https://www.mediawiki.org/wiki/Special:Code/MediaWiki/114346
Revision: 114346
Author: tstarling
Date: 2012-03-21 05:14:04 +0000 (Wed, 21 Mar 2012)
Log Message:
-----------
MFT r114231: fix "strip tag exposed" bugs
Modified Paths:
--------------
branches/REL1_19/phase3/RELEASE-NOTES-1.19
branches/REL1_19/phase3/includes/parser/CoreParserFunctions.php
branches/REL1_19/phase3/includes/parser/Parser.php
branches/REL1_19/phase3/includes/parser/StripState.php
branches/REL1_19/phase3/tests/parser/parserTests.txt
Modified: branches/REL1_19/phase3/RELEASE-NOTES-1.19
===================================================================
--- branches/REL1_19/phase3/RELEASE-NOTES-1.19 2012-03-21 05:03:43 UTC (rev
114345)
+++ branches/REL1_19/phase3/RELEASE-NOTES-1.19 2012-03-21 05:14:04 UTC (rev
114346)
@@ -25,6 +25,10 @@
* (bug 31417) New ID mw-content-text around the actual page text, without
categories,
contentSub, ... The same div often also contains the class
mw-content-ltr/rtl.
* (bug 35303) Proxy and DNS blacklist blocking works again
+* (bug 22555) Remove or skip strip markers from tag hooks like <nowiki>
in
+ core parser functions which operate on strings, such as padleft.
+* (bug 18295) Don't expose strip markers when a tag appears inside a link
+ inside a heading.
=== Configuration changes in 1.19 ===
* Removed SkinTemplateSetupPageCss hook; use BeforePageDisplay instead.
Modified: branches/REL1_19/phase3/includes/parser/CoreParserFunctions.php
===================================================================
--- branches/REL1_19/phase3/includes/parser/CoreParserFunctions.php
2012-03-21 05:03:43 UTC (rev 114345)
+++ branches/REL1_19/phase3/includes/parser/CoreParserFunctions.php
2012-03-21 05:14:04 UTC (rev 114346)
@@ -164,17 +164,21 @@
// Encode as though it's a wiki page, '_' for ' '.
case 'url_wiki':
- return wfUrlencode( str_replace( ' ', '_', $s )
);
+ $func = 'wfUrlencode';
+ $s = str_replace( ' ', '_', $s );
+ break;
// Encode for an HTTP Path, '%20' for ' '.
case 'url_path':
- return rawurlencode( $s );
+ $func = 'rawurlencode';
+ break;
// Encode for HTTP query, '+' for ' '.
case 'url_query':
default:
- return urlencode( $s );
+ $func = 'urlencode';
}
+ return $parser->markerSkipCallback( $s, $func );
}
static function lcfirst( $parser, $s = '' ) {
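Review bot: Routing the encoder through `markerSkipCallback` at `return $parser->markerSkipCallback( $s, $func );` presumably encodes only the text between strip markers, so whatever a marker later expands to (for example non-empty `<nowiki>` content) reaches the output without being URL-encoded. If callers rely on `{{urlencode:}}` output being fully percent-encoded, dropping the markers first would keep that guarantee: `return call_user_func( $func, $parser->killMarkers( $s ) );`. `markerSkipCallback` is defined outside this diff, so the per-segment behaviour is inferred from how `lc`/`uc` use it. The function's signature and the switch header are also outside the hunk.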
@@ -194,11 +198,7 @@
*/
static function lc( $parser, $s = '' ) {
global $wgContLang;
- if ( is_callable( array( $parser, 'markerSkipCallback' ) ) ) {
- return $parser->markerSkipCallback( $s, array(
$wgContLang, 'lc' ) );
- } else {
- return $wgContLang->lc( $s );
- }
+ return $parser->markerSkipCallback( $s, array( $wgContLang,
'lc' ) );
}
/**
@@ -208,11 +208,7 @@
*/
static function uc( $parser, $s = '' ) {
global $wgContLang;
- if ( is_callable( array( $parser, 'markerSkipCallback' ) ) ) {
- return $parser->markerSkipCallback( $s, array(
$wgContLang, 'uc' ) );
- } else {
- return $wgContLang->uc( $s );
- }
+ return $parser->markerSkipCallback( $s, array( $wgContLang,
'uc' ) );
}
static function localurl( $parser, $s = '', $arg = null ) { return
self::urlFunction( 'getLocalURL', $s, $arg ); }
@@ -252,12 +248,13 @@
* @param null $raw
* @return
*/
- static function formatNum( $parser, $num = '', $raw = null) {
- if ( self::israw( $raw ) ) {
- return
$parser->getFunctionLang()->parseFormattedNumber( $num );
+ static function formatnum( $parser, $num = '', $raw = null) {
+ if ( self::isRaw( $raw ) ) {
+ $func = array( $parser->getFunctionLang(),
'parseFormattedNumber' );
} else {
- return $parser->getFunctionLang()->formatNum( $num );
+ $func = array( $parser->getFunctionLang(), 'formatNum'
);
}
+ return $parser->markerSkipCallback( $num, $func );
}
/**
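Review bot: With `markerSkipCallback( $num, $func )` the number is presumably formatted one marker-delimited segment at a time, so digit grouping and separators would be computed per fragment rather than for the whole value. The added test input `1<nowiki/>2` is too short to show grouping. A marker has no meaning inside a number, so `$num = $parser->killMarkers( $num );` followed by a direct call to the chosen formatter would treat the value as a whole. The docblock above still has an empty `@return`; `@return string` would match the neighbouring functions.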
@@ -267,6 +264,7 @@
* @return
*/
static function grammar( $parser, $case = '', $word = '' ) {
+ $word = $parser->killMarkers( $word );
return $parser->getFunctionLang()->convertGrammar( $word, $case
);
}
@@ -635,7 +633,8 @@
/**
* Unicode-safe str_pad with the restriction that $length is forced to
be <= 500
*/
- static function pad( $string, $length, $padding = '0', $direction =
STR_PAD_RIGHT ) {
+ static function pad( $parser, $string, $length, $padding = '0',
$direction = STR_PAD_RIGHT ) {
+ $padding = $parser->killMarkers( $padding );
$lengthOfPadding = mb_strlen( $padding );
if ( $lengthOfPadding == 0 ) return $string;
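Review bot: Inserting `$parser` as the first parameter of the static `pad()` shifts the positional meaning of every argument for any caller outside this file, and this lands on a release branch; only `padleft` and `padright` are updated in this commit. Also, only `$padding` is cleaned here: a strip marker in `$string` would presumably still be counted by the length arithmetic further down, which lies outside the hunk. The docblock should gain `@param $parser Parser` and a sentence saying that `$string` may still carry markers.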
@@ -659,11 +658,11 @@
}
static function padleft( $parser, $string = '', $length = 0, $padding =
'0' ) {
- return self::pad( $string, $length, $padding, STR_PAD_LEFT );
+ return self::pad( $parser, $string, $length, $padding,
STR_PAD_LEFT );
}
static function padright( $parser, $string = '', $length = 0, $padding
= '0' ) {
- return self::pad( $string, $length, $padding );
+ return self::pad( $parser, $string, $length, $padding );
}
/**
@@ -672,6 +671,7 @@
* @return string
*/
static function anchorencode( $parser, $text ) {
+ $text = $parser->killMarkers( $text );
return substr( $parser->guessSectionNameFromWikiText( $text ),
1);
}
Modified: branches/REL1_19/phase3/includes/parser/Parser.php
===================================================================
--- branches/REL1_19/phase3/includes/parser/Parser.php 2012-03-21 05:03:43 UTC
(rev 114345)
+++ branches/REL1_19/phase3/includes/parser/Parser.php 2012-03-21 05:14:04 UTC
(rev 114346)
@@ -4065,15 +4065,17 @@
}
# The safe header is a version of the header text safe
to use for links
- # Avoid insertion of weird stuff like <math> by
expanding the relevant sections
- $safeHeadline = $this->mStripState->unstripBoth(
$headline );
# Remove link placeholders by the link text.
# <!--LINK number-->
# turns into
# link text with suffix
- $safeHeadline = $this->replaceLinkHoldersText(
$safeHeadline );
+ # Do this before unstrip since link text can contain
strip markers
+ $safeHeadline = $this->replaceLinkHoldersText(
$headline );
+ # Avoid insertion of weird stuff like <math> by
expanding the relevant sections
+ $safeHeadline = $this->mStripState->unstripBoth(
$safeHeadline );
+
# Strip out HTML (first regex removes any tag not
allowed)
# Allowed tags are <sup> and <sub> (bug 8393), <i> (bug
26375) and <b> (r105284)
# We strip any parameter from accepted tags (second
regex)
@@ -5638,6 +5640,16 @@
}
/**
+ * Remove any strip markers found in the given text.
+ *
+ * @param $text Input string
+ * @return string
+ */
+ function killMarkers( $text ) {
+ return $this->mStripState->killMarkers( $text );
+ }
+
+ /**
* Save the parser state required to convert the given half-parsed text
to
* HTML. "Half-parsed" in this context means the output of
* recursiveTagParse() or internalParse(). This output has strip markers
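Review bot: The docblock for `killMarkers()` should state that deleting a marker also drops the content it stands for from the returned text, so anything inside `<nowiki>` or another tag hook silently disappears rather than being restored. Suggested first line: `Remove any strip markers found in the given text; the stripped content they represent is not restored.` The same wording applies to `StripState::killMarkers()` later in this commit. `@param $text Input string` would read better as `@param $text string Input text`, and the method should declare `public` explicitly.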
Modified: branches/REL1_19/phase3/includes/parser/StripState.php
===================================================================
--- branches/REL1_19/phase3/includes/parser/StripState.php 2012-03-21
05:03:43 UTC (rev 114345)
+++ branches/REL1_19/phase3/includes/parser/StripState.php 2012-03-21
05:14:04 UTC (rev 114346)
@@ -181,5 +181,15 @@
$key = $m[1];
return "{$this->prefix}{$this->tempMergePrefix}-$key" .
Parser::MARKER_SUFFIX;
}
+
+ /**
+ * Remove any strip markers found in the given text.
+ *
+ * @param $text Input string
+ * @return string
+ */
+ function killMarkers( $text ) {
+ return preg_replace( $this->regex, '', $text );
+ }
}
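Review bot: `preg_replace()` returns null when PCRE fails (for example on a backtrack-limit error), and `killMarkers()` passes that straight back, so `grammar`, `pad` and `anchorencode` would silently continue with null. Whether `$this->regex` can fail in practice is not visible here, since it is defined outside the hunk. An explicit check makes the failure mode deliberate: `$out = preg_replace( $this->regex, '', $text ); return $out === null ? '' : $out;`. Returning the empty string fails closed, whereas falling back to `$text` would re-expose the markers this commit is removing.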
Modified: branches/REL1_19/phase3/tests/parser/parserTests.txt
===================================================================
--- branches/REL1_19/phase3/tests/parser/parserTests.txt 2012-03-21
05:03:43 UTC (rev 114345)
+++ branches/REL1_19/phase3/tests/parser/parserTests.txt 2012-03-21
05:14:04 UTC (rev 114346)
@@ -9086,6 +9086,96 @@
!! end
+!! test
+Strip marker in urlencode
+!! input
+{{urlencode:x<nowiki/>y}}
+{{urlencode:x<nowiki/>y|wiki}}
+{{urlencode:x<nowiki/>y|path}}
+!! result
+<p>xy
+xy
+xy
+</p>
+!! end
+
+!! test
+Strip marker in lc
+!! input
+{{lc:x<nowiki/>y}}
+!! result
+<p>xy
+</p>
+!! end
+
+!! test
+Strip marker in uc
+!! input
+{{uc:x<nowiki/>y}}
+!! result
+<p>XY
+</p>
+!! end
+
+!! test
+Strip marker in formatNum
+!! input
+{{formatnum:1<nowiki/>2}}
+{{formatnum:1<nowiki/>2|R}}
+!! result
+<p>12
+12
+</p>
+!! end
+
+!! test
+Strip marker in grammar
+!! options
+language=fi
+!! input
+{{grammar:elative|foo<nowiki/>bar}}
+!! result
+<p>foobarista
+</p>
+!! end
+
+!! test
+Strip marker in padleft
+!! input
+{{padleft:|2|x<nowiki/>y}}
+!! result
+<p>xy
+</p>
+!! end
+
+!! test
+Strip marker in padright
+!! input
+{{padright:|2|x<nowiki/>y}}
+!! result
+<p>xy
+</p>
+!! end
+
+!! test
+Strip marker in anchorencode
+!! input
+{{anchorencode:x<nowiki/>y}}
+!! result
+<p>xy
+</p>
+!! end
+
+!! test
+nowiki inside link inside heading (bug 18295)
+!! input
+==[[foo|x<nowiki>y</nowiki>z]]==
+!! result
+<h2><span class="editsection">[<a
href="/index.php?title=Parser_test&action=edit&section=1" title="Edit
section: xyz">edit</a>]</span> <span class="mw-headline" id="xyz"><a
href="/index.php?title=Foo&action=edit&redlink=1" class="new"
title="Foo (page does not exist)">xyz</a></span></h2>
+
+!! end
+
+
TODO:
more images
more tables
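Review bot: Every new parser-function test uses the empty `<nowiki/>`, so the expected output is identical whether a marker is skipped, removed or expanded, and the tests cannot tell `markerSkipCallback` apart from `killMarkers`. One case per function with non-empty content, e.g. `{{urlencode:x<nowiki>a b</nowiki>y}}` or `{{padleft:|5|<nowiki>ab</nowiki>}}` (constructed examples), would pin whether the stripped content is kept, dropped or encoded. A heading test with a tag hook other than nowiki inside the link text would also exercise the reordered unstrip in Parser.php.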