Fix 8590 : remove support for $wgUserHtml . Our specific HTML subset

is pretty much required to do anything cool in articles.

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index d9dff2a..7802316 100644 (file)
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -30,6 +30,7 @@ it from source control: http://www.mediawiki.org/wiki/Download_from_SVN
   $wgAutoConfirmCount (defaulting to zero, naturally).
 * Added rate limiter for Special:Emailuser
 * Private logs can now be created using $wgLogRestrictions
+* (Bug 8590) limited HTML is now always enabled ($wgUserHtml = true).
 
 == New features since 1.9 ==
 

diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index ca9d96d..cd49b0a 100644 (file)
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -1655,12 +1655,6 @@ $wgFilterCallback = false;
 /** Go button goes straight to the edit screen if the article doesn't exist. */
 $wgGoToEdit = false;
 
-/** Allow limited user-specified HTML in wiki pages?
- * It  will be run through a whitelist for security. Set this to false if you
- * want wiki pages to consist only of wiki markup. Note that replacements do not
- * yet exist for all HTML constructs.*/
-$wgUserHtml = true;
-
 /** Allow raw, unchecked HTML in <html>...</html> sections.
  * THIS IS VERY DANGEROUS on a publically editable site, so USE wgGroupPermissions
  * TO RESTRICT EDITING to only those that you trust
@@ -1669,8 +1663,7 @@ $wgRawHtml = false;
 
 /**
  * $wgUseTidy: use tidy to make sure HTML output is sane.
- * This should only be enabled if $wgUserHtml is true.
- * tidy is a free tool that fixes broken HTML.
+ * Tidy is a free tool that fixes broken HTML.
  * See http://www.w3.org/People/Raggett/tidy/
  * $wgTidyBin should be set to the path of the binary and
  * $wgTidyConf to the path of the configuration file.

diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index 6e1f37b..dc12ec7 100644 (file)
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -326,7 +326,7 @@ class Sanitizer {
         * @return string
         */
        static function removeHTMLtags( $text, $processCallback = null, $args = array() ) {
-               global $wgUseTidy, $wgUserHtml;
+               global $wgUseTidy;
 
                static $htmlpairs, $htmlsingle, $htmlsingleonly, $htmlnest, $tabletags,
                        $htmllist, $listtags, $htmlsingleallowed, $htmlelements, $staticInitialised;
@@ -334,40 +334,33 @@ class Sanitizer {
                wfProfileIn( __METHOD__ );
 
                if ( !$staticInitialised ) {
-                       if( $wgUserHtml ) {
-                               $htmlpairs = array( # Tags that must be closed
-                                       'b', 'del', 'i', 'ins', 'u', 'font', 'big', 'small', 'sub', 'sup', 'h1',
-                                       'h2', 'h3', 'h4', 'h5', 'h6', 'cite', 'code', 'em', 's',
-                                       'strike', 'strong', 'tt', 'var', 'div', 'center',
-                                       'blockquote', 'ol', 'ul', 'dl', 'table', 'caption', 'pre',
-                                       'ruby', 'rt' , 'rb' , 'rp', 'p', 'span', 'u'
-                               );
-                               $htmlsingle = array(
-                                       'br', 'hr', 'li', 'dt', 'dd'
-                               );
-                               $htmlsingleonly = array( # Elements that cannot have close tags
-                                       'br', 'hr'
-                               );
-                               $htmlnest = array( # Tags that can be nested--??
-                                       'table', 'tr', 'td', 'th', 'div', 'blockquote', 'ol', 'ul',
-                                       'dl', 'font', 'big', 'small', 'sub', 'sup', 'span'
-                               );
-                               $tabletags = array( # Can only appear inside table, we will close them
-                                       'td', 'th', 'tr',
-                               );
-                               $htmllist = array( # Tags used by list
-                                       'ul','ol',
-                               );
-                               $listtags = array( # Tags that can appear in a list
-                                       'li',
-                               );
-
-                       } else {
-                               $htmlpairs = array();
-                               $htmlsingle = array();
-                               $htmlnest = array();
-                               $tabletags = array();
-                       }
+
+                       $htmlpairs = array( # Tags that must be closed
+                               'b', 'del', 'i', 'ins', 'u', 'font', 'big', 'small', 'sub', 'sup', 'h1',
+                               'h2', 'h3', 'h4', 'h5', 'h6', 'cite', 'code', 'em', 's',
+                               'strike', 'strong', 'tt', 'var', 'div', 'center',
+                               'blockquote', 'ol', 'ul', 'dl', 'table', 'caption', 'pre',
+                               'ruby', 'rt' , 'rb' , 'rp', 'p', 'span', 'u'
+                       );
+                       $htmlsingle = array(
+                               'br', 'hr', 'li', 'dt', 'dd'
+                       );
+                       $htmlsingleonly = array( # Elements that cannot have close tags
+                               'br', 'hr'
+                       );
+                       $htmlnest = array( # Tags that can be nested--??
+                               'table', 'tr', 'td', 'th', 'div', 'blockquote', 'ol', 'ul',
+                               'dl', 'font', 'big', 'small', 'sub', 'sup', 'span'
+                       );
+                       $tabletags = array( # Can only appear inside table, we will close them
+                               'td', 'th', 'tr',
+                       );
+                       $htmllist = array( # Tags used by list
+                               'ul','ol',
+                       );
+                       $listtags = array( # Tags that can appear in a list
+                               'li',
+                       );
 
                        $htmlsingleallowed = array_merge( $htmlsingle, $tabletags );
                        $htmlelements = array_merge( $htmlsingle, $htmlpairs, $htmlnest );

diff --git a/t/inc/Sanitizer.t b/t/inc/Sanitizer.t
index a9ac8cf..e3b11b6 100644 (file)
--- a/t/inc/Sanitizer.t
+++ b/t/inc/Sanitizer.t
@@ -54,7 +54,6 @@ cmp_ok( Sanitizer::decodeCharReferences( '&foo;' ), '==', '&foo;', 'Invalid name
 cmp_ok( Sanitizer::decodeCharReferences( "�" ), '==', UTF8_REPLACEMENT, 'Invalid numbered entity' );
 
 $wgUseTidy = false;
-$wgUserHtml = true;
 cmp_ok(
        Sanitizer::removeHTMLtags( '<div>Hello world</div />' ),
        '==',