$newparams = '';
} else {
# Keep track for later
- if ( isset( $tabletags[$t] ) &&
- !in_array( 'table', $tagstack ) ) {
+ if ( isset( $tabletags[$t] ) && !in_array( 'table', $tagstack ) ) {
$badtag = true;
- } elseif ( in_array( $t, $tagstack ) &&
- !isset( $htmlnest[$t] ) ) {
+ } elseif ( in_array( $t, $tagstack ) && !isset( $htmlnest[$t] ) ) {
$badtag = true;
# Is it a self closed htmlpair ? (bug 5487)
- } elseif ( $brace == '/>' &&
- isset( $htmlpairs[$t] ) ) {
+ } elseif ( $brace == '/>' && isset( $htmlpairs[$t] ) ) {
$badtag = true;
} elseif ( isset( $htmlsingleonly[$t] ) ) {
# Hack to force empty tag for unclosable elements
# the tag stack so that we can match end tags
# instead of marking them as bad.
array_push( $tagstack, $t );
- } elseif ( isset( $tabletags[$t] )
- && in_array( $t, $tagstack ) ) {
+ } elseif ( isset( $tabletags[$t] ) && in_array( $t, $tagstack ) ) {
// New table tag but forgot to close the previous one
$text .= "</$t>";
} else {
}
/**
- * Pick apart some CSS and check it for forbidden or unsafe structures.
- * Returns a sanitized string. This sanitized string will have
- * character references and escape sequences decoded and comments
- * stripped (unless it is itself one valid comment, in which case the value
- * will be passed through). If the input is just too evil, only a comment
- * complaining about evilness will be returned.
- *
- * Currently URL references, 'expression', 'tps' are forbidden.
- *
- * NOTE: Despite the fact that character references are decoded, the
- * returned string may contain character references given certain
- * clever input strings. These character references must
- * be escaped before the return value is embedded in HTML.
- *
- * @param string $value
- * @return string
+ * Normalize CSS into a format we can easily search for hostile input
+ * - decode character references
+ * - decode escape sequences
+ * - convert characters that IE6 interprets into ascii
+ * - remove comments, unless the entire value is one single comment
+ * @param string $value the css string
+ * @return string normalized css
*/
- static function checkCss( $value ) {
+ public static function normalizeCss( $value ) {
+
// Decode character references like {
$value = Sanitizer::decodeCharReferences( $value );
$value
);
+ return $value;
+ }
+
+
+ /**
+ * Pick apart some CSS and check it for forbidden or unsafe structures.
+ * Returns a sanitized string. This sanitized string will have
+ * character references and escape sequences decoded and comments
+ * stripped (unless it is itself one valid comment, in which case the value
+ * will be passed through). If the input is just too evil, only a comment
+ * complaining about evilness will be returned.
+ *
+ * Currently URL references, 'expression', 'tps' are forbidden.
+ *
+ * NOTE: Despite the fact that character references are decoded, the
+ * returned string may contain character references given certain
+ * clever input strings. These character references must
+ * be escaped before the return value is embedded in HTML.
+ *
+ * @param string $value
+ * @return string
+ */
+ static function checkCss( $value ) {
+ $value = self::normalizeCss( $value );
+
// Reject problematic keywords and control characters
if ( preg_match( '/[\000-\010\013\016-\037\177]/', $value ) ) {
return '/* invalid control char */';
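Review bot: normalizeCss is introduced as a public static method, but its docblock (L46–L52) does not say that it only decodes and strips and rejects nothing, so a caller outside the class could mistake its return value for sanitized CSS. The caveat that the checkCss docblock keeps — decoded output may still contain character references that must be escaped before being embedded in HTML — applies equally here, since normalizeCss is now where the decoding happens. Suggest adding to the normalizeCss docblock: `* NOTE: this rejects nothing; the result is not safe to emit and must still go through checkCss() and be escaped for its HTML context before use.` The normalization body between decodeCharReferences and the return is collapsed in this view, and checkCss continues past the end of the hunk.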
global $wgExperimentalHtmlIds;
$options = (array)$options;
+ $id = Sanitizer::decodeCharReferences( $id );
+
if ( $wgExperimentalHtmlIds && !in_array( 'legacy', $options ) ) {
- $id = Sanitizer::decodeCharReferences( $id );
$id = preg_replace( '/[ \t\n\r\f_\'"&#%]+/', '_', $id );
$id = trim( $id, '_' );
if ( $id === '' ) {
- # Must have been all whitespace to start with.
+ // Must have been all whitespace to start with.
return '_';
} else {
return $id;
}
}
- # HTML4-style escaping
+ // HTML4-style escaping
static $replace = array(
'%3A' => ':',
'%' => '.'
);
- $id = urlencode( Sanitizer::decodeCharReferences( strtr( $id, ' ', '_' ) ) );
+ $id = urlencode( strtr( $id, ' ', '_' ) );
$id = str_replace( array_keys( $replace ), array_values( $replace ), $id );
- if ( !preg_match( '/^[a-zA-Z]/', $id )
- && !in_array( 'noninitial', $options ) ) {
+ if ( !preg_match( '/^[a-zA-Z]/', $id ) && !in_array( 'noninitial', $options ) ) {
// Initial character must be a letter!
$id = "x$id";
}
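Review bot: Hoisting decodeCharReferences above the branch (L91) changes its order relative to `strtr( $id, ' ', '_' )` on the HTML4 path — old L111 decoded after the space-to-underscore swap, new L112 decodes before it — so a space produced by decoding (for example `&#32;`) is now turned into `_`, whereas it previously reached urlencode as a literal space. This looks intentional, but it alters the generated ids for such inputs, which is a compatibility concern for existing anchors and should be called out in the commit message. If intended, a short comment at L91 such as `// Decode first so entities that decode to whitespace are normalized like literal whitespace` would record the reasoning. The enclosing function starts and ends outside the hunk.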
static function normalizeEntity( $name ) {
if ( isset( self::$htmlEntityAliases[$name] ) ) {
return '&' . self::$htmlEntityAliases[$name] . ';';
- } elseif ( in_array( $name,
- array( 'lt', 'gt', 'amp', 'quot' ) ) ) {
+ } elseif ( in_array( $name, array( 'lt', 'gt', 'amp', 'quot' ) ) ) {
return "&$name;";
} elseif ( isset( self::$htmlEntities[$name] ) ) {
return '&#' . self::$htmlEntities[$name] . ';';
*/
public static function validateEmail( $addr ) {
$result = null;
- if ( !wfRunHooks( 'isValidEmailAddr', array( $addr, &$result ) ) ) {
+ if ( !Hooks::run( 'isValidEmailAddr', array( $addr, &$result ) ) ) {
return $result;
}