From: jenkins-bot Date: Tue, 28 Nov 2017 13:38:15 +0000 (+0000) Subject: Merge "ESLint ecmaVersion setting is not needed if env is es6" X-Git-Tag: 1.31.0-rc.0~1386 X-Git-Url: https://git.cyclocoop.org/%7B%7B%20url_for%28?a=commitdiff_plain;h=d0a8e6b9b30272ec216a8a2ceda3b7fc60db1e7a;hp=85f88747f25fd9ac8fc347912a785453a175e58e;p=lhc%2Fweb%2Fwiklou.git Merge "ESLint ecmaVersion setting is not needed if env is es6" --- diff --git a/HISTORY b/HISTORY index 0a2869d0d1..1f30b7068e 100644 --- a/HISTORY +++ b/HISTORY @@ -2,6 +2,45 @@ Change notes from older releases. For current info see RELEASE-NOTES-1.30. = MediaWiki 1.29 = +== MediaWiki 1.29.2 == + +This is a security and maintenance release of the MediaWiki 1.29 branch. + +=== Changes since 1.29.1 === +* (T166757) Avoid scoped lock errors in Category::refreshCounts() due to nesting. +* (T175439) Unbreak Postgres Updater when setting defaults for a column. +* (T160298) Remove use of implicitGroupBy() in ActiveUsersPager. +* Fixed login button label to accept RawMessage. +* Fixed case of SpecialRecentChanges class usage. +* (T174255) Declare uploadCount property in importDump.php. +* (T163646) Pass a string not an int to mysql_real_escape_string(). +* (T180143) Bump justinrainbow/json-schema development dependency to ~5.2. +* Updated dev dependancy phpunit/phpunit from v4.8.35 to v4.8.36. +* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser + sends non-standard url escaping. +* (T165846) SECURITY: BotPassword login attempts weren't throttled. +* (T128209) SECURITY: Reflected File Download from api.php. +* (T134100) SECURITY: Do not reveal if user exists during login failure. +* (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS. +* (T125163) SECURITY: Make anchor for headlines escape > and <. +* (T180237) SECURITY: Protect vendor folder with .htaccess. +* (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in update.php. +* (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit. +* (T119158) SECURITY: Handle -{}- syntax in attributes safely. +* (T180488) (T125177) "api.log contains passwords in plaintext" wasn't correctly fixed in all + branches in the previous security release. + +== MediaWiki 1.29.1 == + +This is a maintenance release of the MediaWiki 1.29 branch. + +The SpamBlacklist and PdfHandler extensions were missing from the generated +packages. + +=== Changes since 1.29.1 === +* (T164999) Define mw.Upload.Dialog.static.name in mediawiki.Upload.Dialog.js. +* (T172061) Fix fatal when passing a category to refreshLinks.php. + == MediaWiki 1.29.0 == === Configuration changes in 1.29 === @@ -336,6 +375,45 @@ changes to languages because of Phabricator reports. = MediaWiki 1.28 = +== MediaWiki 1.28.3 == + +This is a security and maintenance release of the MediaWiki 1.28 branch. + +=== Changes since 1.28.2 == +* (T168856) Allow SVGs created by Dia to be uploaded. +* (T157545) Add missing doUpdates() call to refreshLinks.php. +* (T165714) (T100085) Better handling of jobs execution in post-connection shutdown. +* (T154425) (T154438) (T157679) Use AutoCommitUpdate instead of Database->onTransactionIdle. +* (T154425) Make DeferredUpdates detect LBFactory transaction rounds. +* (T149454) Restore erroneously removed realTableName call from DatabasePostgres. +* (T167798) Fix phrase search and highlighting for phrase queries. +* (T151136) Provide credits information to callbacks in extension registration. +* (T160462) Allow namespaces defined in extension.json to be overwritten locally. +* (T168337) Fix ErrorPageError to work from non-UI contexts. +* (T143788) Backports for PHP 7.0 and 7.1 support. +* (T175439) Unbreak Postgres Updater when setting defaults for a column. +* (T160298) Remove use of implicitGroupBy() in ActiveUsersPager. +* (T174255) Declare uploadCount property in importDump.php. +* (T180231) SECURITY: Updated dev dependancy phpunit/phpunit from v4.8.24 to v4.8.36. +* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser + sends non-standard url escaping. +* (T165846) SECURITY: BotPassword login attempts weren't throttled. +* (T128209) SECURITY: Reflected File Download from api.php. +* (T134100) SECURITY: Do not reveal if user exists during login failure. +* (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS. +* (T125163) SECURITY: Make anchor for headlines escape > and <. +* (T180237) SECURITY: Protect vendor folder with .htaccess. +* (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in update.php. +* (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit. +* (T119158) SECURITY: Handle -{}- syntax in attributes safely. + +== MediaWiki 1.28.2 == + +Due to a packaging error, the wrong version of the SyntaxHighlight extension was +included in the tarball version of MediaWiki 1.28.1. The version included had a +serious security issue in it (T158689). There was also some minor code fixes in +MediaWiki itself since 1.28.1, but none of them were security relevant. + == MediaWiki 1.28.1 == This is a security and maintenance release of the MediaWiki 1.28 branch. @@ -699,6 +777,38 @@ There's usually someone online in #mediawiki on irc.freenode.net. = MediaWiki 1.27 = +== MediaWiki 1.27.4 == +This is a security and maintenance release of the MediaWiki 1.27 branch. + +=== Changes since 1.27.3 === +* (T100085) Better handling of jobs execution in post-connection shutdown. +* (T141604) Support conditionally registered namespaces. +* (T167798) Fix highlighting for phrase queries and phrase search. +* (T151136) Provide credits information to callbacks. +* (T160462) Allow namespaces defined in extension.json to be overwritten locally. +* (T168856) Allow SVGs created by Dia to be uploaded. +* (T144705) (T148662) Password reset link is no longer shown when no reset options are + available. +* (T143788) (T174262) Various backports for PHP 7.0 and 7.1 support. +* (T66795) $wgUserEmailUseReplyTo is now true by default to work around restrictive DMARC + policies. +* DB_REPLICA constant added from REL1_28+ to ease backports to extensions and core. +* (T175439) Unbreak Postgres Updater when setting defaults for a column. +* (T160298) Remove use of implicitGroupBy() in ActiveUsersPager. +* (T142304) Allow putting the app ID in the password for bot passwords. +* Updated dev dependancy phpunit/phpunit from v4.8.24 to v4.8.36. +* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser + sends non-standard url escaping. +* (T165846) SECURITY: BotPassword login attempts weren't throttled. +* (T128209) SECURITY: Reflected File Download from api.php. +* (T134100) SECURITY: Do not reveal if user exists during login failure. +* (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS. +* (T125163) SECURITY: Make anchor for headlines escape > and <. +* (T180237) SECURITY: Protect vendor folder with .htaccess. +* (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in update.php. +* (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit. +* (T119158) SECURITY: Handle -{}- syntax in attributes safely. + == MediaWiki 1.27.3 == Due to a packaging error, the wrong version of the SyntaxHighlight extension was included in the tarball version of MediaWiki 1.27.2. The version included had a diff --git a/RELEASE-NOTES-1.31 b/RELEASE-NOTES-1.31 index 18dfc42aff..3de0e17586 100644 --- a/RELEASE-NOTES-1.31 +++ b/RELEASE-NOTES-1.31 @@ -15,14 +15,13 @@ production. possible for fallback images such as png. * (T44246) $wgFilterLogTypes will no longer ignore 'patrol' when user does not have the right to mark things patrolled. -* … === New features in 1.31 === * Wikimedia\Rdbms\IDatabase->select() and similar methods now support joins with parentheses for grouping. * As a first pass in standardizing dialog boxes across the MediaWiki product, -Html class now provides helper methods for messageBox, successBox, errorBox and -warningBox generation. + Html class now provides helper methods for messageBox, successBox, errorBox and + warningBox generation. === External library changes in 1.31 === @@ -41,11 +40,9 @@ warningBox generation. 'mediawiki.viewport' module instead. * The deprecated 'mediawiki.widgets.CategorySelector' module alias was removed. Use the 'mediawiki.widgets.CategoryMultiselectWidget' module directly instead. -* … === Bug fixes in 1.31 === * (T90902) Non-breaking space in header ID breaks anchor -* … === Action API changes in 1.31 === * … @@ -96,9 +93,18 @@ changes to languages because of Phabricator reports. * Revision::selectArchiveFields() → Revision::getArchiveQueryInfo() * User::selectFields() → User::getQueryInfo() * WikiPage::selectFields() → WikiPage::getQueryInfo() - * Due to significant refactoring, method ContribsPager::getUserCond() that had - no access restriction has been removed. - * Revision::setUserIdAndName() was deprecated. +* Due to significant refactoring, method ContribsPager::getUserCond() that had + no access restriction has been removed. +* Revision::setUserIdAndName() was deprecated. +* Access to TitleValue class properties was deprecated, the relevant getters + should be used instead. +* DifferenceEngine::getDiffBodyCacheKey() is deprecated. Subclasses should + override DifferenceEngine::getDiffBodyCacheKeyParams() instead. +* The deprecated MW_DIFF_VERSION constant was removed. + DifferenceEngine::MW_DIFF_VERSION should be used instead. +* Use of Maintenance::error( $err, $die ) to exit script was deprecated. Use + Maintenance::fatalError() instead. +* Passing a ParserOptions object to OutputPage::parserOptions() is deprecated. == Compatibility == MediaWiki 1.31 requires PHP 5.5.9 or later. There is experimental support for diff --git a/autoload.php b/autoload.php index a826f7a3d6..2231a3feab 100644 --- a/autoload.php +++ b/autoload.php @@ -312,6 +312,7 @@ $wgAutoloadLocalClasses = [ 'CreateAndPromote' => __DIR__ . '/maintenance/createAndPromote.php', 'CreateFileOp' => __DIR__ . '/includes/libs/filebackend/fileop/CreateFileOp.php', 'CreditsAction' => __DIR__ . '/includes/actions/CreditsAction.php', + 'CrhConverter' => __DIR__ . '/languages/classes/LanguageCrh.php', 'CryptHKDF' => __DIR__ . '/includes/libs/CryptHKDF.php', 'CryptRand' => __DIR__ . '/includes/libs/CryptRand.php', 'CssContent' => __DIR__ . '/includes/content/CssContent.php', @@ -706,6 +707,7 @@ $wgAutoloadLocalClasses = [ 'LanguageBs' => __DIR__ . '/languages/classes/LanguageBs.php', 'LanguageCode' => __DIR__ . '/languages/LanguageCode.php', 'LanguageConverter' => __DIR__ . '/languages/LanguageConverter.php', + 'LanguageCrh' => __DIR__ . '/languages/classes/LanguageCrh.php', 'LanguageCu' => __DIR__ . '/languages/classes/LanguageCu.php', 'LanguageDsb' => __DIR__ . '/languages/classes/LanguageDsb.php', 'LanguageEn' => __DIR__ . '/languages/classes/LanguageEn.php', @@ -885,6 +887,7 @@ $wgAutoloadLocalClasses = [ 'MediaWiki\\Interwiki\\ClassicInterwikiLookup' => __DIR__ . '/includes/interwiki/ClassicInterwikiLookup.php', 'MediaWiki\\Interwiki\\InterwikiLookup' => __DIR__ . '/includes/interwiki/InterwikiLookup.php', 'MediaWiki\\Interwiki\\InterwikiLookupAdapter' => __DIR__ . '/includes/interwiki/InterwikiLookupAdapter.php', + 'MediaWiki\\Languages\\Data\\CrhExceptions' => __DIR__ . '/languages/data/CrhExceptions.php', 'MediaWiki\\Languages\\Data\\Names' => __DIR__ . '/languages/data/Names.php', 'MediaWiki\\Languages\\Data\\ZhConversion' => __DIR__ . '/languages/data/ZhConversion.php', 'MediaWiki\\Linker\\LinkRenderer' => __DIR__ . '/includes/linker/LinkRenderer.php', @@ -936,6 +939,7 @@ $wgAutoloadLocalClasses = [ 'MediaWiki\\ShellDisabledError' => __DIR__ . '/includes/exception/ShellDisabledError.php', 'MediaWiki\\Shell\\Command' => __DIR__ . '/includes/shell/Command.php', 'MediaWiki\\Shell\\CommandFactory' => __DIR__ . '/includes/shell/CommandFactory.php', + 'MediaWiki\\Shell\\FirejailCommand' => __DIR__ . '/includes/shell/FirejailCommand.php', 'MediaWiki\\Shell\\Result' => __DIR__ . '/includes/shell/Result.php', 'MediaWiki\\Shell\\Shell' => __DIR__ . '/includes/shell/Shell.php', 'MediaWiki\\Site\\MediaWikiPageNameNormalizer' => __DIR__ . '/includes/site/MediaWikiPageNameNormalizer.php', @@ -957,6 +961,7 @@ $wgAutoloadLocalClasses = [ 'MediaWiki\\Tidy\\RemexDriver' => __DIR__ . '/includes/tidy/RemexDriver.php', 'MediaWiki\\Tidy\\RemexMungerData' => __DIR__ . '/includes/tidy/RemexMungerData.php', 'MediaWiki\\Tidy\\TidyDriverBase' => __DIR__ . '/includes/tidy/TidyDriverBase.php', + 'MediaWiki\\User\\UserIdentity' => __DIR__ . '/includes/user/UserIdentity.php', 'MediaWiki\\Widget\\ComplexNamespaceInputWidget' => __DIR__ . '/includes/widget/ComplexNamespaceInputWidget.php', 'MediaWiki\\Widget\\ComplexTitleInputWidget' => __DIR__ . '/includes/widget/ComplexTitleInputWidget.php', 'MediaWiki\\Widget\\DateInputWidget' => __DIR__ . '/includes/widget/DateInputWidget.php', @@ -1219,6 +1224,7 @@ $wgAutoloadLocalClasses = [ 'RefreshLinks' => __DIR__ . '/maintenance/refreshLinks.php', 'RefreshLinksJob' => __DIR__ . '/includes/jobqueue/jobs/RefreshLinksJob.php', 'RegexlikeReplacer' => __DIR__ . '/includes/libs/replacers/RegexlikeReplacer.php', + 'RemexStripTagHandler' => __DIR__ . '/includes/parser/RemexStripTagHandler.php', 'RemoveInvalidEmails' => __DIR__ . '/maintenance/removeInvalidEmails.php', 'RemoveUnusedAccounts' => __DIR__ . '/maintenance/removeUnusedAccounts.php', 'RenameDbPrefix' => __DIR__ . '/maintenance/renameDbPrefix.php', @@ -1297,7 +1303,7 @@ $wgAutoloadLocalClasses = [ 'SVGMetadataExtractor' => __DIR__ . '/includes/media/SVGMetadataExtractor.php', 'SVGReader' => __DIR__ . '/includes/media/SVGMetadataExtractor.php', 'SamplingStatsdClient' => __DIR__ . '/includes/libs/stats/SamplingStatsdClient.php', - 'Sanitizer' => __DIR__ . '/includes/Sanitizer.php', + 'Sanitizer' => __DIR__ . '/includes/parser/Sanitizer.php', 'ScopedCallback' => __DIR__ . '/includes/compat/ScopedCallback.php', 'ScopedLock' => __DIR__ . '/includes/libs/lockmanager/ScopedLock.php', 'SearchApi' => __DIR__ . '/includes/api/SearchApi.php', diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php index 3cd7ef181a..25be60c975 100644 --- a/includes/DefaultSettings.php +++ b/includes/DefaultSettings.php @@ -2554,6 +2554,8 @@ $wgGitInfoCacheDirectory = false; * It should be appended in the query string of static CSS and JS includes, * to ensure that client-side caches do not keep obsolete copies of global * styles. + * + * @deprecated since 1.31 */ $wgStyleVersion = '303'; @@ -4881,7 +4883,6 @@ $wgDefaultUserOptions = [ 'hidepatrolled' => 0, 'hidecategorization' => 1, 'imagesize' => 2, - 'math' => 1, 'minordefault' => 0, 'newpageshidepatrolled' => 0, 'nickname' => '', @@ -8270,6 +8271,22 @@ $wgPhpCli = '/usr/bin/php'; */ $wgShellLocale = 'C.UTF-8'; +/** + * Method to use to restrict shell commands + * + * Supported options: + * - 'autodetect': Autodetect if any restriction methods are available + * - 'firejail': Use firejail + * - false: Don't use any restrictions + * + * @note If using firejail with MediaWiki running in a home directory different + * from the webserver user, firejail 0.9.44+ is required. + * + * @since 1.31 + * @var string|bool + */ +$wgShellRestrictionMethod = false; + /** @} */ # End shell } /************************************************************************//** diff --git a/includes/Feed.php b/includes/Feed.php index fd223e63dd..35f2ce9438 100644 --- a/includes/Feed.php +++ b/includes/Feed.php @@ -232,7 +232,8 @@ abstract class ChannelFeed extends FeedItem { header( "Content-type: $mimetype; charset=UTF-8" ); // Set a sane filename - $exts = MimeMagic::singleton()->getExtensionsForType( $mimetype ); + $exts = MediaWiki\MediaWikiServices::getInstance()->getMimeAnalyzer() + ->getExtensionsForType( $mimetype ); $ext = $exts ? strtok( $exts, ' ' ) : 'xml'; header( "Content-Disposition: inline; filename=\"feed.{$ext}\"" ); diff --git a/includes/GitInfo.php b/includes/GitInfo.php index 8095fd7308..f170a025f7 100644 --- a/includes/GitInfo.php +++ b/includes/GitInfo.php @@ -232,6 +232,8 @@ class GitInfo { ]; $result = Shell::command( $cmd ) ->environment( [ 'GIT_DIR' => $this->basedir ] ) + ->restrict( Shell::RESTRICT_DEFAULT | Shell::NO_NETWORK ) + ->whitelistPaths( [ $this->basedir ] ) ->execute(); if ( $result->getExitCode() === 0 ) { diff --git a/includes/GlobalFunctions.php b/includes/GlobalFunctions.php index 404d115280..bb1951d528 100644 --- a/includes/GlobalFunctions.php +++ b/includes/GlobalFunctions.php @@ -2225,7 +2225,23 @@ function wfPercent( $nr, $acc = 2, $round = true ) { * @return bool */ function wfIniGetBool( $setting ) { - $val = strtolower( ini_get( $setting ) ); + return wfStringToBool( ini_get( $setting ) ); +} + +/** + * Convert string value to boolean, when the following are interpreted as true: + * - on + * - true + * - yes + * - Any number, except 0 + * All other strings are interpreted as false. + * + * @param string $val + * @return bool + * @since 1.31 + */ +function wfStringToBool( $val ) { + $val = strtolower( $val ); // 'on' and 'true' can't have whitespace around them, but '1' can. return $val == 'on' || $val == 'true' diff --git a/includes/Html.php b/includes/Html.php index 524fdcd7d9..dfd80a8c43 100644 --- a/includes/Html.php +++ b/includes/Html.php @@ -683,7 +683,7 @@ class Html { * @param string $heading (optional) * @return string of HTML representing a box. */ - public static function messageBox( $html, $className, $heading = '' ) { + private static function messageBox( $html, $className, $heading = '' ) { if ( $heading ) { $html = self::element( 'h2', [], $heading ) . $html; } diff --git a/includes/OutputPage.php b/includes/OutputPage.php index 4635f991c2..a5f9c18151 100644 --- a/includes/OutputPage.php +++ b/includes/OutputPage.php @@ -1573,10 +1573,14 @@ class OutputPage extends ContextSource { * Get/set the ParserOptions object to use for wikitext parsing * * @param ParserOptions|null $options Either the ParserOption to use or null to only get the - * current ParserOption object + * current ParserOption object. This parameter is deprecated since 1.31. * @return ParserOptions */ public function parserOptions( $options = null ) { + if ( $options !== null ) { + wfDeprecated( __METHOD__ . ' with non-null $options', '1.31' ); + } + if ( $options !== null && !empty( $options->isBogus ) ) { // Someone is trying to set a bogus pre-$wgUser PO. Check if it has // been changed somehow, and keep it if so. diff --git a/includes/Preferences.php b/includes/Preferences.php index 738f8eecff..924e3adcf8 100644 --- a/includes/Preferences.php +++ b/includes/Preferences.php @@ -47,9 +47,6 @@ use MediaWiki\MediaWikiServices; * over to the tryUISubmit static method of this class. */ class Preferences { - /** @var array */ - protected static $defaultPreferences = null; - /** @var array */ protected static $saveFilters = [ 'timecorrection' => [ 'Preferences', 'filterTimezoneInput' ], @@ -78,10 +75,6 @@ class Preferences { * @return array|null */ static function getPreferences( $user, IContextSource $context ) { - if ( self::$defaultPreferences ) { - return self::$defaultPreferences; - } - OutputPage::setupOOUI( strtolower( $context->getSkin()->getSkinName() ), $context->getLanguage()->getDir() @@ -103,7 +96,6 @@ class Preferences { Hooks::run( 'GetPreferences', [ $user, &$defaultPreferences ] ); self::loadPreferenceValues( $user, $context, $defaultPreferences ); - self::$defaultPreferences = $defaultPreferences; return $defaultPreferences; } @@ -1142,18 +1134,20 @@ class Preferences { $defaultPreferences['watchlisttoken'] = [ 'type' => 'api', ]; + + $tokenButton = new OOUI\ButtonWidget( [ + 'href' => SpecialPage::getTitleFor( 'ResetTokens' )->getLinkURL( [ + 'returnto' => SpecialPage::getTitleFor( 'Preferences' )->getPrefixedText() + ] ), + 'label' => $context->msg( 'prefs-watchlist-managetokens' )->text(), + ] ); $defaultPreferences['watchlisttoken-info'] = [ 'type' => 'info', 'section' => 'watchlist/tokenwatchlist', 'label-message' => 'prefs-watchlist-token', - 'default' => $user->getTokenFromOption( 'watchlisttoken' ), - 'help-message' => 'prefs-help-watchlist-token2', - ]; - $defaultPreferences['watchlisttoken-info2'] = [ - 'type' => 'info', - 'section' => 'watchlist/tokenwatchlist', + 'help-message' => 'prefs-help-tokenmanagement', 'raw' => true, - 'default' => $context->msg( 'prefs-help-watchlist-token2' )->parse(), + 'default' => (string)$tokenButton, ]; } } diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php deleted file mode 100644 index 4c996771e8..0000000000 --- a/includes/Sanitizer.php +++ /dev/null @@ -1,2115 +0,0 @@ - et al - * https://www.mediawiki.org/ - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - * http://www.gnu.org/copyleft/gpl.html - * - * @file - * @ingroup Parser - */ - -/** - * HTML sanitizer for MediaWiki - * @ingroup Parser - */ -class Sanitizer { - /** - * Regular expression to match various types of character references in - * Sanitizer::normalizeCharReferences and Sanitizer::decodeCharReferences - */ - const CHAR_REFS_REGEX = - '/&([A-Za-z0-9\x80-\xff]+); - |&\#([0-9]+); - |&\#[xX]([0-9A-Fa-f]+); - |(&)/x'; - - /** - * Acceptable tag name charset from HTML5 parsing spec - * https://www.w3.org/TR/html5/syntax.html#tag-open-state - */ - const ELEMENT_BITS_REGEX = '!^(/?)([A-Za-z][^\t\n\v />\0]*+)([^>]*?)(/?>)([^<]*)$!'; - - /** - * Blacklist for evil uris like javascript: - * WARNING: DO NOT use this in any place that actually requires blacklisting - * for security reasons. There are NUMEROUS[1] ways to bypass blacklisting, the - * only way to be secure from javascript: uri based xss vectors is to whitelist - * things that you know are safe and deny everything else. - * [1]: http://ha.ckers.org/xss.html - */ - const EVIL_URI_PATTERN = '!(^|\s|\*/\s*)(javascript|vbscript)([^\w]|$)!i'; - const XMLNS_ATTRIBUTE_PATTERN = "/^xmlns:[:A-Z_a-z-.0-9]+$/"; - - /** - * Tells escapeUrlForHtml() to encode the ID using the wiki's primary encoding. - * - * @since 1.30 - */ - const ID_PRIMARY = 0; - - /** - * Tells escapeUrlForHtml() to encode the ID using the fallback encoding, or return false - * if no fallback is configured. - * - * @since 1.30 - */ - const ID_FALLBACK = 1; - - /** - * List of all named character entities defined in HTML 4.01 - * https://www.w3.org/TR/html4/sgml/entities.html - * As well as ' which is only defined starting in XHTML1. - */ - private static $htmlEntities = [ - 'Aacute' => 193, - 'aacute' => 225, - 'Acirc' => 194, - 'acirc' => 226, - 'acute' => 180, - 'AElig' => 198, - 'aelig' => 230, - 'Agrave' => 192, - 'agrave' => 224, - 'alefsym' => 8501, - 'Alpha' => 913, - 'alpha' => 945, - 'amp' => 38, - 'and' => 8743, - 'ang' => 8736, - 'apos' => 39, // New in XHTML & HTML 5; avoid in output for compatibility with IE. - 'Aring' => 197, - 'aring' => 229, - 'asymp' => 8776, - 'Atilde' => 195, - 'atilde' => 227, - 'Auml' => 196, - 'auml' => 228, - 'bdquo' => 8222, - 'Beta' => 914, - 'beta' => 946, - 'brvbar' => 166, - 'bull' => 8226, - 'cap' => 8745, - 'Ccedil' => 199, - 'ccedil' => 231, - 'cedil' => 184, - 'cent' => 162, - 'Chi' => 935, - 'chi' => 967, - 'circ' => 710, - 'clubs' => 9827, - 'cong' => 8773, - 'copy' => 169, - 'crarr' => 8629, - 'cup' => 8746, - 'curren' => 164, - 'dagger' => 8224, - 'Dagger' => 8225, - 'darr' => 8595, - 'dArr' => 8659, - 'deg' => 176, - 'Delta' => 916, - 'delta' => 948, - 'diams' => 9830, - 'divide' => 247, - 'Eacute' => 201, - 'eacute' => 233, - 'Ecirc' => 202, - 'ecirc' => 234, - 'Egrave' => 200, - 'egrave' => 232, - 'empty' => 8709, - 'emsp' => 8195, - 'ensp' => 8194, - 'Epsilon' => 917, - 'epsilon' => 949, - 'equiv' => 8801, - 'Eta' => 919, - 'eta' => 951, - 'ETH' => 208, - 'eth' => 240, - 'Euml' => 203, - 'euml' => 235, - 'euro' => 8364, - 'exist' => 8707, - 'fnof' => 402, - 'forall' => 8704, - 'frac12' => 189, - 'frac14' => 188, - 'frac34' => 190, - 'frasl' => 8260, - 'Gamma' => 915, - 'gamma' => 947, - 'ge' => 8805, - 'gt' => 62, - 'harr' => 8596, - 'hArr' => 8660, - 'hearts' => 9829, - 'hellip' => 8230, - 'Iacute' => 205, - 'iacute' => 237, - 'Icirc' => 206, - 'icirc' => 238, - 'iexcl' => 161, - 'Igrave' => 204, - 'igrave' => 236, - 'image' => 8465, - 'infin' => 8734, - 'int' => 8747, - 'Iota' => 921, - 'iota' => 953, - 'iquest' => 191, - 'isin' => 8712, - 'Iuml' => 207, - 'iuml' => 239, - 'Kappa' => 922, - 'kappa' => 954, - 'Lambda' => 923, - 'lambda' => 955, - 'lang' => 9001, - 'laquo' => 171, - 'larr' => 8592, - 'lArr' => 8656, - 'lceil' => 8968, - 'ldquo' => 8220, - 'le' => 8804, - 'lfloor' => 8970, - 'lowast' => 8727, - 'loz' => 9674, - 'lrm' => 8206, - 'lsaquo' => 8249, - 'lsquo' => 8216, - 'lt' => 60, - 'macr' => 175, - 'mdash' => 8212, - 'micro' => 181, - 'middot' => 183, - 'minus' => 8722, - 'Mu' => 924, - 'mu' => 956, - 'nabla' => 8711, - 'nbsp' => 160, - 'ndash' => 8211, - 'ne' => 8800, - 'ni' => 8715, - 'not' => 172, - 'notin' => 8713, - 'nsub' => 8836, - 'Ntilde' => 209, - 'ntilde' => 241, - 'Nu' => 925, - 'nu' => 957, - 'Oacute' => 211, - 'oacute' => 243, - 'Ocirc' => 212, - 'ocirc' => 244, - 'OElig' => 338, - 'oelig' => 339, - 'Ograve' => 210, - 'ograve' => 242, - 'oline' => 8254, - 'Omega' => 937, - 'omega' => 969, - 'Omicron' => 927, - 'omicron' => 959, - 'oplus' => 8853, - 'or' => 8744, - 'ordf' => 170, - 'ordm' => 186, - 'Oslash' => 216, - 'oslash' => 248, - 'Otilde' => 213, - 'otilde' => 245, - 'otimes' => 8855, - 'Ouml' => 214, - 'ouml' => 246, - 'para' => 182, - 'part' => 8706, - 'permil' => 8240, - 'perp' => 8869, - 'Phi' => 934, - 'phi' => 966, - 'Pi' => 928, - 'pi' => 960, - 'piv' => 982, - 'plusmn' => 177, - 'pound' => 163, - 'prime' => 8242, - 'Prime' => 8243, - 'prod' => 8719, - 'prop' => 8733, - 'Psi' => 936, - 'psi' => 968, - 'quot' => 34, - 'radic' => 8730, - 'rang' => 9002, - 'raquo' => 187, - 'rarr' => 8594, - 'rArr' => 8658, - 'rceil' => 8969, - 'rdquo' => 8221, - 'real' => 8476, - 'reg' => 174, - 'rfloor' => 8971, - 'Rho' => 929, - 'rho' => 961, - 'rlm' => 8207, - 'rsaquo' => 8250, - 'rsquo' => 8217, - 'sbquo' => 8218, - 'Scaron' => 352, - 'scaron' => 353, - 'sdot' => 8901, - 'sect' => 167, - 'shy' => 173, - 'Sigma' => 931, - 'sigma' => 963, - 'sigmaf' => 962, - 'sim' => 8764, - 'spades' => 9824, - 'sub' => 8834, - 'sube' => 8838, - 'sum' => 8721, - 'sup' => 8835, - 'sup1' => 185, - 'sup2' => 178, - 'sup3' => 179, - 'supe' => 8839, - 'szlig' => 223, - 'Tau' => 932, - 'tau' => 964, - 'there4' => 8756, - 'Theta' => 920, - 'theta' => 952, - 'thetasym' => 977, - 'thinsp' => 8201, - 'THORN' => 222, - 'thorn' => 254, - 'tilde' => 732, - 'times' => 215, - 'trade' => 8482, - 'Uacute' => 218, - 'uacute' => 250, - 'uarr' => 8593, - 'uArr' => 8657, - 'Ucirc' => 219, - 'ucirc' => 251, - 'Ugrave' => 217, - 'ugrave' => 249, - 'uml' => 168, - 'upsih' => 978, - 'Upsilon' => 933, - 'upsilon' => 965, - 'Uuml' => 220, - 'uuml' => 252, - 'weierp' => 8472, - 'Xi' => 926, - 'xi' => 958, - 'Yacute' => 221, - 'yacute' => 253, - 'yen' => 165, - 'Yuml' => 376, - 'yuml' => 255, - 'Zeta' => 918, - 'zeta' => 950, - 'zwj' => 8205, - 'zwnj' => 8204 - ]; - - /** - * Character entity aliases accepted by MediaWiki - */ - private static $htmlEntityAliases = [ - 'רלמ' => 'rlm', - 'رلم' => 'rlm', - ]; - - /** - * Lazy-initialised attributes regex, see getAttribsRegex() - */ - private static $attribsRegex; - - /** - * Regular expression to match HTML/XML attribute pairs within a tag. - * Allows some... latitude. Based on, - * https://www.w3.org/TR/html5/syntax.html#before-attribute-value-state - * Used in Sanitizer::fixTagAttributes and Sanitizer::decodeTagAttributes - * @return string - */ - static function getAttribsRegex() { - if ( self::$attribsRegex === null ) { - $attribFirst = "[:_\p{L}\p{N}]"; - $attrib = "[:_\.\-\p{L}\p{N}]"; - $space = '[\x09\x0a\x0c\x0d\x20]'; - self::$attribsRegex = - "/(?:^|$space)({$attribFirst}{$attrib}*) - ($space*=$space* - (?: - # The attribute value: quoted or alone - \"([^\"]*)(?:\"|\$) - | '([^']*)(?:'|\$) - | (((?!$space|>).)*) - ) - )?(?=$space|\$)/sxu"; - } - return self::$attribsRegex; - } - - /** - * Return the various lists of recognized tags - * @param array $extratags For any extra tags to include - * @param array $removetags For any tags (default or extra) to exclude - * @return array - */ - public static function getRecognizedTagData( $extratags = [], $removetags = [] ) { - global $wgAllowImageTag; - - static $htmlpairsStatic, $htmlsingle, $htmlsingleonly, $htmlnest, $tabletags, - $htmllist, $listtags, $htmlsingleallowed, $htmlelementsStatic, $staticInitialised; - - // Base our staticInitialised variable off of the global config state so that if the globals - // are changed (like in the screwed up test system) we will re-initialise the settings. - $globalContext = $wgAllowImageTag; - if ( !$staticInitialised || $staticInitialised != $globalContext ) { - $htmlpairsStatic = [ # Tags that must be closed - 'b', 'bdi', 'del', 'i', 'ins', 'u', 'font', 'big', 'small', 'sub', 'sup', 'h1', - 'h2', 'h3', 'h4', 'h5', 'h6', 'cite', 'code', 'em', 's', - 'strike', 'strong', 'tt', 'var', 'div', 'center', - 'blockquote', 'ol', 'ul', 'dl', 'table', 'caption', 'pre', - 'ruby', 'rb', 'rp', 'rt', 'rtc', 'p', 'span', 'abbr', 'dfn', - 'kbd', 'samp', 'data', 'time', 'mark' - ]; - $htmlsingle = [ - 'br', 'wbr', 'hr', 'li', 'dt', 'dd', 'meta', 'link' - ]; - - # Elements that cannot have close tags. This is (not coincidentally) - # also the list of tags for which the HTML 5 parsing algorithm - # requires you to "acknowledge the token's self-closing flag", i.e. - # a self-closing tag like
is not an HTML 5 parse error only - # for this list. - $htmlsingleonly = [ - 'br', 'wbr', 'hr', 'meta', 'link' - ]; - - $htmlnest = [ # Tags that can be nested--?? - 'table', 'tr', 'td', 'th', 'div', 'blockquote', 'ol', 'ul', - 'li', 'dl', 'dt', 'dd', 'font', 'big', 'small', 'sub', 'sup', 'span', - 'var', 'kbd', 'samp', 'em', 'strong', 'q', 'ruby', 'bdo' - ]; - $tabletags = [ # Can only appear inside table, we will close them - 'td', 'th', 'tr', - ]; - $htmllist = [ # Tags used by list - 'ul', 'ol', - ]; - $listtags = [ # Tags that can appear in a list - 'li', - ]; - - if ( $wgAllowImageTag ) { - $htmlsingle[] = 'img'; - $htmlsingleonly[] = 'img'; - } - - $htmlsingleallowed = array_unique( array_merge( $htmlsingle, $tabletags ) ); - $htmlelementsStatic = array_unique( array_merge( $htmlsingle, $htmlpairsStatic, $htmlnest ) ); - - # Convert them all to hashtables for faster lookup - $vars = [ 'htmlpairsStatic', 'htmlsingle', 'htmlsingleonly', 'htmlnest', 'tabletags', - 'htmllist', 'listtags', 'htmlsingleallowed', 'htmlelementsStatic' ]; - foreach ( $vars as $var ) { - $$var = array_flip( $$var ); - } - $staticInitialised = $globalContext; - } - - # Populate $htmlpairs and $htmlelements with the $extratags and $removetags arrays - $extratags = array_flip( $extratags ); - $removetags = array_flip( $removetags ); - $htmlpairs = array_merge( $extratags, $htmlpairsStatic ); - $htmlelements = array_diff_key( array_merge( $extratags, $htmlelementsStatic ), $removetags ); - - return [ - 'htmlpairs' => $htmlpairs, - 'htmlsingle' => $htmlsingle, - 'htmlsingleonly' => $htmlsingleonly, - 'htmlnest' => $htmlnest, - 'tabletags' => $tabletags, - 'htmllist' => $htmllist, - 'listtags' => $listtags, - 'htmlsingleallowed' => $htmlsingleallowed, - 'htmlelements' => $htmlelements, - ]; - } - - /** - * Cleans up HTML, removes dangerous tags and attributes, and - * removes HTML comments - * @param string $text - * @param callable $processCallback Callback to do any variable or parameter - * replacements in HTML attribute values - * @param array|bool $args Arguments for the processing callback - * @param array $extratags For any extra tags to include - * @param array $removetags For any tags (default or extra) to exclude - * @param callable $warnCallback (Deprecated) Callback allowing the - * addition of a tracking category when bad input is encountered. - * DO NOT ADD NEW PARAMETERS AFTER $warnCallback, since it will be - * removed shortly. - * @return string - */ - public static function removeHTMLtags( $text, $processCallback = null, - $args = [], $extratags = [], $removetags = [], $warnCallback = null - ) { - extract( self::getRecognizedTagData( $extratags, $removetags ) ); - - # Remove HTML comments - $text = self::removeHTMLcomments( $text ); - $bits = explode( '<', $text ); - $text = str_replace( '>', '>', array_shift( $bits ) ); - if ( !MWTidy::isEnabled() ) { - $tagstack = $tablestack = []; - foreach ( $bits as $x ) { - $regs = []; - # $slash: Does the current element start with a '/'? - # $t: Current element name - # $params: String between element name and > - # $brace: Ending '>' or '/>' - # $rest: Everything until the next element of $bits - if ( preg_match( self::ELEMENT_BITS_REGEX, $x, $regs ) ) { - list( /* $qbar */, $slash, $t, $params, $brace, $rest ) = $regs; - } else { - $slash = $t = $params = $brace = $rest = null; - } - - $badtag = false; - $t = strtolower( $t ); - if ( isset( $htmlelements[$t] ) ) { - # Check our stack - if ( $slash && isset( $htmlsingleonly[$t] ) ) { - $badtag = true; - } elseif ( $slash ) { - # Closing a tag... is it the one we just opened? - MediaWiki\suppressWarnings(); - $ot = array_pop( $tagstack ); - MediaWiki\restoreWarnings(); - - if ( $ot != $t ) { - if ( isset( $htmlsingleallowed[$ot] ) ) { - # Pop all elements with an optional close tag - # and see if we find a match below them - $optstack = []; - array_push( $optstack, $ot ); - MediaWiki\suppressWarnings(); - $ot = array_pop( $tagstack ); - MediaWiki\restoreWarnings(); - while ( $ot != $t && isset( $htmlsingleallowed[$ot] ) ) { - array_push( $optstack, $ot ); - MediaWiki\suppressWarnings(); - $ot = array_pop( $tagstack ); - MediaWiki\restoreWarnings(); - } - if ( $t != $ot ) { - # No match. Push the optional elements back again - $badtag = true; - MediaWiki\suppressWarnings(); - $ot = array_pop( $optstack ); - MediaWiki\restoreWarnings(); - while ( $ot ) { - array_push( $tagstack, $ot ); - MediaWiki\suppressWarnings(); - $ot = array_pop( $optstack ); - MediaWiki\restoreWarnings(); - } - } - } else { - MediaWiki\suppressWarnings(); - array_push( $tagstack, $ot ); - MediaWiki\restoreWarnings(); - - #
  • can be nested in