* HTML sanitizer for %MediaWiki.
*
* Copyright © 2002-2005 Brion Vibber <brion@pobox.com> et al
- * http://www.mediawiki.org/
+ * https://www.mediawiki.org/
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
# Remove the comment, leading and trailing
# spaces, and leave only one newline.
$text = substr_replace( $text, "\n", $spaceStart, $spaceLen + 1 );
- }
- else {
+ } else {
# Remove just the comment.
$text = substr_replace( $text, '', $start, $end - $start );
}
// Normalize Halfwidth and Fullwidth Unicode block that IE6 might treat as ascii
$value = preg_replace_callback(
- '/[ï¼\81-ï½\9a]/u', // U+FF01 to U+FF5A
+ '/[ï¼\81-[]-ï½\9a]/u', // U+FF01 to U+FF5A, excluding U+FF3C (bug 58088)
function ( $matches ) {
$cp = utf8ToCodepoint( $matches[0] );
if ( $cp === false ) {
if ( preg_match( '/[\000-\010\013\016-\037\177]/', $value ) ) {
return '/* invalid control char */';
} elseif ( preg_match(
- '! expression | filter\s*: | accelerator\s*: | url\s*\( | image\s*\( | image-set\s*\( !ix',
- $value
- ) ) {
+ '! expression
+ | filter\s*:
+ | accelerator\s*:
+ | -o-link\s*:
+ | -o-link-source\s*:
+ | -o-replace\s*:
+ | url\s*\(
+ | image\s*\(
+ | image-set\s*\(
+ !ix', $value ) ) {
return '/* insecure input */';
}
return $value;
* HTML5 definition of id attribute
*
* @param string $id id to escape
- * @param $options Mixed: string or array of strings (default is array()):
+ * @param string|array $options String or array of strings (default is array()):
* 'noninitial': This is a non-initial fragment of an id, not a full id,
* so don't pay attention if the first character isn't valid at the
* beginning of an id. Only matters if $wgExperimentalHtmlIds is
* This allows (generally harmless) entities like   to survive.
*
* @param string $html HTML to escape
- * @return string: escaped input
+ * @return string Escaped input
*/
static function escapeHtmlAllowEntities( $html ) {
$html = Sanitizer::decodeCharReferences( $html );
array( 'Sanitizer', 'normalizeCharReferencesCallback' ),
$text );
}
+
/**
* @param string $matches
* @return string
$rfc5322_atext = "a-z0-9!#$%&'*+\\-\/=?^_`{|}~";
$rfc1034_ldh_str = "a-z0-9\\-";
- $HTML5_email_regexp = "/
+ $html5_email_regexp = "/
^ # start of string
[$rfc5322_atext\\.]+ # user part which is liberal :p
@ # 'apostrophe'
$ # End of string
/ix"; // case Insensitive, eXtended
- return (bool)preg_match( $HTML5_email_regexp, $addr );
+ return (bool)preg_match( $html5_email_regexp, $addr );
}
}