From 2fcb5285c31edf8c5dd2f15fbe819d0dcd857893 Mon Sep 17 00:00:00 2001
From: Ilmari Karonen
Date: Tue, 18 Jan 2011 19:39:13 +0000
Subject: [PATCH] bug 26781: make wfEscapeWikiText() escape "*", "#", ";" and ":" at the beginning of the output and after line feeds. Also make escaping of "{", "}" and "=" more thorough and rewrite to use strtr() instead of str_replace() and htmlspecialchars().
---
 RELEASE-NOTES | 1 +
 includes/GlobalFunctions.php | 21 ++++++++++-----------
 tests/parser/parserTests.txt | 22 ++++++++++++++++++++++
 3 files changed, 33 insertions(+), 11 deletions(-)
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 423d0515a0..53c7df3b1b 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -98,6 +98,7 @@ it from source control: http://www.mediawiki.org/wiki/Download_from_SVN
 * (bug 26449) Keep underlines from headings outside of tables and thumbs by adding overflow:hidden to h1,h2,h3,h4,h5,h6 (also fixes editsection bunching).
 * (bug 26708) Remove background-color:white from tables in Monobook and Vector.
+* (bug 26781) {{PAGENAME}} and related parser functions escape their output better
 === API changes in 1.18 ===
 * (bug 26339) Throw warning when truncating an overlarge API result
diff --git a/includes/GlobalFunctions.php b/includes/GlobalFunctions.php
index d6d6a16765..8ad029ba6f 100644
--- a/includes/GlobalFunctions.php
+++ b/includes/GlobalFunctions.php
@@ -1149,21 +1149,20 @@ function wfCheckLimits( $deflimit = 50, $optionname = 'rclimit' ) {
 * Escapes the given text so that it may be output using addWikiText()
 * without any linking, formatting, etc. making its way through. This
 * is achieved by substituting certain characters with HTML entities.
- * As required by the callers, is not used. It currently does
- * not filter out characters which have special meaning only at the
- * start of a line, such as "*".
+ * As required by the callers, is not used.
 *
 * @param $text String: text to be escaped
 */
 function wfEscapeWikiText( $text ) {
- $text = str_replace(
- array( '[', '|', ']', '\'', 'ISBN ',
- 'RFC ', '://', "\n=", '{{', '}}' ),
- array( '[', '|', ']', ''', 'ISBN ',
- 'RFC ', '://', "\n=", '{{', '}}' ),
- htmlspecialchars( $text )
- );
- return $text;
+ $text = strtr( "\n$text", array(
+ '"' => '"', '&' => '&', "'" => ''', '<' => '<',
+ '=' => '=', '>' => '>', '[' => '[', ']' => ']',
+ '{' => '{', '|' => '|', '}' => '}',
+ "\n#" => "\n#", "\n*" => "\n*",
+ "\n:" => "\n:", "\n;" => "\n;",
+ '://' => '://', 'ISBN ' => 'ISBN ', 'RFC ' => 'RFC ',
+ ) );
+ return substr( $text, 1 );
 }
 /**
diff --git a/tests/parser/parserTests.txt b/tests/parser/parserTests.txt
index 5736d8cbe3..08d83af601 100644
--- a/tests/parser/parserTests.txt
+++ b/tests/parser/parserTests.txt
@@ -2226,6 +2226,28 @@ title=[[User:Ævar Arnfjörð Bjarmason]]
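Review bot: In wfEscapeWikiText() the line-start group of the new strtr() map covers `#`, `*`, `:` and `;` but not a leading space (preformatted block) or `----` (horizontal rule), which are likewise special only at the start of a line, so text that begins a line with either still reaches addWikiText() as markup; adding `"\n " => "\n&#32;", "\n----" => "\n&#45;---",` would close that. The magic-link entries handle only `ISBN ` and `RFC `, while `PMID ` is, as far as I know, auto-linked the same way, so `'PMID ' => 'PMID&#32;',` belongs next to them. For an empty `$text`, `substr( "\n", 1 )` returns `false` rather than `''` on PHP versions before 7.0; `return (string)substr( $text, 1 );` keeps the return a string. The replacement values in this hunk appear entity-decoded on this page (for example `'[' => '['`), so read them as the numeric entities the docblock describes rather than as identity mappings.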

!! end
+!! test
+Magic Word: {{PAGENAME}} with metacharacters
+!! options
+title=[['foo & bar = baz']]
+!! input
+''{{PAGENAME}}''
+!! result
+

'foo & bar = baz' +

+!! end
+
+!! test
+Magic Word: {{PAGENAME}} with metacharacters (bug 26781)
+!! options
+title=[[*RFC 1234 http://example.com/]]
+!! input
+{{PAGENAME}}
+!! result
+

*RFC 1234 http://example.com/ +

+!! end
+
 !! test
 Magic Word: {{PAGENAMEE}}
 !! options
-- 
2.20.1
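Review bot: Both added cases reach wfEscapeWikiText() only through {{PAGENAME}}, so the "after line feeds" half of the change is not exercised: a page title presumably cannot contain a line feed, and the second case checks `*` only at the very start of the output. A direct test of the function with multi-line input, for instance a constructed string such as `"a\n#b\n:c\n;d"`, would pin the `"\n#"`, `"\n:"` and `"\n;"` entries. The same goes for the characters that titles cannot carry, as far as I know, such as `[`, `{` and `|`, which these cases also leave uncovered.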