author | Dan |
Sun, 21 Oct 2007 21:26:11 -0400 | |
changeset 202 | 88d7a7c2743c |
parent 163 | ad00dc1f8706 |
child 166 | d53cc29308f4 |
permissions | -rw-r--r-- |
1 | 1 |
<?php |
2 |
||
3 |
/** |
|
4 |
* Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between |
|
142
ca9118d9c0f2
Rebrand as 1.0.2 (Coblynau); internal links are now parsed by RenderMan::parse_internal_links()
Dan
parents:
73
diff
changeset
|
5 |
* Version 1.0.2 (Coblynau) |
1 | 6 |
* Copyright (C) 2006-2007 Dan Fuhry |
7 |
* |
|
8 |
* This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License |
|
9 |
* as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. |
|
10 |
* |
|
11 |
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied |
|
12 |
* warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for details. |
|
13 |
* |
|
14 |
* This script contains code originally found in MediaWiki (http://www.mediawiki.org). MediaWiki is also licensed under |
|
15 |
* the GPLv2; see the file GPL included with this package for details. |
|
16 |
* |
|
17 |
* We're using the MW parser because the Text_Wiki version simply refused to work under PHP 5.2.0. Porting this was |
|
18 |
* _not_ easy. <leaves to get cup of coffee> |
|
19 |
*/ |
|
20 |
||
21 |
global $mStripState, $wgRandomKey; |
|
22 |
$mStripState = Array(); |
|
23 |
||
24 |
$attrib = '[a-zA-Z0-9]'; |
|
25 |
$space = '[\x09\x0a\x0d\x20]'; |
|
26 |
||
27 |
define( 'MW_CHAR_REFS_REGEX', |
|
28 |
'/&([A-Za-z0-9]+); |
|
29 |
|&\#([0-9]+); |
|
30 |
|&\#x([0-9A-Za-z]+); |
|
31 |
|&\#X([0-9A-Za-z]+); |
|
32 |
|(&)/x' ); |
|
33 |
||
34 |
define( 'MW_ATTRIBS_REGEX', |
|
35 |
"/(?:^|$space)($attrib+) |
|
36 |
($space*=$space* |
|
37 |
(?: |
|
38 |
# The attribute value: quoted or alone |
|
39 |
".'"'."([^<".'"'."]*)".'"'." |
|
40 |
| '([^<']*)' |
|
41 |
| ([a-zA-Z0-9!#$%&()*,\\-.\\/:;<>?@[\\]^_`{|}~]+) |
|
42 |
| (\#[0-9a-fA-F]+) # Technically wrong, but lots of |
|
43 |
# colors are specified like this. |
|
44 |
# We'll be normalizing it. |
|
45 |
) |
|
46 |
)?(?=$space|\$)/sx" ); |
|
47 |
||
48 |
/** |
|
49 |
* emulate mediawiki parser, including stripping, etc. |
|
50 |
* |
|
51 |
* @param string $text the text to parse |
|
52 |
* @return string |
|
53 |
* @access public |
|
54 |
*/ |
|
55 |
||
56 |
function process_tables( $text ) |
|
57 |
{ |
|
58 |
// include some globals, do some parser stuff that would normally be done in the parent parser function |
|
59 |
global $mStripState; |
|
60 |
$x =& $mStripState; |
|
61 |
//$text = mwStrip( $text, $x ); |
|
62 |
||
63 |
// parse the text |
|
64 |
$text = doTableStuff($text); |
|
65 |
||
66 |
// Unstrip it |
|
67 |
// $text = unstrip( $text, $mStripState ); |
|
68 |
// $text = unstripNoWiki( $text, $mStripState ); |
|
69 |
//die('<pre>'.print_r($mStripState, true).'</pre>'); |
|
70 |
return $text; |
|
71 |
} |
|
72 |
||
73 |
/** |
|
74 |
* parse the wiki syntax used to render tables |
|
75 |
* |
|
76 |
* @param string $t the text to parse |
|
77 |
* @return string |
|
78 |
* @access private |
|
79 |
*/ |
|
80 |
function doTableStuff( $t ) { |
|
81 |
||
82 |
$t = explode ( "\n" , $t ) ; |
|
83 |
$td = array () ; # Is currently a td tag open? |
|
84 |
$ltd = array () ; # Was it TD or TH? |
|
85 |
$tr = array () ; # Is currently a tr tag open? |
|
86 |
$ltr = array () ; # tr attributes |
|
87 |
$has_opened_tr = array(); # Did this table open a <tr> element? |
|
88 |
$indent_level = 0; # indent level of the table |
|
89 |
foreach ( $t AS $k => $x ) |
|
90 |
{ |
|
91 |
$x = trim ( $x ) ; |
|
92 |
$fc = substr ( $x , 0 , 1 ) ; |
|
93 |
if ( preg_match( '/^(:*)\{\|(.*)$/', $x, $matches ) ) { |
|
94 |
$indent_level = strlen( $matches[1] ); |
|
95 |
||
96 |
$attributes = unstripForHTML( $matches[2] ); |
|
97 |
||
98 |
$t[$k] = str_repeat( '<dl><dd>', $indent_level ) . |
|
99 |
'<nowiki><table' . fixTagAttributes( $attributes, 'table' ) . '></nowiki>' ; |
|
100 |
array_push ( $td , false ) ; |
|
101 |
array_push ( $ltd , '' ) ; |
|
102 |
array_push ( $tr , false ) ; |
|
103 |
array_push ( $ltr , '' ) ; |
|
104 |
array_push ( $has_opened_tr, false ); |
|
105 |
} |
|
106 |
else if ( count ( $td ) == 0 ) { } # Don't do any of the following |
|
107 |
else if ( '|}' == substr ( $x , 0 , 2 ) ) { |
|
108 |
$z = "<nowiki></table></nowiki>" . substr ( $x , 2); |
|
109 |
$l = array_pop ( $ltd ) ; |
|
110 |
if ( !array_pop ( $has_opened_tr ) ) $z = "<nowiki><tr><td></td></tr></nowiki>" . $z ; |
|
111 |
if ( array_pop ( $tr ) ) $z = '<nowiki></tr></nowiki>' . $z ; |
|
112 |
if ( array_pop ( $td ) ) $z = '<nowiki></'.$l.'></nowiki>' . $z ; |
|
113 |
array_pop ( $ltr ) ; |
|
114 |
$t[$k] = $z . str_repeat( '<nowiki></dd></dl></nowiki>', $indent_level ); |
|
115 |
} |
|
116 |
else if ( '|-' == substr ( $x , 0 , 2 ) ) { # Allows for |--------------- |
|
117 |
$x = substr ( $x , 1 ) ; |
|
118 |
while ( $x != '' && substr ( $x , 0 , 1 ) == '-' ) $x = substr ( $x , 1 ) ; |
|
119 |
$z = '' ; |
|
120 |
$l = array_pop ( $ltd ) ; |
|
121 |
array_pop ( $has_opened_tr ); |
|
122 |
array_push ( $has_opened_tr , true ) ; |
|
123 |
if ( array_pop ( $tr ) ) $z = '<nowiki></tr></nowiki>' . $z ; |
|
124 |
if ( array_pop ( $td ) ) $z = '<nowiki></'.$l.'></nowiki>' . $z ; |
|
125 |
array_pop ( $ltr ) ; |
|
126 |
$t[$k] = $z ; |
|
127 |
array_push ( $tr , false ) ; |
|
128 |
array_push ( $td , false ) ; |
|
129 |
array_push ( $ltd , '' ) ; |
|
130 |
$attributes = unstripForHTML( $x ); |
|
131 |
array_push ( $ltr , fixTagAttributes( $attributes, 'tr' ) ) ; |
|
132 |
} |
|
133 |
else if ( '|' == $fc || '!' == $fc || '|+' == substr ( $x , 0 , 2 ) ) { # Caption |
|
134 |
# $x is a table row |
|
135 |
if ( '|+' == substr ( $x , 0 , 2 ) ) { |
|
136 |
$fc = '+' ; |
|
137 |
$x = substr ( $x , 1 ) ; |
|
138 |
} |
|
139 |
$after = substr ( $x , 1 ) ; |
|
140 |
if ( $fc == '!' ) $after = str_replace ( '!!' , '||' , $after ) ; |
|
141 |
||
142 |
// Split up multiple cells on the same line. |
|
143 |
// FIXME: This can result in improper nesting of tags processed |
|
144 |
// by earlier parser steps, but should avoid splitting up eg |
|
145 |
// attribute values containing literal "||". |
|
146 |
$after = wfExplodeMarkup( '||', $after ); |
|
147 |
||
148 |
$t[$k] = '' ; |
|
149 |
||
150 |
# Loop through each table cell |
|
151 |
foreach ( $after AS $theline ) |
|
152 |
{ |
|
153 |
$z = '' ; |
|
154 |
if ( $fc != '+' ) |
|
155 |
{ |
|
156 |
$tra = array_pop ( $ltr ) ; |
|
157 |
if ( !array_pop ( $tr ) ) $z = '<nowiki><tr'.$tra."></nowiki>\n" ; |
|
158 |
array_push ( $tr , true ) ; |
|
159 |
array_push ( $ltr , '' ) ; |
|
160 |
array_pop ( $has_opened_tr ); |
|
161 |
array_push ( $has_opened_tr , true ) ; |
|
162 |
} |
|
163 |
||
164 |
$l = array_pop ( $ltd ) ; |
|
165 |
if ( array_pop ( $td ) ) $z = '<nowiki></'.$l.'></nowiki>' . $z ; |
|
166 |
if ( $fc == '|' ) $l = 'td' ; |
|
167 |
else if ( $fc == '!' ) $l = 'th' ; |
|
168 |
else if ( $fc == '+' ) $l = 'caption' ; |
|
169 |
else $l = '' ; |
|
170 |
array_push ( $ltd , $l ) ; |
|
171 |
||
172 |
# Cell parameters |
|
173 |
$y = explode ( '|' , $theline , 2 ) ; |
|
174 |
# Note that a '|' inside an invalid link should not |
|
175 |
# be mistaken as delimiting cell parameters |
|
176 |
if ( strpos( $y[0], '[[' ) !== false ) { |
|
177 |
$y = array ($theline); |
|
178 |
} |
|
179 |
if ( count ( $y ) == 1 ) |
|
180 |
$y = "{$z}<nowiki><{$l}></nowiki>{$y[0]}" ; |
|
181 |
else { |
|
182 |
$attributes = unstripForHTML( $y[0] ); |
|
183 |
$y = "{$z}<nowiki><{$l}".fixTagAttributes($attributes, $l)."></nowiki>{$y[1]}" ; |
|
184 |
} |
|
185 |
$t[$k] .= $y ; |
|
186 |
array_push ( $td , true ) ; |
|
187 |
} |
|
188 |
} |
|
189 |
} |
|
190 |
||
191 |
# Closing open td, tr && table |
|
192 |
while ( count ( $td ) > 0 ) |
|
193 |
{ |
|
194 |
$l = array_pop ( $ltd ) ; |
|
195 |
if ( array_pop ( $td ) ) $t[] = '<nowiki></td></nowiki>' ; |
|
196 |
if ( array_pop ( $tr ) ) $t[] = '<nowiki></tr></nowiki>' ; |
|
197 |
if ( !array_pop ( $has_opened_tr ) ) $t[] = "<nowiki><tr><td></td></tr></nowiki>" ; |
|
198 |
$t[] = '<nowiki></table></nowiki>' ; |
|
199 |
} |
|
200 |
||
201 |
$t = implode ( "\n" , $t ) ; |
|
202 |
||
203 |
# special case: don't return empty table |
|
204 |
if($t == "<nowiki><table></nowiki>\n<nowiki><tr><td></td></tr></nowiki>\n<nowiki></table></nowiki>") |
|
205 |
$t = ''; |
|
206 |
return $t ; |
|
207 |
} |
|
208 |
||
209 |
/** |
|
210 |
* Take a tag soup fragment listing an HTML element's attributes |
|
211 |
* and normalize it to well-formed XML, discarding unwanted attributes. |
|
212 |
* Output is safe for further wikitext processing, with escaping of |
|
213 |
* values that could trigger problems. |
|
214 |
* |
|
215 |
* - Normalizes attribute names to lowercase |
|
216 |
* - Discards attributes not on a whitelist for the given element |
|
217 |
* - Turns broken or invalid entities into plaintext |
|
218 |
* - Double-quotes all attribute values |
|
219 |
* - Attributes without values are given the name as attribute |
|
220 |
* - Double attributes are discarded |
|
221 |
* - Unsafe style attributes are discarded |
|
222 |
* - Prepends space if there are attributes. |
|
223 |
* |
|
224 |
* @param string $text |
|
225 |
* @param string $element |
|
226 |
* @return string |
|
227 |
*/ |
|
228 |
function fixTagAttributes( $text, $element ) { |
|
229 |
if( trim( $text ) == '' ) { |
|
230 |
return ''; |
|
231 |
} |
|
232 |
||
233 |
$stripped = validateTagAttributes( |
|
234 |
decodeTagAttributes( $text ), $element ); |
|
235 |
||
236 |
$attribs = array(); |
|
237 |
foreach( $stripped as $attribute => $value ) { |
|
238 |
$encAttribute = htmlspecialchars( $attribute ); |
|
239 |
$encValue = safeEncodeAttribute( $value ); |
|
240 |
||
241 |
$attribs[] = "$encAttribute=".'"'."$encValue".'"'.""; // " |
|
242 |
} |
|
243 |
return count( $attribs ) ? ' ' . implode( ' ', $attribs ) : ''; |
|
244 |
} |
|
245 |
||
246 |
/** |
|
247 |
* Encode an attribute value for HTML tags, with extra armoring |
|
248 |
* against further wiki processing. |
|
249 |
* @param $text |
|
250 |
* @return HTML-encoded text fragment |
|
251 |
*/ |
|
252 |
function safeEncodeAttribute( $text ) { |
|
253 |
$encValue= encodeAttribute( $text ); |
|
254 |
||
255 |
# Templates and links may be expanded in later parsing, |
|
256 |
# creating invalid or dangerous output. Suppress this. |
|
257 |
$encValue = strtr( $encValue, array( |
|
258 |
'<' => '<', // This should never happen, |
|
259 |
'>' => '>', // we've received invalid input |
|
260 |
'"' => '"', // which should have been escaped. |
|
261 |
'{' => '{', |
|
262 |
'[' => '[', |
|
263 |
"''" => '''', |
|
264 |
'ISBN' => 'ISBN', |
|
265 |
'RFC' => 'RFC', |
|
266 |
'PMID' => 'PMID', |
|
267 |
'|' => '|', |
|
268 |
'__' => '__', |
|
269 |
) ); |
|
270 |
||
271 |
return $encValue; |
|
272 |
} |
|
273 |
||
274 |
/** |
|
275 |
* Encode an attribute value for HTML output. |
|
276 |
* @param $text |
|
277 |
* @return HTML-encoded text fragment |
|
278 |
*/ |
|
279 |
function encodeAttribute( $text ) { |
|
280 |
$encValue = htmlspecialchars( $text ); |
|
281 |
||
282 |
// Whitespace is normalized during attribute decoding, |
|
283 |
// so if we've been passed non-spaces we must encode them |
|
284 |
// ahead of time or they won't be preserved. |
|
285 |
$encValue = strtr( $encValue, array( |
|
286 |
"\n" => ' ', |
|
287 |
"\r" => ' ', |
|
288 |
"\t" => '	', |
|
289 |
) ); |
|
290 |
||
291 |
return $encValue; |
|
292 |
} |
|
293 |
||
294 |
function unstripForHTML( $text ) { |
|
295 |
global $mStripState; |
|
296 |
$text = unstrip( $text, $mStripState ); |
|
297 |
$text = unstripNoWiki( $text, $mStripState ); |
|
298 |
return $text; |
|
299 |
} |
|
300 |
||
301 |
/** |
|
302 |
* Always call this after unstrip() to preserve the order |
|
303 |
* |
|
304 |
* @private |
|
305 |
*/ |
|
306 |
function unstripNoWiki( $text, &$state ) { |
|
307 |
if ( !isset( $state['nowiki'] ) ) { |
|
308 |
return $text; |
|
309 |
} |
|
310 |
||
311 |
# TODO: good candidate for FSS |
|
312 |
$text = strtr( $text, $state['nowiki'] ); |
|
313 |
||
314 |
return $text; |
|
315 |
} |
|
316 |
||
317 |
/** |
|
318 |
* Take an array of attribute names and values and normalize or discard |
|
319 |
* illegal values for the given element type. |
|
320 |
* |
|
321 |
* - Discards attributes not on a whitelist for the given element |
|
322 |
* - Unsafe style attributes are discarded |
|
323 |
* |
|
324 |
* @param array $attribs |
|
325 |
* @param string $element |
|
326 |
* @return array |
|
327 |
* |
|
328 |
* @todo Check for legal values where the DTD limits things. |
|
329 |
* @todo Check for unique id attribute :P |
|
330 |
*/ |
|
331 |
function validateTagAttributes( $attribs, $element ) { |
|
332 |
$whitelist = array_flip( attributeWhitelist( $element ) ); |
|
333 |
$out = array(); |
|
334 |
foreach( $attribs as $attribute => $value ) { |
|
335 |
if( !isset( $whitelist[$attribute] ) ) { |
|
336 |
continue; |
|
337 |
} |
|
338 |
# Strip javascript "expression" from stylesheets. |
|
339 |
# http://msdn.microsoft.com/workshop/author/dhtml/overview/recalc.asp |
|
340 |
if( $attribute == 'style' ) { |
|
341 |
$value = checkCss( $value ); |
|
342 |
if( $value === false ) { |
|
343 |
# haxx0r |
|
344 |
continue; |
|
345 |
} |
|
346 |
} |
|
347 |
||
348 |
if ( $attribute === 'id' ) |
|
349 |
$value = escapeId( $value ); |
|
350 |
||
351 |
// If this attribute was previously set, override it. |
|
352 |
// Output should only have one attribute of each name. |
|
353 |
$out[$attribute] = $value; |
|
354 |
} |
|
355 |
return $out; |
|
356 |
} |
|
357 |
||
358 |
/** |
|
359 |
* Pick apart some CSS and check it for forbidden or unsafe structures. |
|
360 |
* Returns a sanitized string, or false if it was just too evil. |
|
361 |
* |
|
362 |
* Currently URL references, 'expression', 'tps' are forbidden. |
|
363 |
* |
|
364 |
* @param string $value |
|
365 |
* @return mixed |
|
366 |
*/ |
|
367 |
function checkCss( $value ) { |
|
368 |
$stripped = decodeCharReferences( $value ); |
|
369 |
||
370 |
// Remove any comments; IE gets token splitting wrong |
|
371 |
$stripped = preg_replace( '!/\\*.*?\\*/!S', '', $stripped ); |
|
372 |
$value = $stripped; |
|
373 |
||
374 |
// ... and continue checks |
|
375 |
$stripped = preg_replace( '!\\\\([0-9A-Fa-f]{1,6})[ \\n\\r\\t\\f]?!e', |
|
376 |
'codepointToUtf8(hexdec("$1"))', $stripped ); |
|
377 |
$stripped = str_replace( '\\', '', $stripped ); |
|
378 |
if( preg_match( '/(expression|tps*:\/\/|url\\s*\().*/is', |
|
379 |
$stripped ) ) { |
|
380 |
# haxx0r |
|
381 |
return false; |
|
382 |
} |
|
383 |
||
384 |
return $value; |
|
385 |
} |
|
386 |
||
387 |
/** |
|
388 |
* Decode any character references, numeric or named entities, |
|
389 |
* in the text and return a UTF-8 string. |
|
390 |
* |
|
391 |
* @param string $text |
|
392 |
* @return string |
|
393 |
* @access public |
|
394 |
* @static |
|
395 |
*/ |
|
396 |
function decodeCharReferences( $text ) { |
|
397 |
return preg_replace_callback( |
|
398 |
MW_CHAR_REFS_REGEX, |
|
399 |
'decodeCharReferencesCallback', |
|
400 |
$text ); |
|
401 |
} |
|
402 |
||
403 |
/** |
|
404 |
* Fetch the whitelist of acceptable attributes for a given |
|
405 |
* element name. |
|
406 |
* |
|
407 |
* @param string $element |
|
408 |
* @return array |
|
409 |
*/ |
|
410 |
function attributeWhitelist( $element ) { |
|
411 |
static $list; |
|
412 |
if( !isset( $list ) ) { |
|
413 |
$list = setupAttributeWhitelist(); |
|
414 |
} |
|
415 |
return isset( $list[$element] ) |
|
416 |
? $list[$element] |
|
417 |
: array(); |
|
418 |
} |
|
419 |
||
420 |
/** |
|
421 |
* @todo Document it a bit |
|
422 |
* @return array |
|
423 |
*/ |
|
424 |
function setupAttributeWhitelist() { |
|
163 | 425 |
global $db, $session, $paths, $template, $plugins; |
1 | 426 |
$common = array( 'id', 'class', 'lang', 'dir', 'title', 'style' ); |
427 |
$block = array_merge( $common, array( 'align' ) ); |
|
428 |
$tablealign = array( 'align', 'char', 'charoff', 'valign' ); |
|
429 |
$tablecell = array( 'abbr', |
|
430 |
'axis', |
|
431 |
'headers', |
|
432 |
'scope', |
|
433 |
'rowspan', |
|
434 |
'colspan', |
|
435 |
'nowrap', # deprecated |
|
436 |
'width', # deprecated |
|
437 |
'height', # deprecated |
|
438 |
'bgcolor' # deprecated |
|
439 |
); |
|
440 |
||
441 |
# Numbers refer to sections in HTML 4.01 standard describing the element. |
|
442 |
# See: http://www.w3.org/TR/html4/ |
|
443 |
$whitelist = array ( |
|
444 |
# 7.5.4 |
|
445 |
'div' => $block, |
|
446 |
'center' => $common, # deprecated |
|
447 |
'span' => $block, # ?? |
|
448 |
||
449 |
# 7.5.5 |
|
450 |
'h1' => $block, |
|
451 |
'h2' => $block, |
|
452 |
'h3' => $block, |
|
453 |
'h4' => $block, |
|
454 |
'h5' => $block, |
|
455 |
'h6' => $block, |
|
456 |
||
457 |
# 7.5.6 |
|
458 |
# address |
|
459 |
||
460 |
# 8.2.4 |
|
461 |
# bdo |
|
462 |
||
463 |
# 9.2.1 |
|
464 |
'em' => $common, |
|
465 |
'strong' => $common, |
|
466 |
'cite' => $common, |
|
467 |
# dfn |
|
468 |
'code' => $common, |
|
469 |
# samp |
|
470 |
# kbd |
|
471 |
'var' => $common, |
|
472 |
# abbr |
|
473 |
# acronym |
|
474 |
||
475 |
# 9.2.2 |
|
476 |
'blockquote' => array_merge( $common, array( 'cite' ) ), |
|
477 |
# q |
|
478 |
||
479 |
# 9.2.3 |
|
480 |
'sub' => $common, |
|
481 |
'sup' => $common, |
|
482 |
||
483 |
# 9.3.1 |
|
484 |
'p' => $block, |
|
485 |
||
486 |
# 9.3.2 |
|
487 |
'br' => array( 'id', 'class', 'title', 'style', 'clear' ), |
|
488 |
||
489 |
# 9.3.4 |
|
490 |
'pre' => array_merge( $common, array( 'width' ) ), |
|
491 |
||
492 |
# 9.4 |
|
493 |
'ins' => array_merge( $common, array( 'cite', 'datetime' ) ), |
|
494 |
'del' => array_merge( $common, array( 'cite', 'datetime' ) ), |
|
495 |
||
496 |
# 10.2 |
|
497 |
'ul' => array_merge( $common, array( 'type' ) ), |
|
498 |
'ol' => array_merge( $common, array( 'type', 'start' ) ), |
|
499 |
'li' => array_merge( $common, array( 'type', 'value' ) ), |
|
500 |
||
501 |
# 10.3 |
|
502 |
'dl' => $common, |
|
503 |
'dd' => $common, |
|
504 |
'dt' => $common, |
|
505 |
||
506 |
# 11.2.1 |
|
507 |
'table' => array_merge( $common, |
|
508 |
array( 'summary', 'width', 'border', 'frame', |
|
509 |
'rules', 'cellspacing', 'cellpadding', |
|
510 |
'align', 'bgcolor', |
|
511 |
) ), |
|
512 |
||
513 |
# 11.2.2 |
|
514 |
'caption' => array_merge( $common, array( 'align' ) ), |
|
515 |
||
516 |
# 11.2.3 |
|
517 |
'thead' => array_merge( $common, $tablealign ), |
|
518 |
'tfoot' => array_merge( $common, $tablealign ), |
|
519 |
'tbody' => array_merge( $common, $tablealign ), |
|
520 |
||
521 |
# 11.2.4 |
|
522 |
'colgroup' => array_merge( $common, array( 'span', 'width' ), $tablealign ), |
|
523 |
'col' => array_merge( $common, array( 'span', 'width' ), $tablealign ), |
|
524 |
||
525 |
# 11.2.5 |
|
526 |
'tr' => array_merge( $common, array( 'bgcolor' ), $tablealign ), |
|
527 |
||
528 |
# 11.2.6 |
|
529 |
'td' => array_merge( $common, $tablecell, $tablealign ), |
|
530 |
'th' => array_merge( $common, $tablecell, $tablealign ), |
|
531 |
||
532 |
# 12.2 |
|
533 |
# added by dan |
|
534 |
'a' => array_merge( $common, array( 'href', 'name' ) ), |
|
535 |
||
536 |
# 13.2 |
|
537 |
# added by dan |
|
538 |
'img' => array_merge( $common, array( 'src', 'width', 'height', 'alt' ) ), |
|
539 |
||
540 |
# 15.2.1 |
|
541 |
'tt' => $common, |
|
542 |
'b' => $common, |
|
543 |
'i' => $common, |
|
544 |
'big' => $common, |
|
545 |
'small' => $common, |
|
546 |
'strike' => $common, |
|
547 |
's' => $common, |
|
548 |
'u' => $common, |
|
549 |
||
550 |
# 15.2.2 |
|
551 |
'font' => array_merge( $common, array( 'size', 'color', 'face' ) ), |
|
552 |
# basefont |
|
553 |
||
554 |
# 15.3 |
|
555 |
'hr' => array_merge( $common, array( 'noshade', 'size', 'width' ) ), |
|
556 |
||
557 |
# XHTML Ruby annotation text module, simple ruby only. |
|
558 |
# http://www.w3c.org/TR/ruby/ |
|
559 |
'ruby' => $common, |
|
560 |
# rbc |
|
561 |
# rtc |
|
562 |
'rb' => $common, |
|
563 |
'rt' => $common, #array_merge( $common, array( 'rbspan' ) ), |
|
564 |
'rp' => $common, |
|
565 |
||
566 |
# For compatibility with the XHTML parser. |
|
567 |
'nowiki' => array(), |
|
568 |
'noinclude' => array(), |
|
569 |
'nodisplay' => array(), |
|
570 |
||
571 |
# XHTML stuff |
|
572 |
'acronym' => $common |
|
573 |
); |
|
163 | 574 |
|
575 |
// custom tags can be added by plugins |
|
576 |
$code = $plugins->setHook('html_attribute_whitelist'); |
|
577 |
foreach ( $code as $cmd ) |
|
578 |
{ |
|
579 |
eval($cmd); |
|
580 |
} |
|
581 |
||
1 | 582 |
return $whitelist; |
583 |
} |
|
584 |
||
585 |
/** |
|
586 |
* Given a value escape it so that it can be used in an id attribute and |
|
587 |
* return it, this does not validate the value however (see first link) |
|
588 |
* |
|
589 |
* @link http://www.w3.org/TR/html401/types.html#type-name Valid characters |
|
590 |
* in the id and |
|
591 |
* name attributes |
|
592 |
* @link http://www.w3.org/TR/html401/struct/links.html#h-12.2.3 Anchors with the id attribute |
|
593 |
* |
|
594 |
* @bug 4461 |
|
595 |
* |
|
596 |
* @static |
|
597 |
* |
|
598 |
* @param string $id |
|
599 |
* @return string |
|
600 |
*/ |
|
601 |
function escapeId( $id ) { |
|
602 |
static $replace = array( |
|
603 |
'%3A' => ':', |
|
604 |
'%' => '.' |
|
605 |
); |
|
606 |
||
607 |
$id = urlencode( decodeCharReferences( strtr( $id, ' ', '_' ) ) ); |
|
608 |
||
609 |
return str_replace( array_keys( $replace ), array_values( $replace ), $id ); |
|
610 |
} |
|
611 |
||
612 |
/** |
|
613 |
* More or less "markup-safe" explode() |
|
614 |
* Ignores any instances of the separator inside <...> |
|
615 |
* @param string $separator |
|
616 |
* @param string $text |
|
617 |
* @return array |
|
618 |
*/ |
|
619 |
function wfExplodeMarkup( $separator, $text ) { |
|
620 |
$placeholder = "\x00"; |
|
621 |
||
622 |
// Just in case... |
|
623 |
$text = str_replace( $placeholder, '', $text ); |
|
624 |
||
625 |
// Trim stuff |
|
626 |
$replacer = new ReplacerCallback( $separator, $placeholder ); |
|
627 |
$cleaned = preg_replace_callback( '/(<.*?>)/', array( $replacer, 'go' ), $text ); |
|
628 |
||
629 |
$items = explode( $separator, $cleaned ); |
|
630 |
foreach( $items as $i => $str ) { |
|
631 |
$items[$i] = str_replace( $placeholder, $separator, $str ); |
|
632 |
} |
|
633 |
||
634 |
return $items; |
|
635 |
} |
|
636 |
||
637 |
class ReplacerCallback { |
|
638 |
function ReplacerCallback( $from, $to ) { |
|
639 |
$this->from = $from; |
|
640 |
$this->to = $to; |
|
641 |
} |
|
642 |
||
643 |
function go( $matches ) { |
|
644 |
return str_replace( $this->from, $this->to, $matches[1] ); |
|
645 |
} |
|
646 |
} |
|
647 |
||
648 |
/** |
|
649 |
* Return an associative array of attribute names and values from |
|
650 |
* a partial tag string. Attribute names are forces to lowercase, |
|
651 |
* character references are decoded to UTF-8 text. |
|
652 |
* |
|
653 |
* @param string |
|
654 |
* @return array |
|
655 |
*/ |
|
656 |
function decodeTagAttributes( $text ) { |
|
657 |
$attribs = array(); |
|
658 |
||
659 |
if( trim( $text ) == '' ) { |
|
660 |
return $attribs; |
|
661 |
} |
|
662 |
||
663 |
$pairs = array(); |
|
664 |
if( !preg_match_all( |
|
665 |
MW_ATTRIBS_REGEX, |
|
666 |
$text, |
|
667 |
$pairs, |
|
668 |
PREG_SET_ORDER ) ) { |
|
669 |
return $attribs; |
|
670 |
} |
|
671 |
||
672 |
foreach( $pairs as $set ) { |
|
673 |
$attribute = strtolower( $set[1] ); |
|
674 |
$value = getTagAttributeCallback( $set ); |
|
675 |
||
676 |
// Normalize whitespace |
|
677 |
$value = preg_replace( '/[\t\r\n ]+/', ' ', $value ); |
|
678 |
$value = trim( $value ); |
|
679 |
||
680 |
// Decode character references |
|
681 |
$attribs[$attribute] = decodeCharReferences( $value ); |
|
682 |
} |
|
683 |
return $attribs; |
|
684 |
} |
|
685 |
||
686 |
/** |
|
687 |
* Pick the appropriate attribute value from a match set from the |
|
688 |
* MW_ATTRIBS_REGEX matches. |
|
689 |
* |
|
690 |
* @param array $set |
|
691 |
* @return string |
|
692 |
* @access private |
|
693 |
*/ |
|
694 |
function getTagAttributeCallback( $set ) { |
|
695 |
if( isset( $set[6] ) ) { |
|
696 |
# Illegal #XXXXXX color with no quotes. |
|
697 |
return $set[6]; |
|
698 |
} elseif( isset( $set[5] ) ) { |
|
699 |
# No quotes. |
|
700 |
return $set[5]; |
|
701 |
} elseif( isset( $set[4] ) ) { |
|
702 |
# Single-quoted |
|
703 |
return $set[4]; |
|
704 |
} elseif( isset( $set[3] ) ) { |
|
705 |
# Double-quoted |
|
706 |
return $set[3]; |
|
707 |
} elseif( !isset( $set[2] ) ) { |
|
708 |
# In XHTML, attributes must have a value. |
|
709 |
# For 'reduced' form, return explicitly the attribute name here. |
|
710 |
return $set[1]; |
|
711 |
} else { |
|
712 |
die_friendly('Parser error', "<p>Tag conditions not met. This should never happen and is a bug.</p>" ); |
|
713 |
} |
|
714 |
} |
|
715 |
||
716 |
/** |
|
717 |
* Strips and renders nowiki, pre, math, hiero |
|
718 |
* If $render is set, performs necessary rendering operations on plugins |
|
719 |
* Returns the text, and fills an array with data needed in unstrip() |
|
720 |
* If the $state is already a valid strip state, it adds to the state |
|
721 |
* |
|
722 |
* @param bool $stripcomments when set, HTML comments <!-- like this --> |
|
723 |
* will be stripped in addition to other tags. This is important |
|
724 |
* for section editing, where these comments cause confusion when |
|
725 |
* counting the sections in the wikisource |
|
726 |
* |
|
727 |
* @param array dontstrip contains tags which should not be stripped; |
|
728 |
* used to prevent stipping of <gallery> when saving (fixes bug 2700) |
|
729 |
* |
|
730 |
* @access private |
|
731 |
*/ |
|
732 |
function mwStrip( $text, &$state, $stripcomments = false , $dontstrip = array () ) { |
|
733 |
global $wgRandomKey; |
|
734 |
$render = true; |
|
735 |
||
736 |
$wgRandomKey = "\x07UNIQ" . dechex(mt_rand(0, 0x7fffffff)) . dechex(mt_rand(0, 0x7fffffff)); |
|
737 |
$uniq_prefix =& $wgRandomKey; |
|
738 |
$commentState = array(); |
|
739 |
||
740 |
$elements = array( 'nowiki', 'gallery' ); |
|
741 |
||
742 |
# Removing $dontstrip tags from $elements list (currently only 'gallery', fixing bug 2700) |
|
743 |
foreach ( $elements AS $k => $v ) { |
|
744 |
if ( !in_array ( $v , $dontstrip ) ) continue; |
|
745 |
unset ( $elements[$k] ); |
|
746 |
} |
|
747 |
||
748 |
$matches = array(); |
|
749 |
$text = extractTagsAndParams( $elements, $text, $matches, $uniq_prefix ); |
|
750 |
||
751 |
foreach( $matches as $marker => $data ) { |
|
752 |
list( $element, $content, $params, $tag ) = $data; |
|
753 |
if( $render ) { |
|
754 |
$tagName = strtolower( $element ); |
|
755 |
switch( $tagName ) { |
|
756 |
case '!--': |
|
757 |
// Comment |
|
758 |
if( substr( $tag, -3 ) == '-->' ) { |
|
759 |
$output = $tag; |
|
760 |
} else { |
|
761 |
// Unclosed comment in input. |
|
762 |
// Close it so later stripping can remove it |
|
763 |
$output = "$tag-->"; |
|
764 |
} |
|
765 |
break; |
|
766 |
case 'html': |
|
767 |
if( $wgRawHtml ) { |
|
768 |
$output = $content; |
|
769 |
break; |
|
770 |
} |
|
771 |
// Shouldn't happen otherwise. :) |
|
772 |
case 'nowiki': |
|
773 |
$output = wfEscapeHTMLTagsOnly( $content ); |
|
774 |
break; |
|
775 |
default: |
|
776 |
} |
|
777 |
} else { |
|
778 |
// Just stripping tags; keep the source |
|
779 |
$output = $tag; |
|
780 |
} |
|
781 |
||
782 |
// Unstrip the output, because unstrip() is no longer recursive so |
|
783 |
// it won't do it itself |
|
784 |
$output = unstrip( $output, $state ); |
|
785 |
||
786 |
if( !$stripcomments && $element == '!--' ) { |
|
787 |
$commentState[$marker] = $output; |
|
788 |
} elseif ( $element == 'html' || $element == 'nowiki' ) { |
|
789 |
$state['nowiki'][$marker] = $output; |
|
790 |
} else { |
|
791 |
$state['general'][$marker] = $output; |
|
792 |
} |
|
793 |
} |
|
794 |
||
795 |
# Unstrip comments unless explicitly told otherwise. |
|
796 |
# (The comments are always stripped prior to this point, so as to |
|
797 |
# not invoke any extension tags / parser hooks contained within |
|
798 |
# a comment.) |
|
799 |
if ( !$stripcomments ) { |
|
800 |
// Put them all back and forget them |
|
801 |
$text = strtr( $text, $commentState ); |
|
802 |
} |
|
803 |
||
804 |
return $text; |
|
805 |
} |
|
806 |
||
807 |
/** |
|
808 |
* Replaces all occurrences of HTML-style comments and the given tags |
|
809 |
* in the text with a random marker and returns teh next text. The output |
|
810 |
* parameter $matches will be an associative array filled with data in |
|
811 |
* the form: |
|
812 |
* 'UNIQ-xxxxx' => array( |
|
813 |
* 'element', |
|
814 |
* 'tag content', |
|
815 |
* array( 'param' => 'x' ), |
|
816 |
* '<element param="x">tag content</element>' ) ) |
|
817 |
* |
|
818 |
* @param $elements list of element names. Comments are always extracted. |
|
819 |
* @param $text Source text string. |
|
820 |
* @param $uniq_prefix |
|
821 |
* |
|
822 |
* @access private |
|
823 |
* @static |
|
824 |
*/ |
|
825 |
function extractTagsAndParams($elements, $text, &$matches, $uniq_prefix = ''){ |
|
826 |
static $n = 1; |
|
827 |
$stripped = ''; |
|
828 |
$matches = array(); |
|
829 |
||
830 |
$taglist = implode( '|', $elements ); |
|
831 |
$start = "/<($taglist)(\\s+[^>]*?|\\s*?)(\/?>)|<(!--)/i"; |
|
832 |
||
833 |
while ( '' != $text ) { |
|
834 |
$p = preg_split( $start, $text, 2, PREG_SPLIT_DELIM_CAPTURE ); |
|
835 |
$stripped .= $p[0]; |
|
836 |
if( count( $p ) < 5 ) { |
|
837 |
break; |
|
838 |
} |
|
839 |
if( count( $p ) > 5 ) { |
|
840 |
// comment |
|
841 |
$element = $p[4]; |
|
842 |
$attributes = ''; |
|
843 |
$close = ''; |
|
844 |
$inside = $p[5]; |
|
845 |
} else { |
|
846 |
// tag |
|
847 |
$element = $p[1]; |
|
848 |
$attributes = $p[2]; |
|
849 |
$close = $p[3]; |
|
850 |
$inside = $p[4]; |
|
851 |
} |
|
852 |
||
853 |
$marker = "$uniq_prefix-$element-" . sprintf('%08X', $n++) . '-QINU'; |
|
854 |
$stripped .= $marker; |
|
855 |
||
856 |
if ( $close === '/>' ) { |
|
857 |
// Empty element tag, <tag /> |
|
858 |
$content = null; |
|
859 |
$text = $inside; |
|
860 |
$tail = null; |
|
861 |
} else { |
|
862 |
if( $element == '!--' ) { |
|
863 |
$end = '/(-->)/'; |
|
864 |
} else { |
|
865 |
$end = "/(<\\/$element\\s*>)/i"; |
|
866 |
} |
|
867 |
$q = preg_split( $end, $inside, 2, PREG_SPLIT_DELIM_CAPTURE ); |
|
868 |
$content = $q[0]; |
|
869 |
if( count( $q ) < 3 ) { |
|
870 |
# No end tag -- let it run out to the end of the text. |
|
871 |
$tail = ''; |
|
872 |
$text = ''; |
|
873 |
} else { |
|
874 |
$tail = $q[1]; |
|
875 |
$text = $q[2]; |
|
876 |
} |
|
877 |
} |
|
878 |
||
879 |
$matches[$marker] = array( $element, |
|
880 |
$content, |
|
881 |
decodeTagAttributes( $attributes ), |
|
882 |
"<$element$attributes$close$content$tail" ); |
|
883 |
} |
|
884 |
return $stripped; |
|
885 |
} |
|
886 |
||
887 |
/** |
|
888 |
* Escape html tags |
|
889 |
* Basically replacing " > and < with HTML entities ( ", >, <) |
|
890 |
* |
|
891 |
* @param $in String: text that might contain HTML tags. |
|
892 |
* @return string Escaped string |
|
893 |
*/ |
|
894 |
function wfEscapeHTMLTagsOnly( $in ) { |
|
895 |
return str_replace( |
|
896 |
array( '"', '>', '<' ), |
|
897 |
array( '"', '>', '<' ), |
|
898 |
$in ); |
|
899 |
} |
|
900 |
||
901 |
/** |
|
902 |
* Restores pre, math, and other extensions removed by strip() |
|
903 |
* |
|
904 |
* always call unstripNoWiki() after this one |
|
905 |
* @private |
|
906 |
*/ |
|
907 |
function unstrip( $text, &$state ) { |
|
908 |
if ( !isset( $state['general'] ) ) { |
|
909 |
return $text; |
|
910 |
} |
|
911 |
||
912 |
# TODO: good candidate for FSS |
|
913 |
$text = strtr( $text, $state['general'] ); |
|
914 |
||
915 |
return $text; |
|
916 |
} |
|
917 |
||
918 |
/** |
|
919 |
* Return UTF-8 string for a codepoint if that is a valid |
|
920 |
* character reference, otherwise U+FFFD REPLACEMENT CHARACTER. |
|
921 |
* @param int $codepoint |
|
922 |
* @return string |
|
923 |
* @private |
|
924 |
*/ |
|
925 |
function decodeChar( $codepoint ) { |
|
926 |
if( validateCodepoint( $codepoint ) ) { |
|
927 |
return codepointToUtf8( $codepoint ); |
|
928 |
} else { |
|
929 |
return UTF8_REPLACEMENT; |
|
930 |
} |
|
931 |
} |
|
932 |
||
933 |
/** |
|
934 |
* If the named entity is defined in the HTML 4.0/XHTML 1.0 DTD, |
|
935 |
* return the UTF-8 encoding of that character. Otherwise, returns |
|
936 |
* pseudo-entity source (eg &foo;) |
|
937 |
* |
|
938 |
* @param string $name |
|
939 |
* @return string |
|
940 |
*/ |
|
941 |
function decodeEntity( $name ) { |
|
942 |
global $wgHtmlEntities; |
|
943 |
if( isset( $wgHtmlEntities[$name] ) ) { |
|
944 |
return codepointToUtf8( $wgHtmlEntities[$name] ); |
|
945 |
} else { |
|
946 |
return "&$name;"; |
|
947 |
} |
|
948 |
} |
|
949 |
||
950 |
/** |
|
951 |
* Returns true if a given Unicode codepoint is a valid character in XML. |
|
952 |
* @param int $codepoint |
|
953 |
* @return bool |
|
954 |
*/ |
|
955 |
function validateCodepoint( $codepoint ) { |
|
956 |
return ($codepoint == 0x09) |
|
957 |
|| ($codepoint == 0x0a) |
|
958 |
|| ($codepoint == 0x0d) |
|
959 |
|| ($codepoint >= 0x20 && $codepoint <= 0xd7ff) |
|
960 |
|| ($codepoint >= 0xe000 && $codepoint <= 0xfffd) |
|
961 |
|| ($codepoint >= 0x10000 && $codepoint <= 0x10ffff); |
|
962 |
} |
|
963 |
||
964 |
/** |
|
965 |
* Return UTF-8 sequence for a given Unicode code point. |
|
966 |
* May die if fed out of range data. |
|
967 |
* |
|
968 |
* @param $codepoint Integer: |
|
969 |
* @return String |
|
970 |
* @public |
|
971 |
*/ |
|
972 |
function codepointToUtf8( $codepoint ) { |
|
973 |
if($codepoint < 0x80) return chr($codepoint); |
|
974 |
if($codepoint < 0x800) return chr($codepoint >> 6 & 0x3f | 0xc0) . |
|
975 |
chr($codepoint & 0x3f | 0x80); |
|
976 |
if($codepoint < 0x10000) return chr($codepoint >> 12 & 0x0f | 0xe0) . |
|
977 |
chr($codepoint >> 6 & 0x3f | 0x80) . |
|
978 |
chr($codepoint & 0x3f | 0x80); |
|
979 |
if($codepoint < 0x110000) return chr($codepoint >> 18 & 0x07 | 0xf0) . |
|
980 |
chr($codepoint >> 12 & 0x3f | 0x80) . |
|
981 |
chr($codepoint >> 6 & 0x3f | 0x80) . |
|
982 |
chr($codepoint & 0x3f | 0x80); |
|
983 |
||
984 |
echo "Asked for code outside of range ($codepoint)\n"; |
|
985 |
die( -1 ); |
|
986 |
} |
|
987 |
||
988 |
/** |
|
989 |
* @param string $matches |
|
990 |
* @return string |
|
991 |
*/ |
|
992 |
function decodeCharReferencesCallback( $matches ) { |
|
993 |
if( $matches[1] != '' ) { |
|
24 | 994 |
return decodeEntity( $matches[1] ); |
1 | 995 |
} elseif( $matches[2] != '' ) { |
24 | 996 |
return decodeChar( intval( $matches[2] ) ); |
1 | 997 |
} elseif( $matches[3] != '' ) { |
24 | 998 |
return decodeChar( hexdec( $matches[3] ) ); |
1 | 999 |
} elseif( $matches[4] != '' ) { |
24 | 1000 |
return decodeChar( hexdec( $matches[4] ) ); |
1 | 1001 |
} |
1002 |
# Last case should be an ampersand by itself |
|
1003 |
return $matches[0]; |
|
1004 |
} |
|
1005 |
||
1006 |
?> |