*
* $wgMimeType: If this is set to an xml MIME type then output should be
* valid XHTML5.
- * $wgWellFormedXml: If this is set to true, then all output should be
- * well-formed XML (quotes on attributes, self-closing tags, etc.).
*
* This class is meant to be confined to utility functions that are called from
* trusted code paths. It does not do enforcement of policy like not allowing
* This is quite similar to Xml::tags(), but it implements some useful
* HTML-specific logic. For instance, there is no $allowShortTag
* parameter: the closing tag is magically omitted if $element has an empty
- * content model. If $wgWellFormedXml is false, then a few bytes will be
- * shaved off the HTML output as well.
+ * content model.
*
* @param string $element The element's name, e.g., 'a'
* @param array $attribs Associative array of attributes, e.g., array(
* @return string Raw HTML
*/
public static function rawElement( $element, $attribs = [], $contents = '' ) {
- global $wgWellFormedXml;
$start = self::openElement( $element, $attribs );
if ( in_array( $element, self::$voidElements ) ) {
- if ( $wgWellFormedXml ) {
- // Silly XML.
- return substr( $start, 0, -1 ) . '/>';
- }
- return $start;
+ // Silly XML.
+ return substr( $start, 0, -1 ) . '/>';
} else {
return "$start$contents" . self::closeElement( $element );
}
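Review bot: The comment `// Silly XML.` on the void-element branch of rawElement made sense while that branch depended on `$wgWellFormedXml`, but now that the self-closing form is the only path it explains nothing. The line also silently discards `$contents` for void elements and assumes `$start` ends in `>`. A comment such as `// Void element: rewrite the trailing '>' of the open tag as '/>'; $contents is ignored` would record both facts. The function's closing brace is outside the lines shown.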
* 'http://www.mediawiki.org/' ) becomes something like
* ' href="http://www.mediawiki.org"'. Again, this is like
* Xml::expandAttributes(), but it implements some HTML-specific logic.
- * For instance, it will omit quotation marks if $wgWellFormedXml is false,
- * and will treat boolean attributes specially.
*
* Attributes that can contain space-separated lists ('class', 'accesskey' and 'rel') array
* values are allowed as well, which will automagically be normalized
* (starting with a space if at least one attribute is output)
*/
public static function expandAttributes( array $attribs ) {
- global $wgWellFormedXml;
-
$ret = '';
foreach ( $attribs as $key => $value ) {
// Support intuitive array( 'checked' => true/false ) form
throw new MWException( "HTML attribute $key can not contain a list of values" );
}
- // See the "Attributes" section in the HTML syntax part of HTML5,
- // 9.1.2.3 as of 2009-08-10. Most attributes can have quotation
- // marks omitted, but not all. (Although a literal " is not
- // permitted, we don't check for that, since it will be escaped
- // anyway.)
-
- // See also research done on further characters that need to be
- // escaped: http://code.google.com/p/html5lib/issues/detail?id=93
- $badChars = "\\x00- '=<>`/\x{00a0}\x{1680}\x{180e}\x{180F}\x{2000}\x{2001}"
- . "\x{2002}\x{2003}\x{2004}\x{2005}\x{2006}\x{2007}\x{2008}\x{2009}"
- . "\x{200A}\x{2028}\x{2029}\x{202F}\x{205F}\x{3000}";
- if ( $wgWellFormedXml || $value === '' || preg_match( "![$badChars]!u", $value ) ) {
- $quote = '"';
- } else {
- $quote = '';
- }
+ $quote = '"';
if ( in_array( $key, self::$boolAttribs ) ) {
- // In HTML5, we can leave the value empty. If we don't need
- // well-formed XML, we can omit the = entirely.
- if ( !$wgWellFormedXml ) {
- $ret .= " $key";
- } else {
- $ret .= " $key=\"\"";
- }
+ $ret .= " $key=\"\"";
} else {
// Apparently we need to entity-encode \n, \r, \t, although the
// spec doesn't mention that. Since we're doing strtr() anyway,
// don't because we're stubborn and like our marginal savings on
// byte size from not having to encode unnecessary quotes.
// The only difference between this transform and the one by
- // Sanitizer::encodeAttribute() is '<' is only encoded here if
- // $wgWellFormedXml is set, and ' is not encoded.
+ // Sanitizer::encodeAttribute() is ' is not encoded.
$map = [
'&' => '&',
'"' => '"',
'>' => '>',
+ // '<' allegedly allowed per spec
+ // but breaks some tools if not escaped.
+ "<" => '<',
"\n" => ' ',
"\r" => ' ',
"\t" => '	'
];
- if ( $wgWellFormedXml ) {
- // This is allowed per spec: <http://www.w3.org/TR/xml/#NT-AttValue>
- // But reportedly it breaks some XML tools?
- // @todo FIXME: Is this really true?
- $map['<'] = '<';
- }
$ret .= " $key=$quote" . strtr( $value, $map ) . $quote;
}
}
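Review bot: `$quote` in expandAttributes is now always `"`, and the value encoding depends on that: per the comment above `$map`, `'` is deliberately not encoded, so the output is only safe while the delimiter stays a double quote. Keeping the variable lets a later edit change the delimiter without touching the map. I would drop `$quote` and write the delimiter literally, `$ret .= " $key=\"" . strtr( $value, $map ) . '"';`, with a comment such as `// Always double-quoted: $map encodes " but not '`. The function body continues outside the lines shown.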
* @return string Raw HTML
*/
public static function inlineScript( $contents ) {
- global $wgWellFormedXml;
-
$attrs = [];
- if ( $wgWellFormedXml && preg_match( '/[<&]/', $contents ) ) {
+ if ( preg_match( '/[<&]/', $contents ) ) {
$contents = "/*<![CDATA[*/$contents/*]]>*/";
}
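Review bot: inlineScript now applies the CDATA wrapper whenever `$contents` holds `<` or `&`, but `$contents` is still emitted unescaped, so a literal `</script` or `]]>` inside it would end the element or the CDATA section early. inlineStyle in this same change escapes `<` and `]]>`; nothing equivalent is done here, which is acceptable only if every caller passes trusted script text. I would state that in the docblock, e.g. `@param string $contents JavaScript, emitted verbatim; must not contain "</script" or "]]>" derived from untrusted data`. Most of the docblock and the rest of the body are outside the hunk, so this may already be documented there.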
* @return string Raw HTML
*/
public static function inlineStyle( $contents, $media = 'all' ) {
- global $wgWellFormedXml;
+ // Don't escape '>' since that is used
+ // as direct child selector.
+ // Remember, in css, there is no "x" for hexadecimal escapes, and
+ // the space immediately after an escape sequence is swallowed.
+ $contents = strtr( $contents, [
+ '<' => '\3C ',
+ // CDATA end tag for good measure, but the main security
+ // is from escaping the '<'.
+ ']]>' => '\5D\5D\3E '
+ ] );
- if ( $wgWellFormedXml && preg_match( '/[<&]/', $contents ) ) {
+ if ( preg_match( '/[<&]/', $contents ) ) {
$contents = "/*<![CDATA[*/$contents/*]]>*/";
}
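Review bot: After the new `strtr()` call in inlineStyle every `<` in `$contents` has become `\3C `, so the `<` in `preg_match( '/[<&]/', $contents )` can no longer match and the CDATA wrapper is reached only for `&`. Either drop the dead half, `if ( strpos( $contents, '&' ) !== false ) {`, or add a comment saying the pattern is kept identical to inlineScript on purpose. The docblock, which is mostly outside the hunk, should also say that `<` and `]]>` are replaced with CSS escapes, so callers know the emitted CSS is not byte-identical to their input.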
$attribs['version'] = $wgHtml5Version;
}
- $html = self::openElement( 'html', $attribs );
-
- if ( $html ) {
- $html .= "\n";
- }
-
- $ret .= $html;
+ $ret .= self::openElement( 'html', $attribs );
return $ret;
}
static function srcSet( array $urls ) {
$candidates = [];
foreach ( $urls as $density => $url ) {
- // Cast density to float to strip 'x'.
- $candidates[] = $url . ' ' . (float)$density . 'x';
+ // Cast density to float to strip 'x', then back to string to serve
+ // as array index.
+ $density = (string)(float)$density;
+ $candidates[$density] = $url;
}
+
+ // Remove duplicates that are the same as a smaller value
+ ksort( $candidates, SORT_NUMERIC );
+ $candidates = array_unique( $candidates );
+
+ // Append density info to the url
+ foreach ( $candidates as $density => $url ) {
+ $candidates[$density] = $url . ' ' . $density . 'x';
+ }
+
return implode( ", ", $candidates );
}
}
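Review bot: The new de-duplication in srcSet still appends each `$url` to the list verbatim, so a URL that contains whitespace or ends in a comma would be read as a different candidate or descriptor when the attribute is parsed; nothing in the hunk checks for that. Whether callers always pass encoded URLs is not visible here, and the docblock is outside the hunk, so at minimum it should state the requirement, e.g. `@param string[] $urls Map of density => URL; URLs must already be percent-encoded (no whitespace)`. Separately, `$candidates` is first a density => URL map and is then overwritten in place with the final strings. Building the output in a second array would make the three steps easier to follow.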