diff options
| author | Daniel Friesen <dantman@users.mediawiki.org> | 2012-02-20 00:42:24 +0000 |
|---|---|---|
| committer | Daniel Friesen <dantman@users.mediawiki.org> | 2012-02-20 00:42:24 +0000 |
| commit | ce58ef75f4f97de9f803c589a898cf3fb3f9c7e9 (patch) | |
| tree | ef0460317f30311708c878bfecbfbeba3db4a2dd /includes | |
| parent | 524741dcc41898ba0611241a7b3ede0537f3b7f6 (diff) | |
| download | mediawikicore-ce58ef75f4f97de9f803c589a898cf3fb3f9c7e9.tar.gz mediawikicore-ce58ef75f4f97de9f803c589a898cf3fb3f9c7e9.zip | |
Followup r111891; Update the test to also make sure things like http-equiv and rel=stylesheet don't link through. And update the sanitizer code so that bad <link> and <meta> tags show in proper plaintext when tidy is enabled just like they do when not.
Notes
Notes:
http://mediawiki.org/wiki/Special:Code/MediaWiki/111901
Diffstat (limited to 'includes')
| -rw-r--r-- | includes/Sanitizer.php | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php index 785e2ec9c15c..eb8710866aad 100644 --- a/includes/Sanitizer.php +++ b/includes/Sanitizer.php @@ -564,16 +564,24 @@ class Sanitizer { preg_match( '/^(\\/?)(\\w+)([^>]*?)(\\/{0,1}>)([^<]*)$/', $x, $regs ); @list( /* $qbar */, $slash, $t, $params, $brace, $rest ) = $regs; + $badtag = false; if ( isset( $htmlelements[$t = strtolower( $t )] ) ) { if( is_callable( $processCallback ) ) { call_user_func_array( $processCallback, array( &$params, $args ) ); } + + if ( !Sanitizer::validateTag( $params, $t ) ) { + $badtag = true; + } + $newparams = Sanitizer::fixTagAttributes( $params, $t ); - $rest = str_replace( '>', '>', $rest ); - $text .= "<$slash$t$newparams$brace$rest"; - } else { - $text .= '<' . str_replace( '>', '>', $x); + if ( !$badtag ) { + $rest = str_replace( '>', '>', $rest ); + $text .= "<$slash$t$newparams$brace$rest"; + continue; + } } + $text .= '<' . str_replace( '>', '>', $x); } } wfProfileOut( __METHOD__ ); |