*/
private function makeForm( $title, $input ) {
$self = $this->getPageTitle();
+ $request = $this->getRequest();
+ $user = $this->getUser();
+
$form = Xml::openElement(
'form',
array( 'method' => 'post', 'action' => $self->getLocalUrl() )
array( 'accesskey' => 's' )
) . '</p>';
$form .= "</fieldset>\n";
+ $form .= Html::hidden( 'wpEditToken', $user->getEditToken( '', $request ) );
$form .= Xml::closeElement( 'form' );
return $form;
private function showHtmlPreview( Title $title, ParserOutput $pout, OutputPage $out ) {
$lang = $title->getPageViewLanguage();
$out->addHTML( "<h2>" . $this->msg( 'expand_templates_preview' )->escaped() . "</h2>\n" );
+
+ if ( $this->getConfig()->get( 'RawHtml' ) ) {
+ $request = $this->getRequest();
+ $user = $this->getUser();
+
+ // To prevent cross-site scripting attacks, don't show the preview if raw HTML is
+ // allowed and a valid edit token is not provided (bug 71111). However, MediaWiki
+ // does not currently provide logged-out users with CSRF protection; in that case,
+ // do not show the preview unless anonymous editing is allowed.
+ if ( $user->isAnon() && !$user->isAllowed( 'edit' ) ) {
+ $error = array( 'expand_templates_preview_fail_html_anon' );
+ } elseif ( !$user->matchEditToken( $request->getVal( 'wpEditToken' ), '', $request ) ) {
+ $error = array( 'expand_templates_preview_fail_html' );
+ } else {
+ $error = false;
+ }
+
+ if ( $error ) {
+ $out->wrapWikiMsg( "<div class='previewnote'>\n$1\n</div>", $error );
+ return;
+ }
+ }
+
$out->addHTML( Html::openElement( 'div', array(
'class' => 'mw-content-' . $lang->getDir(),
'dir' => $lang->getDir(),
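Review bot: For a logged-out user on a wiki that permits anonymous editing, the `elseif` with `matchEditToken` is the only gate, and the comment above it states that logged-out users currently get no CSRF token, so when `RawHtml` is enabled the preview stays reachable from a cross-site request for those users; the comment should name this as an accepted residual gap rather than implying the check covers them, e.g. `// NOTE: anonymous users who may edit still reach the preview without effective CSRF protection.` If the execute path does not already enforce it, rejecting non-POST requests before the token comparison (`if ( !$request->wasPosted() ) { $error = array( 'expand_templates_preview_fail_html' ); }`) at least removes the plain-link variant, since the form built in makeForm posts. The `''` salt passed to `matchEditToken` here has to stay identical to the one passed to `getEditToken` in the makeForm hunk above, and a drift would surface only as the loss-of-session message, so a shared class constant for the salt would keep the two calls in step. The closing brace of showHtmlPreview lies outside the hunk.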
"expand_templates_generate_xml": "Show XML parse tree",
"expand_templates_generate_rawhtml": "Show raw HTML",
"expand_templates_preview": "Preview",
+ "expand_templates_preview_fail_html": "<em>Because {{SITENAME}} has raw HTML enabled and there was a loss of session data, the preview is hidden as a precaution against JavaScript attacks.</em>\n\n<strong>If this is a legitimate preview attempt, please try again.</strong>\nIf it still does not work, try [[Special:UserLogout|logging out]] and logging back in.",
+ "expand_templates_preview_fail_html_anon": "<em>Because {{SITENAME}} has raw HTML enabled and you are not logged in, the preview is hidden as a precaution against JavaScript attacks.</em>\n\n<strong>If this is a legitimate preview attempt, please [[Special:UserLogin|log in]] and try again.</strong>",
"pagelanguage": "Page language selector",
"pagelang-name": "Page",
"pagelang-language": "Language",
"expand_templates_generate_xml": "Used as checkbox label.",
"expand_templates_generate_rawhtml": "Used as checkbox label.",
"expand_templates_preview": "{{Identical|Preview}}",
+ "expand_templates_preview_fail_html": "Used as error message in Preview section of [[Special:ExpandTemplates]] page.",
+ "expand_templates_preview_fail_html_anon": "Used as error message in Preview section of [[Special:ExpandTemplates]] page.",
"pagelanguage": "Title for page Special:PageLanguage",
"pagelang-name": "Input label for page name on Special:PageLanguage\n{{Identical|Page}}",
"pagelang-language": "Language selector label for Special:PageLanguage\n{{Identical|Language}}",