author | Daniel Friesen <dantman@users.mediawiki.org> | 2012-02-20 00:42:24 +0000 |
---|---|---|
committer | Daniel Friesen <dantman@users.mediawiki.org> | 2012-02-20 00:42:24 +0000 |
commit | ce58ef75f4f97de9f803c589a898cf3fb3f9c7e9 (patch) | |
tree | ef0460317f30311708c878bfecbfbeba3db4a2dd | |
parent | 524741dcc41898ba0611241a7b3ede0537f3b7f6 (diff) | |
Follow-up to r111891: update the test to also make sure that things like http-equiv and rel=stylesheet don't link through, and update the sanitizer code so that bad <link> and <meta> tags show as proper plaintext when tidy is enabled, just as they do when it is not.
Notes
Notes:
http://mediawiki.org/wiki/Special:Code/MediaWiki/111901
-rw-r--r-- | includes/Sanitizer.php | 16 | ||||
-rw-r--r-- | tests/parser/parserTests.txt | 4 |
2 files changed, 16 insertions, 4 deletions
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index 785e2ec9c15c..eb8710866aad 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -564,16 +564,24 @@ class Sanitizer {
 preg_match( '/^(\\/?)(\\w+)([^>]*?)(\\/{0,1}>)([^<]*)$/', $x, $regs );
 @list( /* $qbar */, $slash, $t, $params, $brace, $rest ) = $regs;
+ $badtag = false;
 if ( isset( $htmlelements[$t = strtolower( $t )] ) ) {
 if( is_callable( $processCallback ) ) {
 call_user_func_array( $processCallback, array( &$params, $args ) );
 }
+
+ if ( !Sanitizer::validateTag( $params, $t ) ) {
+ $badtag = true;
+ }
+
 $newparams = Sanitizer::fixTagAttributes( $params, $t );
- $rest = str_replace( '>', '>', $rest );
- $text .= "<$slash$t$newparams$brace$rest";
- } else {
- $text .= '<' . str_replace( '>', '>', $x);
+ if ( !$badtag ) {
+ $rest = str_replace( '>', '>', $rest );
+ $text .= "<$slash$t$newparams$brace$rest";
+ continue;
+ }
 }
+ $text .= '<' . str_replace( '>', '>', $x);
 }
 }
 wfProfileOut( __METHOD__ );
diff --git a/tests/parser/parserTests.txt b/tests/parser/parserTests.txt
index 22970a147d9f..8535d78f1f8d 100644
--- a/tests/parser/parserTests.txt
+++ b/tests/parser/parserTests.txt
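Review bot: `Sanitizer::fixTagAttributes( $params, $t )` still runs after `validateTag` has rejected the tag, and its result `$newparams` is then discarded on the fall-through path; the `$badtag` flag exists only to carry that verdict past the unused call. Folding the two conditions into one — `if ( Sanitizer::validateTag( $params, $t ) ) {` wrapping the `fixTagAttributes` call, the `$rest` escaping, the append and the `continue` — removes the flag and the wasted attribute parsing, and leaves the trailing `$text .= '<' . str_replace( '>', '>', $x);` as the single rejected-tag path. Because `$params` is passed by reference to `$processCallback` just above, the validation intentionally sees the callback's rewritten attributes; a comment such as `// validate after the callback so the check sees the attributes that will actually be emitted` would make that ordering constraint explicit. As rendered here the `str_replace` arguments read `'>', '>'` and the prefix `'<'`, which is presumably the page decoding the `&gt;`/`&lt;` entities rather than a no-op in the source — worth confirming against the file. The enclosing method begins and ends outside this hunk.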
@@ -5425,16 +5425,20 @@ Sanitizer: Validating that <meta> and <link> work, but only for Microdata
 <div itemscope>
 <meta itemprop="hello" content="world">
 <meta http-equiv="refresh" content="5">
+ <meta itemprop="hello" http-equiv="refresh" content="5">
 <link itemprop="hello" href="{{SERVER}}">
 <link rel="stylesheet" href="{{SERVER}}">
+ <link rel="stylesheet" itemprop="hello" href="{{SERVER}}">
 </div>
 !! result
 <div itemscope="itemscope">
 <p>
 <meta itemprop="hello" content="world" />
 <meta http-equiv="refresh" content="5">
+ <meta itemprop="hello" content="5" />
 </p>
 <link itemprop="hello" href="http://Britney-Spears" />
 <link rel="stylesheet" href="<a rel="nofollow" class="external free" href="http://Britney-Spears">http://Britney-Spears</a>">
+ <link itemprop="hello" href="http://Britney-Spears" />
 </div>
 !! end |