From 5bcd4708470455c89fd332a4ec212c340631258f Mon Sep 17 00:00:00 2001 From: Brion Vibber Date: Sun, 9 May 2004 12:04:59 +0000 Subject: [PATCH] Add $wgUserHtml option; set to false to disable use of user-supplied HTML in wiki markup. Note that ,
,  etc are
 counted as wiki markup. That 
 looks like HTML's 
 is a coincidence;
 they behave differently (
 also disables other wiki markup like 
 does).

Also, escape the <math> tag when $wgUseTeX is off.
---
 includes/DefaultSettings.php |  4 +++
 includes/Parser.php          | 52 ++++++++++++++++++++++--------------
 2 files changed, 36 insertions(+), 20 deletions(-)

diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index ba13146618..a9383a1955 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -368,6 +368,10 @@ $wgSpamRegex = false;
 # Go button goes straight to the edit screen if the article doesn't exist
 $wgGoToEdit = false;
 
+# Allow limited user-specified HTML?
+# It will be run through a whitelist for security.
+$wgUserHtml = true;
+
 # Optional: use tidy to make sure the output is sane, switch on by setting $wgUseTidy = true;
 $wgUseTidy = false;
 $wgTidyBin = 'tidy';
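Review bot: The comment above `$wgUserHtml = true;` only describes the enabled case; an administrator reading DefaultSettings.php cannot tell from it what setting the option to false actually does to page text. Since the Parser.php change in this same patch empties the tag whitelist when the flag is off, the comment should say so, e.g. `# Allow limited user-specified HTML? It will be run through a whitelist for security.` followed by `# Set to false to whitelist no HTML tags at all (wiki markup is unaffected).`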
diff --git a/includes/Parser.php b/includes/Parser.php
index 9efab38c05..b5924c7304 100644
--- a/includes/Parser.php
+++ b/includes/Parser.php
@@ -220,8 +220,12 @@ class Parser
 
 		$text = Parser::extractTags("math", $text, $math_content, $uniq_prefix);
 		foreach( $math_content as $marker => $content ){
-			if( $render && $this->mOptions->getUseTeX() ){
-				$math_content[$marker] = renderMath( $content );
+			if( $render ) {
+				if( $this->mOptions->getUseTeX() ) {
+					$math_content[$marker] = renderMath( $content );
+				} else {
+					$math_content[$marker] = "<math>$content<math>";
+				}
 			} else {
 				$math_content[$marker] = "$content";
 			}
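Review bot: The new non-TeX branch, `$math_content[$marker] = "<math>$content<math>";`, interpolates the raw `$content` without any escaping, and the closing tag as printed here has no slash. The commit message says the tag is meant to be escaped; if the angle brackets were entity-encoded in the committed source and lost in rendering, the tag markers themselves are harmless, but `$content` is still user text put back verbatim, and if the stripped markers are substituted back after `removeHTMLtags` has run (the enclosing strip routine starts and ends outside the hunk, so I am inferring the order) that text bypasses the tag whitelist regardless of `$wgUserHtml`. Suggest `$math_content[$marker] = '&lt;math&gt;' . htmlspecialchars( $content ) . '&lt;/math&gt;';` so the fallback shows the source literally, with a why-comment such as `# No TeX renderer: show the markup as escaped text rather than trusting its contents`.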
@@ -1540,26 +1544,34 @@ class Parser
 	# Cleans up HTML, removes dangerous tags and attributes
 	/* private */ function removeHTMLtags( $text )
 	{
-		global $wgUseTidy;
+		global $wgUseTidy, $wgUserHtml;
 		$fname = "Parser::removeHTMLtags";
 		wfProfileIn( $fname );
-		$htmlpairs = array( # Tags that must be closed
-			"b", "del", "i", "ins", "u", "font", "big", "small", "sub", "sup", "h1",
-			"h2", "h3", "h4", "h5", "h6", "cite", "code", "em", "s",
-			"strike", "strong", "tt", "var", "div", "center",
-			"blockquote", "ol", "ul", "dl", "table", "caption", "pre",
-			"ruby", "rt" , "rb" , "rp", "p"
-		);
-		$htmlsingle = array(
-			"br", "hr", "li", "dt", "dd"
-		);
-		$htmlnest = array( # Tags that can be nested--??
-			"table", "tr", "td", "th", "div", "blockquote", "ol", "ul",
-			"dl", "font", "big", "small", "sub", "sup"
-		);
-		$tabletags = array( # Can only appear inside table
-			"td", "th", "tr"
-		);
+		
+		if( $wgUserHtml ) {
+			$htmlpairs = array( # Tags that must be closed
+				"b", "del", "i", "ins", "u", "font", "big", "small", "sub", "sup", "h1",
+				"h2", "h3", "h4", "h5", "h6", "cite", "code", "em", "s",
+				"strike", "strong", "tt", "var", "div", "center",
+				"blockquote", "ol", "ul", "dl", "table", "caption", "pre",
+				"ruby", "rt" , "rb" , "rp", "p"
+			);
+			$htmlsingle = array(
+				"br", "hr", "li", "dt", "dd"
+			);
+			$htmlnest = array( # Tags that can be nested--??
+				"table", "tr", "td", "th", "div", "blockquote", "ol", "ul",
+				"dl", "font", "big", "small", "sub", "sup"
+			);
+			$tabletags = array( # Can only appear inside table
+				"td", "th", "tr"
+			);
+		} else {
+			$htmlpairs = array();
+			$htmlsingle = array();
+			$htmlnest = array();
+			$tabletags = array();
+		}
 
 		$htmlsingle = array_merge( $tabletags, $htmlsingle );
 		$htmlelements = array_merge( $htmlsingle, $htmlpairs );
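Review bot: The header comment `# Cleans up HTML, removes dangerous tags and attributes` above `removeHTMLtags` no longer describes the function's two modes; the new `if( $wgUserHtml )` block leaves all four whitelist arrays empty when the flag is off, and a reader has to work that out from the else branch. Suggest extending the comment to `# Cleans up HTML, removes dangerous tags and attributes. When $wgUserHtml is false the whitelist is empty, so no user-supplied tag is accepted by the checks further down` (the remainder of the function runs past the hunk). The added blank line after `wfProfileIn( $fname );` carries trailing tabs, which is worth trimming. As a point of consistency, the first hunk reads its switch through `$this->mOptions->getUseTeX()` while this one reaches for the `$wgUserHtml` global directly; if parser options are the intended home for per-parse configuration, a `getUserHtml()` accessor would keep the two in step.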
-- 
2.20.1