// Silly XML.
return substr( $start, 0, -1 ) . '/>';
} else {
- return "$start$contents" . self::closeElement( $element );
+ return $start . $contents . self::closeElement( $element );
}
}
// consistency and better compression.
$element = strtolower( $element );
+ // Some people were abusing this by passing things like
+ // 'h1 id="foo" to $element, which we don't want.
+ if ( strpos( $element, ' ' ) !== false ) {
+ wfWarn( __METHOD__ . " given element name with space '$element'" );
+ }
+
// Remove invalid input types
if ( $element == 'input' ) {
$validTypes = [
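Review bot: The added `strpos( $element, ' ' )` check only calls `wfWarn()` and then falls through, so a name such as the one in the comment is still lowercased and, presumably, still written into the tag. It also tests for a literal space only, while a tab, newline, `/` or `>` ends a tag name just as well. If the aim is to stop attribute text from being passed in through `$element`, widen the test to something like `if ( preg_match( '/[\s\/>]/', $element ) ) {`. The comment should also say that the call is still honoured for now, and its example is missing the closing quote (`'h1 id="foo"'`). The enclosing function starts before this hunk and continues after it.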
$attrs = [];
if ( $nonce !== null ) {
$attrs['nonce'] = $nonce;
- } else {
- if ( ContentSecurityPolicy::isNonceRequired( RequestContext::getMain()->getConfig() ) ) {
- wfWarn( "no nonce set on script. CSP will break it" );
- }
+ } elseif ( ContentSecurityPolicy::isNonceRequired( RequestContext::getMain()->getConfig() ) ) {
+ wfWarn( "no nonce set on script. CSP will break it" );
}
if ( preg_match( '/<\/?script/i', $contents ) ) {
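Review bot: The nonce block rewritten here is repeated verbatim in the `[ 'src' => $url ]` hunk that follows, so the two CSP paths can drift apart the next time one of them is edited. A small private helper would keep the rule in one place, with both call sites reduced to `$attrs = self::addScriptNonce( $attrs, $nonce );` (the helper name is only a suggestion). `wfWarn()` locates the caller by stack offset, so the helper should pass an offset one frame higher to keep the warning pointing at the code that omitted the nonce. The enclosing function continues past the end of this hunk.

```php
// … unchanged: $attrs = []; in this hunk, $attrs = [ 'src' => $url ]; in the next …
$attrs = self::addScriptNonce( $attrs, $nonce );

/**
 * Add the CSP nonce to a script element's attributes, or warn when the
 * configuration requires a nonce and none was supplied.
 */
private static function addScriptNonce( array $attrs, $nonce ) {
	if ( $nonce !== null ) {
		$attrs['nonce'] = $nonce;
	} elseif ( ContentSecurityPolicy::isNonceRequired( RequestContext::getMain()->getConfig() ) ) {
		// Offset 2: skip this helper's frame when reporting the caller.
		wfWarn( "no nonce set on script. CSP will break it", 2 );
	}
	return $attrs;
}
```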
$attrs = [ 'src' => $url ];
if ( $nonce !== null ) {
$attrs['nonce'] = $nonce;
- } else {
- if ( ContentSecurityPolicy::isNonceRequired( RequestContext::getMain()->getConfig() ) ) {
- wfWarn( "no nonce set on script. CSP will break it" );
- }
+ } elseif ( ContentSecurityPolicy::isNonceRequired( RequestContext::getMain()->getConfig() ) ) {
+ wfWarn( "no nonce set on script. CSP will break it" );
}
return self::element( 'script', $attrs );
if ( $isXHTML ) { // XHTML5
// XML MIME-typed markup should have an xml header.
// However a DOCTYPE is not needed.
- $ret .= "<?xml version=\"1.0\" encoding=\"UTF-8\" ?" . ">\n";
+ $ret .= "<?xml version=\"1.0\" encoding=\"UTF-8\" ?>\n";
// Add the standard xmlns
$attribs['xmlns'] = 'http://www.w3.org/1999/xhtml';
$attribs["xmlns:$tag"] = $ns;
}
} else { // HTML5
- // DOCTYPE
$ret .= "<!DOCTYPE html>\n";
}