public static function removeHTMLtags( $text, $processCallback = null,
$args = array(), $extratags = array(), $removetags = array()
) {
- global $wgUseTidy;
-
extract( self::getRecognizedTagData( $extratags, $removetags ) );
# Remove HTML comments
$text = Sanitizer::removeHTMLcomments( $text );
$bits = explode( '<', $text );
$text = str_replace( '>', '>', array_shift( $bits ) );
- if ( !$wgUseTidy ) {
+ if ( !MWTidy::isEnabled() ) {
$tagstack = $tablestack = array();
foreach ( $bits as $x ) {
$regs = array();
}
$badtag = false;
- if ( isset( $htmlelements[$t = strtolower( $t )] ) ) {
+ $t = strtolower( $t );
+ if ( isset( $htmlelements[$t] ) ) {
# Check our stack
if ( $slash && isset( $htmlsingleonly[$t] ) ) {
$badtag = true;
$badtag = true;
} elseif ( in_array( $t, $tagstack ) && !isset( $htmlnest[$t] ) ) {
$badtag = true;
- # Is it a self closed htmlpair ? (bug 5487)
+ # Is it a self closed htmlpair ? (bug 5487)
} elseif ( $brace == '/>' && isset( $htmlpairs[$t] ) ) {
$badtag = true;
} elseif ( isset( $htmlsingleonly[$t] ) ) {
list( /* $qbar */, $slash, $t, $params, $brace, $rest ) = $regs;
$badtag = false;
- if ( isset( $htmlelements[$t = strtolower( $t )] ) ) {
+ $t = strtolower( $t );
+ if ( isset( $htmlelements[$t] ) ) {
if ( is_callable( $processCallback ) ) {
call_user_func_array( $processCallback, array( &$params, $args ) );
}
$out = array();
foreach ( $attribs as $attribute => $value ) {
- #allow XML namespace declaration if RDFa is enabled
+ # allow XML namespace declaration if RDFa is enabled
if ( $wgAllowRdfaAttributes && preg_match( self::XMLNS_ATTRIBUTE_PATTERN, $attribute ) ) {
if ( !preg_match( self::EVIL_URI_PATTERN, $value ) ) {
$out[$attribute] = $value;
}
# Allow any attribute beginning with "data-"
- if ( !preg_match( '/^data-(?!ooui)/i', $attribute ) && !isset( $whitelist[$attribute] ) ) {
+ # However:
+ # * data-ooui is reserved for ooui
+ # * data-mw and data-parsoid are reserved for parsoid
+ # * data-mw-<ext name here> is reserved for extensions (or core) if
+ # they need to communicate some data to the client and want to be
+ # sure that it isn't coming from an untrusted user.
+ if ( !preg_match( '/^data-(?!ooui|mw|parsoid)/i', $attribute )
+ && !isset( $whitelist[$attribute] )
+ ) {
continue;
}
|| $attribute === 'itemref' || $attribute === 'itemscope'
|| $attribute === 'itemtype'
) {
- //Paranoia. Allow "simple" values but suppress javascript
+ // Paranoia. Allow "simple" values but suppress javascript
if ( preg_match( self::EVIL_URI_PATTERN, $value ) ) {
continue;
}
# validation code that can be used by tag hook handlers, etc
if ( $attribute === 'href' || $attribute === 'src' ) {
if ( !preg_match( $hrefExp, $value ) ) {
- continue; //drop any href or src attributes not using an allowed protocol.
+ continue; // drop any href or src attributes not using an allowed protocol.
// NOTE: this also drops all relative URLs
}
}
# rbc
'rb' => $common,
'rp' => $common,
- 'rt' => $common, #array_merge( $common, array( 'rbspan' ) ),
+ 'rt' => $common, # array_merge( $common, array( 'rbspan' ) ),
'rtc' => $common,
# MathML root element, where used for extensions
$host = preg_replace( $strip, '', $host );
// IPv6 host names are bracketed with []. Url-decode these.
- if ( substr_compare( "//%5B", $host, 0, 5 ) === 0 && preg_match( '!^//%5B([0-9A-Fa-f:.]+)%5D((:\d+)?)$!', $host, $matches ) ) {
+ if ( substr_compare( "//%5B", $host, 0, 5 ) === 0 &&
+ preg_match( '!^//%5B([0-9A-Fa-f:.]+)%5D((:\d+)?)$!', $host, $matches )
+ ) {
$host = '//[' . $matches[1] . ']' . $matches[2];
}
dépôts / lhc / web / wiklou.git / blobdiff