-
- // Distant future: no legacy fallbacks, but still linking to leagacy wikis
- [ 'Attribute', $new, $text, $html5Encoded, Sanitizer::ID_PRIMARY ],
- [ 'Attribute', $new, $text, false, Sanitizer::ID_FALLBACK ],
- [ 'Link', $new, $text, $html5Encoded ],
- [ 'ExternalInterwiki', $new, $text, $legacyEncoded ],
-
- // Just before the heat death of universe: external interwikis are also HTML5 \m/
- [ 'Attribute', $allNew, $text, $html5Encoded, Sanitizer::ID_PRIMARY ],
- [ 'Attribute', $allNew, $text, false, Sanitizer::ID_FALLBACK ],
- [ 'Link', $allNew, $text, $html5Encoded ],
- [ 'ExternalInterwiki', $allNew, $text, $html5Encoded ],
-
- // Someone flipped $wgExperimentalHtmlIds on
- [ 'Attribute', $experimentalLegacy, $text, $html5Experimental, Sanitizer::ID_PRIMARY ],
- [ 'Attribute', $experimentalLegacy, $text, $legacyEncoded, Sanitizer::ID_FALLBACK ],
- [ 'Link', $experimentalLegacy, $text, $html5Experimental ],
- [ 'ExternalInterwiki', $experimentalLegacy, $text, $legacyEncoded ],
-
- // Migration from $wgExperimentalHtmlIds to modern HTML5
- [ 'Attribute', $newExperimental, $text, $html5Encoded, Sanitizer::ID_PRIMARY ],
- [ 'Attribute', $newExperimental, $text, $html5Experimental, Sanitizer::ID_FALLBACK ],
- [ 'Link', $newExperimental, $text, $html5Encoded ],
- [ 'ExternalInterwiki', $newExperimental, $text, $legacyEncoded ],
- ];
- }
-
- /**
- * @expectedException InvalidArgumentException
- * @covers Sanitizer::escapeIdInternal()
- */
- public function testInvalidFragmentThrows() {
- $this->setMwGlobals( 'wgFragmentMode', [ 'boom!' ] );
- Sanitizer::escapeIdForAttribute( 'This should throw' );
- }
-
- /**
- * @expectedException UnexpectedValueException
- * @covers Sanitizer::escapeIdForAttribute()
- */
- public function testNoPrimaryFragmentModeThrows() {
- $this->setMwGlobals( 'wgFragmentMode', [ 666 => 'html5' ] );
- Sanitizer::escapeIdForAttribute( 'This should throw' );
- }
-
- /**
- * @expectedException UnexpectedValueException
- * @covers Sanitizer::escapeIdForLink()
- */
- public function testNoPrimaryFragmentModeThrows2() {
- $this->setMwGlobals( 'wgFragmentMode', [ 666 => 'html5' ] );
- Sanitizer::escapeIdForLink( 'This should throw' );
- }
-}
$this->mUserMock->expects( $this->never() )
->method( 'resetOptions' );
- $this->mUserMock->expects( $this->at( 2 ) )
- ->method( 'getOptions' );
-
- $this->mUserMock->expects( $this->at( 5 ) )
+ $this->mUserMock->expects( $this->exactly( 3 ) )
->method( 'setOption' )
- ->with( $this->equalTo( 'willBeNull' ), $this->identicalTo( null ) );
-
- $this->mUserMock->expects( $this->at( 6 ) )
- ->method( 'getOptions' );
-
- $this->mUserMock->expects( $this->at( 7 ) )
- ->method( 'setOption' )
- ->with( $this->equalTo( 'willBeEmpty' ), $this->equalTo( '' ) );
-
- $this->mUserMock->expects( $this->at( 8 ) )
- ->method( 'getOptions' );
-
- $this->mUserMock->expects( $this->at( 9 ) )
- ->method( 'setOption' )
- ->with( $this->equalTo( 'willBeHappy' ), $this->equalTo( 'Happy' ) );
+ ->withConsecutive(
+ [ $this->equalTo( 'willBeNull' ), $this->identicalTo( null ) ],
+ [ $this->equalTo( 'willBeEmpty' ), $this->equalTo( '' ) ],
+ [ $this->equalTo( 'willBeHappy' ), $this->equalTo( 'Happy' ) ]
+ );
$this->mUserMock->expects( $this->once() )
->method( 'saveSettings' );
$this->mUserMock->expects( $this->once() )
->method( 'resetOptions' );
- $this->mUserMock->expects( $this->at( 5 ) )
- ->method( 'getOptions' );
-
- $this->mUserMock->expects( $this->at( 6 ) )
- ->method( 'setOption' )
- ->with( $this->equalTo( 'willBeHappy' ), $this->equalTo( 'Happy' ) );
-
- $this->mUserMock->expects( $this->at( 7 ) )
- ->method( 'getOptions' );
-
- $this->mUserMock->expects( $this->at( 8 ) )
+ $this->mUserMock->expects( $this->exactly( 2 ) )
->method( 'setOption' )
- ->with( $this->equalTo( 'name' ), $this->equalTo( 'value' ) );
+ ->withConsecutive(
+ [ $this->equalTo( 'willBeHappy' ), $this->equalTo( 'Happy' ) ],
+ [ $this->equalTo( 'name' ), $this->equalTo( 'value' ) ]
+ );
$this->mUserMock->expects( $this->once() )
->method( 'saveSettings' );
$this->mUserMock->expects( $this->never() )
->method( 'resetOptions' );
- $this->mUserMock->expects( $this->at( 4 ) )
- ->method( 'setOption' )
- ->with( $this->equalTo( 'testmultiselect-opt1' ), $this->identicalTo( true ) );
-
- $this->mUserMock->expects( $this->at( 5 ) )
- ->method( 'setOption' )
- ->with( $this->equalTo( 'testmultiselect-opt2' ), $this->identicalTo( null ) );
-
- $this->mUserMock->expects( $this->at( 6 ) )
- ->method( 'setOption' )
- ->with( $this->equalTo( 'testmultiselect-opt3' ), $this->identicalTo( false ) );
-
- $this->mUserMock->expects( $this->at( 7 ) )
+ $this->mUserMock->expects( $this->exactly( 4 ) )
->method( 'setOption' )
- ->with( $this->equalTo( 'testmultiselect-opt4' ), $this->identicalTo( false ) );
+ ->withConsecutive(
+ [ $this->equalTo( 'testmultiselect-opt1' ), $this->identicalTo( true ) ],
+ [ $this->equalTo( 'testmultiselect-opt2' ), $this->identicalTo( null ) ],
+ [ $this->equalTo( 'testmultiselect-opt3' ), $this->identicalTo( false ) ],
+ [ $this->equalTo( 'testmultiselect-opt4' ), $this->identicalTo( false ) ]
+ );
$this->mUserMock->expects( $this->once() )
->method( 'saveSettings' );
);
$provider = new AuthPluginPrimaryAuthenticationProvider( $plugin );
- \Hooks::run( 'UserGroupsChanged', [ $user, [ 'added' ], [ 'removed' ] ] );
+ \Hooks::run( 'UserGroupsChanged', [ $user, [ 'added' ], [ 'removed' ], false, false, [], [] ] );
}
public function testOnUserLoggedIn() {
$req->password = 'DoesNotExist';
$ret = $provider->beginPrimaryAuthentication( $reqs );
$this->assertEquals(
- AuthenticationResponse::newAbstain(),
- $provider->beginPrimaryAuthentication( $reqs )
+ AuthenticationResponse::FAIL,
+ $ret->status
+ );
+ $this->assertEquals(
+ 'wrongpassword',
+ $ret->message->getKey()
);
// Validation failure
*/
class SvgTest extends MediaWikiMediaTestCase {
+ /**
+ * @var SvgHandler
+ */
+ private $handler;
+
protected function setUp() {
parent::setUp();
[ 'Wikimedia-logo.svg', [] ]
];
}
+
+ /**
+ * @param string $userPreferredLanguage
+ * @param array $svgLanguages
+ * @param string $expectedMatch
+ * @dataProvider providerGetMatchedLanguage
+ * @covers SvgHandler::getMatchedLanguage
+ */
+ public function testGetMatchedLanguage( $userPreferredLanguage, $svgLanguages, $expectedMatch ) {
+ $match = $this->handler->getMatchedLanguage( $userPreferredLanguage, $svgLanguages );
+ $this->assertEquals( $expectedMatch, $match );
+ }
+
+ public function providerGetMatchedLanguage() {
+ return [
+ 'no match' => [
+ 'userPreferredLanguage' => 'en',
+ 'svgLanguages' => [ 'de-DE', 'zh', 'ga', 'fr', 'sr-Latn-ME' ],
+ 'expectedMatch' => null,
+ ],
+ 'no subtags' => [
+ 'userPreferredLanguage' => 'en',
+ 'svgLanguages' => [ 'de', 'zh', 'en', 'fr' ],
+ 'expectedMatch' => 'en',
+ ],
+ 'user no subtags, svg 1 subtag' => [
+ 'userPreferredLanguage' => 'en',
+ 'svgLanguages' => [ 'de-DE', 'en-GB', 'en-US', 'fr' ],
+ 'expectedMatch' => 'en-GB',
+ ],
+ 'user no subtags, svg >1 subtag' => [
+ 'userPreferredLanguage' => 'sr',
+ 'svgLanguages' => [ 'de-DE', 'sr-Cyrl-BA', 'sr-Latn-ME', 'en-US', 'fr' ],
+ 'expectedMatch' => 'sr-Cyrl-BA',
+ ],
+ 'user 1 subtag, svg no subtags' => [
+ 'userPreferredLanguage' => 'en-US',
+ 'svgLanguages' => [ 'de', 'en', 'en', 'fr' ],
+ 'expectedMatch' => null,
+ ],
+ 'user 1 subtag, svg 1 subtag' => [
+ 'userPreferredLanguage' => 'en-US',
+ 'svgLanguages' => [ 'de-DE', 'en-GB', 'en-US', 'fr' ],
+ 'expectedMatch' => 'en-US',
+ ],
+ 'user 1 subtag, svg >1 subtag' => [
+ 'userPreferredLanguage' => 'sr-Latn',
+ 'svgLanguages' => [ 'de-DE', 'sr-Cyrl-BA', 'sr-Latn-ME', 'fr' ],
+ 'expectedMatch' => 'sr-Latn-ME',
+ ],
+ 'user >1 subtag, svg >1 subtag' => [
+ 'userPreferredLanguage' => 'sr-Latn-ME',
+ 'svgLanguages' => [ 'de-DE', 'sr-Cyrl-BA', 'sr-Latn-ME', 'en-US', 'fr' ],
+ 'expectedMatch' => 'sr-Latn-ME',
+ ],
+ 'user >1 subtag, svg <=1 subtag' => [
+ 'userPreferredLanguage' => 'sr-Latn-ME',
+ 'svgLanguages' => [ 'de-DE', 'sr-Cyrl', 'sr-Latn', 'en-US', 'fr' ],
+ 'expectedMatch' => null,
+ ],
+ 'ensure case-insensitive' => [
+ 'userPreferredLanguage' => 'sr-latn',
+ 'svgLanguages' => [ 'de-DE', 'sr-Cyrl', 'sr-Latn-ME', 'en-US', 'fr' ],
+ 'expectedMatch' => 'sr-Latn-ME',
+ ],
+ ];
+ }
}
--- /dev/null
+<?php
+
+/**
+ * @todo Tests covering decodeCharReferences can be refactored into a single
+ * method and dataprovider.
+ *
+ * @group Sanitizer
+ */
+class SanitizerTest extends MediaWikiTestCase {
+
+ protected function tearDown() {
+ MWTidy::destroySingleton();
+ parent::tearDown();
+ }
+
+ /**
+ * @covers Sanitizer::decodeCharReferences
+ */
+ public function testDecodeNamedEntities() {
+ $this->assertEquals(
+ "\xc3\xa9cole",
+ Sanitizer::decodeCharReferences( 'école' ),
+ 'decode named entities'
+ );
+ }
+
+ /**
+ * @covers Sanitizer::decodeCharReferences
+ */
+ public function testDecodeNumericEntities() {
+ $this->assertEquals(
+ "\xc4\x88io bonas dans l'\xc3\xa9cole!",
+ Sanitizer::decodeCharReferences( "Ĉio bonas dans l'école!" ),
+ 'decode numeric entities'
+ );
+ }
+
+ /**
+ * @covers Sanitizer::decodeCharReferences
+ */
+ public function testDecodeMixedEntities() {
+ $this->assertEquals(
+ "\xc4\x88io bonas dans l'\xc3\xa9cole!",
+ Sanitizer::decodeCharReferences( "Ĉio bonas dans l'école!" ),
+ 'decode mixed numeric/named entities'
+ );
+ }
+
+ /**
+ * @covers Sanitizer::decodeCharReferences
+ */
+ public function testDecodeMixedComplexEntities() {
+ $this->assertEquals(
+ "\xc4\x88io bonas dans l'\xc3\xa9cole! (mais pas Ĉio dans l'école)",
+ Sanitizer::decodeCharReferences(
+ "Ĉio bonas dans l'école! (mais pas &#x108;io dans l'&eacute;cole)"
+ ),
+ 'decode mixed complex entities'
+ );
+ }
+
+ /**
+ * @covers Sanitizer::decodeCharReferences
+ */
+ public function testInvalidAmpersand() {
+ $this->assertEquals(
+ 'a & b',
+ Sanitizer::decodeCharReferences( 'a & b' ),
+ 'Invalid ampersand'
+ );
+ }
+
+ /**
+ * @covers Sanitizer::decodeCharReferences
+ */
+ public function testInvalidEntities() {
+ $this->assertEquals(
+ '&foo;',
+ Sanitizer::decodeCharReferences( '&foo;' ),
+ 'Invalid named entity'
+ );
+ }
+
+ /**
+ * @covers Sanitizer::decodeCharReferences
+ */
+ public function testInvalidNumberedEntities() {
+ $this->assertEquals(
+ UtfNormal\Constants::UTF8_REPLACEMENT,
+ Sanitizer::decodeCharReferences( "�" ),
+ 'Invalid numbered entity'
+ );
+ }
+
+ /**
+ * @covers Sanitizer::removeHTMLtags
+ * @dataProvider provideHtml5Tags
+ *
+ * @param string $tag Name of an HTML5 element (ie: 'video')
+ * @param bool $escaped Whether sanitizer let the tag in or escape it (ie: '<video>')
+ */
+ public function testRemovehtmltagsOnHtml5Tags( $tag, $escaped ) {
+ MWTidy::setInstance( false );
+
+ if ( $escaped ) {
+ $this->assertEquals( "<$tag>",
+ Sanitizer::removeHTMLtags( "<$tag>" )
+ );
+ } else {
+ $this->assertEquals( "<$tag></$tag>\n",
+ Sanitizer::removeHTMLtags( "<$tag>" )
+ );
+ }
+ }
+
+ /**
+ * Provide HTML5 tags
+ */
+ public static function provideHtml5Tags() {
+ $ESCAPED = true; # We want tag to be escaped
+ $VERBATIM = false; # We want to keep the tag
+ return [
+ [ 'data', $VERBATIM ],
+ [ 'mark', $VERBATIM ],
+ [ 'time', $VERBATIM ],
+ [ 'video', $ESCAPED ],
+ ];
+ }
+
+ function dataRemoveHTMLtags() {
+ return [
+ // former testSelfClosingTag
+ [
+ '<div>Hello world</div />',
+ '<div>Hello world</div>',
+ 'Self-closing closing div'
+ ],
+ // Make sure special nested HTML5 semantics are not broken
+ // https://html.spec.whatwg.org/multipage/semantics.html#the-kbd-element
+ [
+ '<kbd><kbd>Shift</kbd>+<kbd>F3</kbd></kbd>',
+ '<kbd><kbd>Shift</kbd>+<kbd>F3</kbd></kbd>',
+ 'Nested <kbd>.'
+ ],
+ // https://html.spec.whatwg.org/multipage/semantics.html#the-sub-and-sup-elements
+ [
+ '<var>x<sub><var>i</var></sub></var>, <var>y<sub><var>i</var></sub></var>',
+ '<var>x<sub><var>i</var></sub></var>, <var>y<sub><var>i</var></sub></var>',
+ 'Nested <var>.'
+ ],
+ // https://html.spec.whatwg.org/multipage/semantics.html#the-dfn-element
+ [
+ '<dfn><abbr title="Garage Door Opener">GDO</abbr></dfn>',
+ '<dfn><abbr title="Garage Door Opener">GDO</abbr></dfn>',
+ '<abbr> inside <dfn>',
+ ],
+ ];
+ }
+
+ /**
+ * @dataProvider dataRemoveHTMLtags
+ * @covers Sanitizer::removeHTMLtags
+ */
+ public function testRemoveHTMLtags( $input, $output, $msg = null ) {
+ MWTidy::setInstance( false );
+ $this->assertEquals( $output, Sanitizer::removeHTMLtags( $input ), $msg );
+ }
+
+ /**
+ * @dataProvider provideTagAttributesToDecode
+ * @covers Sanitizer::decodeTagAttributes
+ */
+ public function testDecodeTagAttributes( $expected, $attributes, $message = '' ) {
+ $this->assertEquals( $expected,
+ Sanitizer::decodeTagAttributes( $attributes ),
+ $message
+ );
+ }
+
+ public static function provideTagAttributesToDecode() {
+ return [
+ [ [ 'foo' => 'bar' ], 'foo=bar', 'Unquoted attribute' ],
+ [ [ 'עברית' => 'bar' ], 'עברית=bar', 'Non-Latin attribute' ],
+ [ [ '६' => 'bar' ], '६=bar', 'Devanagari number' ],
+ [ [ '搭𨋢' => 'bar' ], '搭𨋢=bar', 'Non-BMP character' ],
+ [ [], 'ńgh=bar', 'Combining accent is not allowed' ],
+ [ [ 'foo' => 'bar' ], ' foo = bar ', 'Spaced attribute' ],
+ [ [ 'foo' => 'bar' ], 'foo="bar"', 'Double-quoted attribute' ],
+ [ [ 'foo' => 'bar' ], 'foo=\'bar\'', 'Single-quoted attribute' ],
+ [
+ [ 'foo' => 'bar', 'baz' => 'foo' ],
+ 'foo=\'bar\' baz="foo"',
+ 'Several attributes'
+ ],
+ [
+ [ 'foo' => 'bar', 'baz' => 'foo' ],
+ 'foo=\'bar\' baz="foo"',
+ 'Several attributes'
+ ],
+ [
+ [ 'foo' => 'bar', 'baz' => 'foo' ],
+ 'foo=\'bar\' baz="foo"',
+ 'Several attributes'
+ ],
+ [ [ ':foo' => 'bar' ], ':foo=\'bar\'', 'Leading :' ],
+ [ [ '_foo' => 'bar' ], '_foo=\'bar\'', 'Leading _' ],
+ [ [ 'foo' => 'bar' ], 'Foo=\'bar\'', 'Leading capital' ],
+ [ [ 'foo' => 'BAR' ], 'FOO=BAR', 'Attribute keys are normalized to lowercase' ],
+
+ # Invalid beginning
+ [ [], '-foo=bar', 'Leading - is forbidden' ],
+ [ [], '.foo=bar', 'Leading . is forbidden' ],
+ [ [ 'foo-bar' => 'bar' ], 'foo-bar=bar', 'A - is allowed inside the attribute' ],
+ [ [ 'foo-' => 'bar' ], 'foo-=bar', 'A - is allowed inside the attribute' ],
+ [ [ 'foo.bar' => 'baz' ], 'foo.bar=baz', 'A . is allowed inside the attribute' ],
+ [ [ 'foo.' => 'baz' ], 'foo.=baz', 'A . is allowed as last character' ],
+ [ [ 'foo6' => 'baz' ], 'foo6=baz', 'Numbers are allowed' ],
+
+ # This bit is more relaxed than XML rules, but some extensions use
+ # it, like ProofreadPage (see T29539)
+ [ [ '1foo' => 'baz' ], '1foo=baz', 'Leading numbers are allowed' ],
+ [ [], 'foo$=baz', 'Symbols are not allowed' ],
+ [ [], 'foo@=baz', 'Symbols are not allowed' ],
+ [ [], 'foo~=baz', 'Symbols are not allowed' ],
+ [
+ [ 'foo' => '1[#^`*%w/(' ],
+ 'foo=1[#^`*%w/(',
+ 'All kind of characters are allowed as values'
+ ],
+ [
+ [ 'foo' => '1[#^`*%\'w/(' ],
+ 'foo="1[#^`*%\'w/("',
+ 'Double quotes are allowed if quoted by single quotes'
+ ],
+ [
+ [ 'foo' => '1[#^`*%"w/(' ],
+ 'foo=\'1[#^`*%"w/(\'',
+ 'Single quotes are allowed if quoted by double quotes'
+ ],
+ [ [ 'foo' => '&"' ], 'foo=&"', 'Special chars can be provided as entities' ],
+ [ [ 'foo' => '&foobar;' ], 'foo=&foobar;', 'Entity-like items are accepted' ],
+ ];
+ }
+
+ /**
+ * @dataProvider provideDeprecatedAttributes
+ * @covers Sanitizer::fixTagAttributes
+ */
+ public function testDeprecatedAttributesUnaltered( $inputAttr, $inputEl, $message = '' ) {
+ $this->assertEquals( " $inputAttr",
+ Sanitizer::fixTagAttributes( $inputAttr, $inputEl ),
+ $message
+ );
+ }
+
+ public static function provideDeprecatedAttributes() {
+ /** [ <attribute>, <element>, [message] ] */
+ return [
+ [ 'clear="left"', 'br' ],
+ [ 'clear="all"', 'br' ],
+ [ 'width="100"', 'td' ],
+ [ 'nowrap="true"', 'td' ],
+ [ 'nowrap=""', 'td' ],
+ [ 'align="right"', 'td' ],
+ [ 'align="center"', 'table' ],
+ [ 'align="left"', 'tr' ],
+ [ 'align="center"', 'div' ],
+ [ 'align="left"', 'h1' ],
+ [ 'align="left"', 'p' ],
+ ];
+ }
+
+ /**
+ * @dataProvider provideCssCommentsFixtures
+ * @covers Sanitizer::checkCss
+ */
+ public function testCssCommentsChecking( $expected, $css, $message = '' ) {
+ $this->assertEquals( $expected,
+ Sanitizer::checkCss( $css ),
+ $message
+ );
+ }
+
+ public static function provideCssCommentsFixtures() {
+ /** [ <expected>, <css>, [message] ] */
+ return [
+ // Valid comments spanning entire input
+ [ '/**/', '/**/' ],
+ [ '/* comment */', '/* comment */' ],
+ // Weird stuff
+ [ ' ', '/****/' ],
+ [ ' ', '/* /* */' ],
+ [ 'display: block;', "display:/* foo */block;" ],
+ [ 'display: block;', "display:\\2f\\2a foo \\2a\\2f block;",
+ 'Backslash-escaped comments must be stripped (T30450)' ],
+ [ '', '/* unfinished comment structure',
+ 'Remove anything after a comment-start token' ],
+ [ '', "\\2f\\2a unifinished comment'",
+ 'Remove anything after a backslash-escaped comment-start token' ],
+ [
+ '/* insecure input */',
+ 'filter: progid:DXImageTransform.Microsoft.AlphaImageLoader'
+ . '(src=\'asdf.png\',sizingMethod=\'scale\');'
+ ],
+ [
+ '/* insecure input */',
+ '-ms-filter: "progid:DXImageTransform.Microsoft.AlphaImageLoader'
+ . '(src=\'asdf.png\',sizingMethod=\'scale\')";'
+ ],
+ [ '/* insecure input */', 'width: expression(1+1);' ],
+ [ '/* insecure input */', 'background-image: image(asdf.png);' ],
+ [ '/* insecure input */', 'background-image: -webkit-image(asdf.png);' ],
+ [ '/* insecure input */', 'background-image: -moz-image(asdf.png);' ],
+ [ '/* insecure input */', 'background-image: image-set("asdf.png" 1x, "asdf.png" 2x);' ],
+ [
+ '/* insecure input */',
+ 'background-image: -webkit-image-set("asdf.png" 1x, "asdf.png" 2x);'
+ ],
+ [
+ '/* insecure input */',
+ 'background-image: -moz-image-set("asdf.png" 1x, "asdf.png" 2x);'
+ ],
+ [ '/* insecure input */', 'foo: attr( title, url );' ],
+ [ '/* insecure input */', 'foo: attr( title url );' ],
+ ];
+ }
+
+ /**
+ * @dataProvider provideEscapeHtmlAllowEntities
+ * @covers Sanitizer::escapeHtmlAllowEntities
+ */
+ public function testEscapeHtmlAllowEntities( $expected, $html ) {
+ $this->assertEquals(
+ $expected,
+ Sanitizer::escapeHtmlAllowEntities( $html )
+ );
+ }
+
+ public static function provideEscapeHtmlAllowEntities() {
+ return [
+ [ 'foo', 'foo' ],
+ [ 'a¡b', 'a¡b' ],
+ [ 'foo'bar', "foo'bar" ],
+ [ '<script>foo</script>', '<script>foo</script>' ],
+ ];
+ }
+
+ /**
+ * Test Sanitizer::escapeId
+ *
+ * @dataProvider provideEscapeId
+ * @covers Sanitizer::escapeId
+ */
+ public function testEscapeId( $input, $output ) {
+ $this->assertEquals(
+ $output,
+ Sanitizer::escapeId( $input, [ 'noninitial', 'legacy' ] )
+ );
+ }
+
+ public static function provideEscapeId() {
+ return [
+ [ '+', '.2B' ],
+ [ '&', '.26' ],
+ [ '=', '.3D' ],
+ [ ':', ':' ],
+ [ ';', '.3B' ],
+ [ '@', '.40' ],
+ [ '$', '.24' ],
+ [ '-_.', '-_.' ],
+ [ '!', '.21' ],
+ [ '*', '.2A' ],
+ [ '/', '.2F' ],
+ [ '[]', '.5B.5D' ],
+ [ '<>', '.3C.3E' ],
+ [ '\'', '.27' ],
+ [ '§', '.C2.A7' ],
+ [ 'Test:A & B/Here', 'Test:A_.26_B.2FHere' ],
+ [ 'A&B&C&amp;D&amp;amp;E', 'A.26B.26amp.3BC.26amp.3Bamp.3BD.26amp.3Bamp.3Bamp.3BE' ],
+ ];
+ }
+
+ /**
+ * Test escapeIdReferenceList for consistency with escapeIdForAttribute
+ *
+ * @dataProvider provideEscapeIdReferenceList
+ * @covers Sanitizer::escapeIdReferenceList
+ */
+ public function testEscapeIdReferenceList( $referenceList, $id1, $id2 ) {
+ $this->assertEquals(
+ Sanitizer::escapeIdReferenceList( $referenceList ),
+ Sanitizer::escapeIdForAttribute( $id1 )
+ . ' '
+ . Sanitizer::escapeIdForAttribute( $id2 )
+ );
+ }
+
+ public static function provideEscapeIdReferenceList() {
+ /** [ <reference list>, <individual id 1>, <individual id 2> ] */
+ return [
+ [ 'foo bar', 'foo', 'bar' ],
+ [ '#1 #2', '#1', '#2' ],
+ [ '+1 +2', '+1', '+2' ],
+ ];
+ }
+
+ /**
+ * @dataProvider provideIsReservedDataAttribute
+ */
+ public function testIsReservedDataAttribute( $attr, $expected ) {
+ $this->assertSame( $expected, Sanitizer::isReservedDataAttribute( $attr ) );
+ }
+
+ public static function provideIsReservedDataAttribute() {
+ return [
+ [ 'foo', false ],
+ [ 'data', false ],
+ [ 'data-foo', false ],
+ [ 'data-mw', true ],
+ [ 'data-ooui', true ],
+ [ 'data-parsoid', true ],
+ [ 'data-mw-foo', true ],
+ [ 'data-ooui-foo', true ],
+ [ 'data-mwfoo', true ], // could be false but this is how it's implemented currently
+ ];
+ }
+
+ /**
+ * @dataProvider provideEscapeIdForStuff
+ *
+ * @covers Sanitizer::escapeIdForAttribute()
+ * @covers Sanitizer::escapeIdForLink()
+ * @covers Sanitizer::escapeIdForExternalInterwiki()
+ * @covers Sanitizer::escapeIdInternal()
+ *
+ * @param string $stuff
+ * @param string[] $config
+ * @param string $id
+ * @param string|false $expected
+ * @param int|null $mode
+ */
+ public function testEscapeIdForStuff( $stuff, array $config, $id, $expected, $mode = null ) {
+ $func = "Sanitizer::escapeIdFor{$stuff}";
+ $iwFlavor = array_pop( $config );
+ $this->setMwGlobals( [
+ 'wgFragmentMode' => $config,
+ 'wgExternalInterwikiFragmentMode' => $iwFlavor,
+ ] );
+ $escaped = call_user_func( $func, $id, $mode );
+ self::assertEquals( $expected, $escaped );
+ }
+
+ public function provideEscapeIdForStuff() {
+ // Test inputs and outputs
+ $text = 'foo тест_#%!\'()[]:<>&&&amp;';
+ $legacyEncoded = 'foo_.D1.82.D0.B5.D1.81.D1.82_.23.25.21.27.28.29.5B.5D:.3C.3E' .
+ '.26.26amp.3B.26amp.3Bamp.3B';
+ $html5Encoded = 'foo_тест_#%!\'()[]:<>&&&amp;';
+ $html5Experimental = 'foo_тест_!_()[]:<>_amp;_amp;amp;';
+
+ // Settings: last element is $wgExternalInterwikiFragmentMode, the rest is $wgFragmentMode
+ $legacy = [ 'legacy', 'legacy' ];
+ $legacyNew = [ 'legacy', 'html5', 'legacy' ];
+ $newLegacy = [ 'html5', 'legacy', 'legacy' ];
+ $new = [ 'html5', 'legacy' ];
+ $allNew = [ 'html5', 'html5' ];
+ $experimentalLegacy = [ 'html5-legacy', 'legacy', 'legacy' ];
+ $newExperimental = [ 'html5', 'html5-legacy', 'legacy' ];
+
+ return [
+ // Pure legacy: how MW worked before 2017
+ [ 'Attribute', $legacy, $text, $legacyEncoded, Sanitizer::ID_PRIMARY ],
+ [ 'Attribute', $legacy, $text, false, Sanitizer::ID_FALLBACK ],
+ [ 'Link', $legacy, $text, $legacyEncoded ],
+ [ 'ExternalInterwiki', $legacy, $text, $legacyEncoded ],
+
+ // Transition to a new world: legacy links with HTML5 fallback
+ [ 'Attribute', $legacyNew, $text, $legacyEncoded, Sanitizer::ID_PRIMARY ],
+ [ 'Attribute', $legacyNew, $text, $html5Encoded, Sanitizer::ID_FALLBACK ],
+ [ 'Link', $legacyNew, $text, $legacyEncoded ],
+ [ 'ExternalInterwiki', $legacyNew, $text, $legacyEncoded ],
+
+ // New world: HTML5 links, legacy fallbacks
+ [ 'Attribute', $newLegacy, $text, $html5Encoded, Sanitizer::ID_PRIMARY ],
+ [ 'Attribute', $newLegacy, $text, $legacyEncoded, Sanitizer::ID_FALLBACK ],
+ [ 'Link', $newLegacy, $text, $html5Encoded ],
+ [ 'ExternalInterwiki', $newLegacy, $text, $legacyEncoded ],
+
+ // Distant future: no legacy fallbacks, but still linking to leagacy wikis
+ [ 'Attribute', $new, $text, $html5Encoded, Sanitizer::ID_PRIMARY ],
+ [ 'Attribute', $new, $text, false, Sanitizer::ID_FALLBACK ],
+ [ 'Link', $new, $text, $html5Encoded ],
+ [ 'ExternalInterwiki', $new, $text, $legacyEncoded ],
+
+ // Just before the heat death of universe: external interwikis are also HTML5 \m/
+ [ 'Attribute', $allNew, $text, $html5Encoded, Sanitizer::ID_PRIMARY ],
+ [ 'Attribute', $allNew, $text, false, Sanitizer::ID_FALLBACK ],
+ [ 'Link', $allNew, $text, $html5Encoded ],
+ [ 'ExternalInterwiki', $allNew, $text, $html5Encoded ],
+
+ // Someone flipped $wgExperimentalHtmlIds on
+ [ 'Attribute', $experimentalLegacy, $text, $html5Experimental, Sanitizer::ID_PRIMARY ],
+ [ 'Attribute', $experimentalLegacy, $text, $legacyEncoded, Sanitizer::ID_FALLBACK ],
+ [ 'Link', $experimentalLegacy, $text, $html5Experimental ],
+ [ 'ExternalInterwiki', $experimentalLegacy, $text, $legacyEncoded ],
+
+ // Migration from $wgExperimentalHtmlIds to modern HTML5
+ [ 'Attribute', $newExperimental, $text, $html5Encoded, Sanitizer::ID_PRIMARY ],
+ [ 'Attribute', $newExperimental, $text, $html5Experimental, Sanitizer::ID_FALLBACK ],
+ [ 'Link', $newExperimental, $text, $html5Encoded ],
+ [ 'ExternalInterwiki', $newExperimental, $text, $legacyEncoded ],
+ ];
+ }
+
+ /**
+ * @dataProvider provideStripAllTags
+ *
+ * @covers Sanitizer::stripAllTags()
+ *
+ * @param string $input
+ * @param string $expected
+ */
+ public function testStripAllTags( $input, $expected ) {
+ $this->assertEquals( $expected, Sanitizer::stripAllTags( $input ) );
+ }
+
+ public function provideStripAllTags() {
+ return [
+ [ '<p>Foo</p>', 'Foo' ],
+ [ '<p id="one">Foo</p><p id="two">Bar</p>', 'FooBar' ],
+ [ "<p>Foo</p>\n<p>Bar</p>", 'Foo Bar' ],
+ [ '<p>Hello <strong> world café</p>', 'Hello <strong> world café' ],
+ // This one is broken, see T179978
+ //[
+ // '<p><small data-foo=\'bar"<baz>quux\'><a href="./Foo">Bar</a></small> Whee!</p>',
+ // 'Bar Whee!'
+ //],
+ [ '1<span class="<?php">2</span>3', '123' ],
+ [ '1<span class="<?">2</span>3', '123' ],
+ ];
+ }
+
+ /**
+ * @expectedException InvalidArgumentException
+ * @covers Sanitizer::escapeIdInternal()
+ */
+ public function testInvalidFragmentThrows() {
+ $this->setMwGlobals( 'wgFragmentMode', [ 'boom!' ] );
+ Sanitizer::escapeIdForAttribute( 'This should throw' );
+ }
+
+ /**
+ * @expectedException UnexpectedValueException
+ * @covers Sanitizer::escapeIdForAttribute()
+ */
+ public function testNoPrimaryFragmentModeThrows() {
+ $this->setMwGlobals( 'wgFragmentMode', [ 666 => 'html5' ] );
+ Sanitizer::escapeIdForAttribute( 'This should throw' );
+ }
+
+ /**
+ * @expectedException UnexpectedValueException
+ * @covers Sanitizer::escapeIdForLink()
+ */
+ public function testNoPrimaryFragmentModeThrows2() {
+ $this->setMwGlobals( 'wgFragmentMode', [ 666 => 'html5' ] );
+ Sanitizer::escapeIdForLink( 'This should throw' );
+ }
+}
$wgRequest->setVal( 'variant', null );
$this->assertEquals( 'tg', $this->lc->getPreferredVariant() );
}
+
+ /**
+ * Test exhausting pcre.backtrack_limit
+ */
+ public function testAutoConvertT124404() {
+ $testString = '';
+ for ( $i = 0; $i < 1000; $i++ ) {
+ $testString .= 'xxx xxx xxx';
+ }
+ $testString .= "\n<big id='в'></big>";
+ $old = ini_set( 'pcre.backtrack_limit', 200 );
+ $result = $this->lc->autoConvert( $testString, 'tg-latn' );
+ ini_set( 'pcre.backtrack_limit', $old );
+ // The в in the id attribute should not get converted to a v
+ $this->assertFalse(
+ strpos( $result, 'v' ),
+ "в converted to v despite being in attribue"
+ );
+ }
}
/**
{ name: 'filter5', cssClass: 'filter5class' },
{ name: 'filter6' } // Not supporting highlights
]
- }, {
- name: 'group4',
- title: 'Group 4',
- type: 'boolean',
- isSticky: true,
- filters: [
- { name: 'stickyFilter7', cssClass: 'filter7class' },
- { name: 'stickyFilter8', cssClass: 'filter8class' }
- ]
} ],
minimalDefaultParams = {
filter1: '1',
{ urlversion: '2', filter2: '1', group3: 'filter5', foo: 'bar' },
'Model state is reflected in the updated URI with existing uri params'
);
-
- // Update the model with sticky filter
- filtersModel.toggleFiltersSelected( {
- group4__stickyFilter7: true
- } );
-
- assert.deepEqual(
- ( uriProcessor.getUpdatedUri( {} ) ).query,
- { urlversion: '2', filter2: '1', group3: 'filter5' },
- 'Sticky parameters are not reflected in the URI query'
- );
} );
QUnit.test( 'updateModelBasedOnQuery', function ( assert ) {
dépôts / lhc / web / wiklou.git / commitdiff