if ( '' == $manual_thumb ) $url = $img->createThumb( $width );
}
- $alt = preg_replace( '/<[^>]*>/', '', $alt );
- $alt = preg_replace('/&(?!:amp;|#[Xx][0-9A-fa-f]+;|#[0-9]+;|[a-zA-Z0-9]+;)/', '&', $alt);
- $alt = str_replace( array('<', '>', '"'), array('<', '>', '"'), $alt );
+ # FIXME: This is a gross hack using a global.
+ # Replace link color holders in the caption text so the
+ # text portion can be placed int the alt/title attributes.
+ global $wgParser;
+ $wgParser->replaceLinkHolders( $alt );
+
+ $alt = Sanitizer::stripAllTags( $alt );
$u = $nt->escapeLocalURL();
if ( $url == '' ) {
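Review bot: The order of the two added calls is security-relevant, and the comment above `$wgParser->replaceLinkHolders( $alt )` does not say so. The expansion has to run before `Sanitizer::stripAllTags( $alt )` so that whatever markup it produces (presumably link HTML; the method body is not visible here) is stripped before `$alt` reaches the alt/title attributes. I would extend the comment with `# Must stay before stripAllTags(): the expanded links are HTML and have to be stripped before $alt is used in an attribute.` and fix the typo "int the" to "in the". The code also dereferences the global `$wgParser` without checking that it is set, which may matter if this path can be reached outside a parse. The enclosing function starts and ends outside the hunk.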
);
return $whitelist;
}
+
+ /**
+ * Take a fragment of (potentially invalid) HTML and return
+ * a version with any tags removed, encoded suitably for literal
+ * inclusion in an attribute value.
+ *
+ * @param string $text HTML fragment
+ * @return string
+ */
+ function stripAllTags( $text ) {
+ # Actual <tags>
+ $text = preg_replace( '/<[^>]*>/', '', $text );
+
+ # Normalize &entities and whitespace
+ $text = Sanitizer::normalizeAttributeValue( $text );
+
+ # Will be placed into "double-quoted" attributes,
+ # make sure remaining bits are safe.
+ $text = str_replace(
+ array('<', '>', '"'),
+ array('<', '>', '"'),
+ $text );
+
+ return $text;
+ }
}
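Review bot: As shown on this page, the `str_replace` call in `stripAllTags()` has identical search and replacement arrays (`array('<', '>', '"')` twice), so it is a no-op and the "make sure remaining bits are safe" step escapes nothing. The page extraction most likely decoded the entities, so confirm the committed source reads `array('&lt;', '&gt;', '&quot;')` as the replacement. This step is what protects the attribute, because `/<[^>]*>/` only removes complete tags and leaves an unterminated `<` or a stray `"` in place. The docblock should also narrow its promise to double-quoted attributes, since `'` is not escaped in this function, e.g. `* The result is only safe inside a double-quoted attribute value.`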