* Regular expression to match HTML/XML attribute pairs within a tag.
* Allows some... latitude.
* Used in Sanitizer::fixTagAttributes and Sanitizer::decodeTagAttributes
+ * @return string
*/
static function getAttribsRegex() {
if ( self::$attribsRegex === null ) {
'h2', 'h3', 'h4', 'h5', 'h6', 'cite', 'code', 'em', 's',
'strike', 'strong', 'tt', 'var', 'div', 'center',
'blockquote', 'ol', 'ul', 'dl', 'table', 'caption', 'pre',
- 'ruby', 'rt', 'rb', 'rp', 'p', 'span', 'abbr', 'dfn',
+ 'ruby', 'rb', 'rp', 'rt', 'rtc', 'p', 'span', 'abbr', 'dfn',
'kbd', 'samp', 'data', 'time', 'mark'
);
$htmlsingle = array(
* - Invalid id attributes are re-encoded
*
* @param array $attribs
- * @param array $whitelist list of allowed attribute names
+ * @param array $whitelist List of allowed attribute names
* @return array
*
* @todo Check for legal values where the DTD limits things.
* @return string
*/
static function checkCss( $value ) {
- global $wgDisallowedCss;
-
// Decode character references like {
$value = Sanitizer::decodeCharReferences( $value );
// Reject problematic keywords and control characters
if ( preg_match( '/[\000-\010\013\016-\037\177]/', $value ) ) {
return '/* invalid control char */';
- } else {
- if ( $wgDisallowedCss ) {
- if ( preg_match( $wgDisallowedCss, $value ) ) {
- return '/* insecure input */';
- }
- }
+ } elseif ( preg_match(
+ '! expression
+ | filter\s*:
+ | accelerator\s*:
+ | -o-link\s*:
+ | -o-link-source\s*:
+ | -o-replace\s*:
+ | url\s*\(
+ | image\s*\(
+ | image-set\s*\(
+ !ix', $value ) ) {
+ return '/* insecure input */';
}
return $value;
}
* @see http://www.whatwg.org/html/elements.html#the-id-attribute
* HTML5 definition of id attribute
*
- * @param string $id id to escape
+ * @param string $id Id to escape
* @param string|array $options String or array of strings (default is array()):
* 'noninitial': This is a non-initial fragment of an id, not a full id,
* so don't pay attention if the first character isn't valid at the
* attribs regex matches.
*
* @param array $set
- * @throws MWException when tag conditions are not met.
+ * @throws MWException When tag conditions are not met.
* @return string
*/
private static function getTagAttributeCallback( $set ) {
# http://www.whatwg.org/html/text-level-semantics.html#the-ruby-element
'ruby' => $common,
# rbc
- # rtc
'rb' => $common,
- 'rt' => $common, #array_merge( $common, array( 'rbspan' ) ),
'rp' => $common,
+ 'rt' => $common, #array_merge( $common, array( 'rbspan' ) ),
+ 'rtc' => $common,
# MathML root element, where used for extensions
# 'title' may not be 100% valid here; it's XHTML
dépôts / lhc / web / wiklou.git / blobdiff