Enano CMS (1.1.x): comparison includes/wikiengine/TagSanitizer.php

equal deleted inserted replaced

-:de56132c008d
+:bdac73ed481e
 |&\#x([0-9A-Za-z]+);
 |&\#X([0-9A-Za-z]+);
 |(&)/x' );
 define( 'MW_ATTRIBS_REGEX',
-"/(?:^|$space)($attrib+)
+	"/(?:^|$space)($attrib+)
-($space*=$space*
+		($space*=$space*
-(?:
+		(?:
-# The attribute value: quoted or alone
+		# The attribute value: quoted or alone
-\"([^<\"]*)\"
+			\"([^<\"]*)\"
-| '([^<']*)'
+		| '([^<']*)'
-|  ([a-zA-Z0-9!#$%&()*,\\-.\\/:;<>?@[\\]^_`{|}~]+)
+		|  ([a-zA-Z0-9!#$%&()*,\\-.\\/:;<>?@[\\]^_`{|}~]+)
-|  (\#[0-9a-fA-F]+) # Technically wrong, but lots of
+		|  (\#[0-9a-fA-F]+) # Technically wrong, but lots of
-# colors are specified like this.
+							# colors are specified like this.
-# We'll be normalizing it.
+							# We'll be normalizing it.
-)
+		)
-)?(?=$space|\$)/sx" );
+		)?(?=$space|\$)/sx" );
 /**
 * Take a tag soup fragment listing an HTML element's attributes
 * and normalize it to well-formed XML, discarding unwanted attributes.
 * Output is safe for further wikitext processing, with escaping of
 * @param string $text
 * @param string $element
 * @return string
 */
 function fixTagAttributes( $text, $element ) {
-if( trim( $text ) == '' ) {
+	if( trim( $text ) == '' ) {
-return '';
+		return '';
-}
+	}
-$stripped = validateTagAttributes(
+	$stripped = validateTagAttributes(
-decodeTagAttributes( $text ), $element );
+		decodeTagAttributes( $text ), $element );
-$attribs = array();
+	$attribs = array();
-foreach( $stripped as $attribute => $value ) {
+	foreach( $stripped as $attribute => $value ) {
-$encAttribute = htmlspecialchars( $attribute );
+		$encAttribute = htmlspecialchars( $attribute );
-$encValue = safeEncodeAttribute( $value );
+		$encValue = safeEncodeAttribute( $value );
-$attribs[] = "$encAttribute=".'"'."$encValue".'"'.""; // "
+		$attribs[] = "$encAttribute=".'"'."$encValue".'"'.""; // "
-}
+	}
-return count( $attribs ) ? ' ' . implode( ' ', $attribs ) : '';
+	return count( $attribs ) ? ' ' . implode( ' ', $attribs ) : '';
 }
 /**
 * Encode an attribute value for HTML tags, with extra armoring
 * against further wiki processing.
 * @param $text
 * @return HTML-encoded text fragment
 */
 function safeEncodeAttribute( $text ) {
-$encValue= encodeAttribute( $text );
+	$encValue= encodeAttribute( $text );
-# Templates and links may be expanded in later parsing,
+	# Templates and links may be expanded in later parsing,
-# creating invalid or dangerous output. Suppress this.
+	# creating invalid or dangerous output. Suppress this.
-$encValue = strtr( $encValue, array(
+	$encValue = strtr( $encValue, array(
-'<'    => '&lt;',   // This should never happen,
+		'<'    => '&lt;',   // This should never happen,
-'>'    => '&gt;',   // we've received invalid input
+		'>'    => '&gt;',   // we've received invalid input
-'"'    => '&quot;', // which should have been escaped.
+		'"'    => '&quot;', // which should have been escaped.
-'{'    => '&#123;',
+		'{'    => '&#123;',
-'['    => '&#91;',
+		'['    => '&#91;',
-"''"   => '&#39;&#39;',
+		"''"   => '&#39;&#39;',
-'ISBN' => '&#73;SBN',
+		'ISBN' => '&#73;SBN',
-'RFC'  => '&#82;FC',
+		'RFC'  => '&#82;FC',
-'PMID' => '&#80;MID',
+		'PMID' => '&#80;MID',
-'|'    => '&#124;',
+		'|'    => '&#124;',
-'__'   => '&#95;_',
+		'__'   => '&#95;_',
-) );
+	) );
-return $encValue;
+	return $encValue;
 }
 /**
 * Encode an attribute value for HTML output.
 * @param $text
 * @return HTML-encoded text fragment
 */
 function encodeAttribute( $text ) {
-// In Enano 1.0.3, added this cheapo hack to keep ampersands
+	// In Enano 1.0.3, added this cheapo hack to keep ampersands
-// from being double-sanitized. Thanks to markybob from #deluge.
+	// from being double-sanitized. Thanks to markybob from #deluge.
-// htmlspecialchars() the "manual" way
+	// htmlspecialchars() the "manual" way
-$encValue = strtr( $text, array(
+	$encValue = strtr( $text, array(
-'&amp;'  => '&',
+		'&amp;'  => '&',
-'&quot;' => '"',
+		'&quot;' => '"',
-'&lt;'   => '<',
+		'&lt;'   => '<',
-'&gt;'   => '>',
+		'&gt;'   => '>',
-'&#039;' => "'"
+		'&#039;' => "'"
-) );
+	) );
-$encValue = strtr( $text, array(
+	$encValue = strtr( $text, array(
-'&' => '&amp;',
+		'&' => '&amp;',
-'"' => '&quot;',
+		'"' => '&quot;',
-'<' => '&lt;',
+		'<' => '&lt;',
-'>' => '&gt;',
+		'>' => '&gt;',
-"'" => '&#039;'
+		"'" => '&#039;'
-) );
+	) );
-// Whitespace is normalized during attribute decoding,
+	// Whitespace is normalized during attribute decoding,
-// so if we've been passed non-spaces we must encode them
+	// so if we've been passed non-spaces we must encode them
-// ahead of time or they won't be preserved.
+	// ahead of time or they won't be preserved.
-$encValue = strtr( $encValue, array(
+	$encValue = strtr( $encValue, array(
-"\n" => '&#10;',
+		"\n" => '&#10;',
-"\r" => '&#13;',
+		"\r" => '&#13;',
-"\t" => '&#9;',
+		"\t" => '&#9;',
-) );
+	) );
-return $encValue;
+	return $encValue;
 }
 function unstripForHTML( $text ) {
-global $mStripState;
+	global $mStripState;
-$text = unstrip( $text, $mStripState );
+	$text = unstrip( $text, $mStripState );
-$text = unstripNoWiki( $text, $mStripState );
+	$text = unstripNoWiki( $text, $mStripState );
-return $text;
+	return $text;
 }
 /**
 * Always call this after unstrip() to preserve the order
 *
 * @private
 */
 function unstripNoWiki( $text, &$state ) {
-if ( !isset( $state['nowiki'] ) ) {
+	if ( !isset( $state['nowiki'] ) ) {
-return $text;
+		return $text;
-}
+	}
-# TODO: good candidate for FSS
+	# TODO: good candidate for FSS
-$text = strtr( $text, $state['nowiki'] );
+	$text = strtr( $text, $state['nowiki'] );
-return $text;
+	return $text;
 }
 /**
 * Take an array of attribute names and values and normalize or discard
 * illegal values for the given element type.
 *
 * @todo Check for legal values where the DTD limits things.
 * @todo Check for unique id attribute :P
 */
 function validateTagAttributes( $attribs, $element ) {
-$whitelist = array_flip( attributeWhitelist( $element ) );
+	$whitelist = array_flip( attributeWhitelist( $element ) );
-$out = array();
+	$out = array();
-foreach( $attribs as $attribute => $value ) {
+	foreach( $attribs as $attribute => $value ) {
-if( !isset( $whitelist[$attribute] ) ) {
+		if( !isset( $whitelist[$attribute] ) ) {
-continue;
+			continue;
-}
+		}
-# Strip javascript "expression" from stylesheets.
+		# Strip javascript "expression" from stylesheets.
-# http://msdn.microsoft.com/workshop/author/dhtml/overview/recalc.asp
+		# http://msdn.microsoft.com/workshop/author/dhtml/overview/recalc.asp
-if( $attribute == 'style' ) {
+		if( $attribute == 'style' ) {
-$value = checkCss( $value );
+			$value = checkCss( $value );
-if( $value === false ) {
+			if( $value === false ) {
-# haxx0r
+				# haxx0r
-continue;
+				continue;
-}
+			}
-}
+		}
-if ( $attribute === 'id' )
+		if ( $attribute === 'id' )
-$value = escapeId( $value );
+			$value = escapeId( $value );
-// If this attribute was previously set, override it.
+		// If this attribute was previously set, override it.
-// Output should only have one attribute of each name.
+		// Output should only have one attribute of each name.
-$out[$attribute] = $value;
+		$out[$attribute] = $value;
-}
+	}
-return $out;
+	return $out;
 }
 /**
 * Pick apart some CSS and check it for forbidden or unsafe structures.
 * Returns a sanitized string, or false if it was just too evil.
 *
 * @param string $value
 * @return mixed
 */
 function checkCss( $value ) {
-$stripped = decodeCharReferences( $value );
+	$stripped = decodeCharReferences( $value );
-// Remove any comments; IE gets token splitting wrong
+	// Remove any comments; IE gets token splitting wrong
-$stripped = preg_replace( '!/\\*.*?\\*/!S', '', $stripped );
+	$stripped = preg_replace( '!/\\*.*?\\*/!S', '', $stripped );
-$value = $stripped;
+	$value = $stripped;
-// ... and continue checks
+	// ... and continue checks
-$stripped = preg_replace( '!\\\\([0-9A-Fa-f]{1,6})[ \\n\\r\\t\\f]?!e',
+	$stripped = preg_replace( '!\\\\([0-9A-Fa-f]{1,6})[ \\n\\r\\t\\f]?!e',
-'codepointToUtf8(hexdec("$1"))', $stripped );
+		'codepointToUtf8(hexdec("$1"))', $stripped );
-$stripped = str_replace( '\\', '', $stripped );
+	$stripped = str_replace( '\\', '', $stripped );
-if( preg_match( '/(expression|tps*:\/\/|url\\s*\().*/is',
+	if( preg_match( '/(expression|tps*:\/\/|url\\s*\().*/is',
-$stripped ) ) {
+			$stripped ) ) {
-# haxx0r
+		# haxx0r
-return false;
+		return false;
-}
+	}
-return $value;
+	return $value;
 }
 /**
 * Decode any character references, numeric or named entities,
 * in the text and return a UTF-8 string.
 * @return string
 * @access public
 * @static
 */
 function decodeCharReferences( $text ) {
-return preg_replace_callback(
+	return preg_replace_callback(
-MW_CHAR_REFS_REGEX,
+		MW_CHAR_REFS_REGEX,
-'decodeCharReferencesCallback',
+		'decodeCharReferencesCallback',
-$text );
+		$text );
 }
 /**
 * Fetch the whitelist of acceptable attributes for a given
 * element name.
 *
 * @param string $element
 * @return array
 */
 function attributeWhitelist( $element ) {
-static $list;
+	static $list;
-if( !isset( $list ) ) {
+	if( !isset( $list ) ) {
-$list = setupAttributeWhitelist();
+		$list = setupAttributeWhitelist();
-}
+	}
-return isset( $list[$element] )
+	return isset( $list[$element] )
-? $list[$element]
+		? $list[$element]
-: array();
+		: array();
 }
 /**
 * @todo Document it a bit
 * @return array
 */
 function setupAttributeWhitelist() {
-global $db, $session, $paths, $template, $plugins;
+	global $db, $session, $paths, $template, $plugins;
-$common = array( 'id', 'class', 'lang', 'dir', 'title', 'style' );
+	$common = array( 'id', 'class', 'lang', 'dir', 'title', 'style' );
-$block = array_merge( $common, array( 'align' ) );
+	$block = array_merge( $common, array( 'align' ) );
-$tablealign = array( 'align', 'char', 'charoff', 'valign' );
+	$tablealign = array( 'align', 'char', 'charoff', 'valign' );
-$tablecell = array( 'abbr',
+	$tablecell = array( 'abbr',
-'axis',
+											'axis',
-'headers',
+											'headers',
-'scope',
+											'scope',
-'rowspan',
+											'rowspan',
-'colspan',
+											'colspan',
-'nowrap', # deprecated
+											'nowrap', # deprecated
-'width',  # deprecated
+											'width',  # deprecated
-'height', # deprecated
+											'height', # deprecated
-'bgcolor' # deprecated
+											'bgcolor' # deprecated
-);
+											);
-# Numbers refer to sections in HTML 4.01 standard describing the element.
+	# Numbers refer to sections in HTML 4.01 standard describing the element.
-# See: http://www.w3.org/TR/html4/
+	# See: http://www.w3.org/TR/html4/
-$whitelist = array (
+	$whitelist = array (
-# 7.5.4
+		# 7.5.4
-'div'        => $block,
+		'div'        => $block,
-'center'     => $common, # deprecated
+		'center'     => $common, # deprecated
-'span'       => $block, # ??
+		'span'       => $block, # ??
-# 7.5.5
+		# 7.5.5
-'h1'         => $block,
+		'h1'         => $block,
-'h2'         => $block,
+		'h2'         => $block,
-'h3'         => $block,
+		'h3'         => $block,
-'h4'         => $block,
+		'h4'         => $block,
-'h5'         => $block,
+		'h5'         => $block,
-'h6'         => $block,
+		'h6'         => $block,
-# 7.5.6
+		# 7.5.6
-# address
+		# address
-# 8.2.4
+		# 8.2.4
-# bdo
+		# bdo
-# 9.2.1
+		# 9.2.1
-'em'         => $common,
+		'em'         => $common,
-'strong'     => $common,
+		'strong'     => $common,
-'cite'       => $common,
+		'cite'       => $common,
-# dfn
+		# dfn
-'code'       => $common,
+		'code'       => $common,
-# samp
+		# samp
-# kbd
+		# kbd
-'var'        => $common,
+		'var'        => $common,
-# abbr
+		# abbr
-# acronym
+		# acronym
-# 9.2.2
+		# 9.2.2
-'blockquote' => array_merge( $common, array( 'cite' ) ),
+		'blockquote' => array_merge( $common, array( 'cite' ) ),
-# q
+		# q
-# 9.2.3
+		# 9.2.3
-'sub'        => $common,
+		'sub'        => $common,
-'sup'        => $common,
+		'sup'        => $common,
-# 9.3.1
+		# 9.3.1
-'p'          => $block,
+		'p'          => $block,
-# 9.3.2
+		# 9.3.2
-'br'         => array( 'id', 'class', 'title', 'style', 'clear' ),
+		'br'         => array( 'id', 'class', 'title', 'style', 'clear' ),
-# 9.3.4
+		# 9.3.4
-'pre'        => array_merge( $common, array( 'width' ) ),
+		'pre'        => array_merge( $common, array( 'width' ) ),
-# 9.4
+		# 9.4
-'ins'        => array_merge( $common, array( 'cite', 'datetime' ) ),
+		'ins'        => array_merge( $common, array( 'cite', 'datetime' ) ),
-'del'        => array_merge( $common, array( 'cite', 'datetime' ) ),
+		'del'        => array_merge( $common, array( 'cite', 'datetime' ) ),
-# 10.2
+		# 10.2
-'ul'         => array_merge( $common, array( 'type' ) ),
+		'ul'         => array_merge( $common, array( 'type' ) ),
-'ol'         => array_merge( $common, array( 'type', 'start' ) ),
+		'ol'         => array_merge( $common, array( 'type', 'start' ) ),
-'li'         => array_merge( $common, array( 'type', 'value' ) ),
+		'li'         => array_merge( $common, array( 'type', 'value' ) ),
-# 10.3
+		# 10.3
-'dl'         => $common,
+		'dl'         => $common,
-'dd'         => $common,
+		'dd'         => $common,
-'dt'         => $common,
+		'dt'         => $common,
-# 11.2.1
+		# 11.2.1
-'table'      => array_merge( $common,
+		'table'      => array_merge( $common,
-array( 'summary', 'width', 'border', 'frame',
+							array( 'summary', 'width', 'border', 'frame',
-'rules', 'cellspacing', 'cellpadding',
+									'rules', 'cellspacing', 'cellpadding',
-'align', 'bgcolor',
+									'align', 'bgcolor',
-) ),
+							) ),
-# 11.2.2
+		# 11.2.2
-'caption'    => array_merge( $common, array( 'align' ) ),
+		'caption'    => array_merge( $common, array( 'align' ) ),
-# 11.2.3
+		# 11.2.3
-'thead'      => array_merge( $common, $tablealign ),
+		'thead'      => array_merge( $common, $tablealign ),
-'tfoot'      => array_merge( $common, $tablealign ),
+		'tfoot'      => array_merge( $common, $tablealign ),
-'tbody'      => array_merge( $common, $tablealign ),
+		'tbody'      => array_merge( $common, $tablealign ),
-# 11.2.4
+		# 11.2.4
-'colgroup'   => array_merge( $common, array( 'span', 'width' ), $tablealign ),
+		'colgroup'   => array_merge( $common, array( 'span', 'width' ), $tablealign ),
-'col'        => array_merge( $common, array( 'span', 'width' ), $tablealign ),
+		'col'        => array_merge( $common, array( 'span', 'width' ), $tablealign ),
-# 11.2.5
+		# 11.2.5
-'tr'         => array_merge( $common, array( 'bgcolor' ), $tablealign ),
+		'tr'         => array_merge( $common, array( 'bgcolor' ), $tablealign ),
-# 11.2.6
+		# 11.2.6
-'td'         => array_merge( $common, $tablecell, $tablealign ),
+		'td'         => array_merge( $common, $tablecell, $tablealign ),
-'th'         => array_merge( $common, $tablecell, $tablealign ),
+		'th'         => array_merge( $common, $tablecell, $tablealign ),
-# 12.2
+		# 12.2
-# added by dan
+		# added by dan
-'a'          => array_merge( $common, array( 'href', 'name' ) ),
+		'a'          => array_merge( $common, array( 'href', 'name' ) ),
-# 13.2
+		# 13.2
-# added by dan
+		# added by dan
-'img'        => array_merge( $common, array( 'src', 'width', 'height', 'alt' ) ),
+		'img'        => array_merge( $common, array( 'src', 'width', 'height', 'alt' ) ),
-# 15.2.1
+		# 15.2.1
-'tt'         => $common,
+		'tt'         => $common,
-'b'          => $common,
+		'b'          => $common,
-'i'          => $common,
+		'i'          => $common,
-'big'        => $common,
+		'big'        => $common,
-'small'      => $common,
+		'small'      => $common,
-'strike'     => $common,
+		'strike'     => $common,
-'s'          => $common,
+		's'          => $common,
-'u'          => $common,
+		'u'          => $common,
-# 15.2.2
+		# 15.2.2
-'font'       => array_merge( $common, array( 'size', 'color', 'face' ) ),
+		'font'       => array_merge( $common, array( 'size', 'color', 'face' ) ),
-# basefont
+		# basefont
-# 15.3
+		# 15.3
-'hr'         => array_merge( $common, array( 'noshade', 'size', 'width' ) ),
+		'hr'         => array_merge( $common, array( 'noshade', 'size', 'width' ) ),
-# XHTML Ruby annotation text module, simple ruby only.
+		# XHTML Ruby annotation text module, simple ruby only.
-# http://www.w3c.org/TR/ruby/
+		# http://www.w3c.org/TR/ruby/
-'ruby'       => $common,
+		'ruby'       => $common,
-# rbc
+		# rbc
-# rtc
+		# rtc
-'rb'         => $common,
+		'rb'         => $common,
-'rt'         => $common, #array_merge( $common, array( 'rbspan' ) ),
+		'rt'         => $common, #array_merge( $common, array( 'rbspan' ) ),
-'rp'         => $common,
+		'rp'         => $common,
-# For compatibility with the XHTML parser.
+		# For compatibility with the XHTML parser.
-'nowiki'     => array(),
+		'nowiki'     => array(),
-'noinclude'  => array(),
+		'noinclude'  => array(),
-'nodisplay'  => array(),
+		'nodisplay'  => array(),
-'lang'       => array('code'),
+		'lang'       => array('code'),
-# XHTML stuff
+		# XHTML stuff
-'acronym'    => $common
+		'acronym'    => $common
-);
+		);
-// custom tags can be added by plugins
+	// custom tags can be added by plugins
-$code = $plugins->setHook('html_attribute_whitelist');
+	$code = $plugins->setHook('html_attribute_whitelist');
-foreach ( $code as $cmd )
+	foreach ( $code as $cmd )
-{
+	{
-eval($cmd);
+		eval($cmd);
-}
+	}
-return $whitelist;
+	return $whitelist;
 }
 /**
 * Given a value escape it so that it can be used in an id attribute and
 * return it, this does not validate the value however (see first link)
 *
 * @param string $id
 * @return string
 */
 function escapeId( $id ) {
-static $replace = array(
+	static $replace = array(
-'%3A' => ':',
+		'%3A' => ':',
-'%' => '.'
+		'%' => '.'
-);
+	);
-$id = urlencode( decodeCharReferences( strtr( $id, ' ', '_' ) ) );
+	$id = urlencode( decodeCharReferences( strtr( $id, ' ', '_' ) ) );
-return str_replace( array_keys( $replace ), array_values( $replace ), $id );
+	return str_replace( array_keys( $replace ), array_values( $replace ), $id );
 }
 /**
 * More or less "markup-safe" explode()
 * Ignores any instances of the separator inside <...>
 * @param string $separator
 * @param string $text
 * @return array
 */
 function wfExplodeMarkup( $separator, $text ) {
-$placeholder = "\x00";
+	$placeholder = "\x00";
-// Just in case...
+	// Just in case...
-$text = str_replace( $placeholder, '', $text );
+	$text = str_replace( $placeholder, '', $text );
-// Trim stuff
+	// Trim stuff
-$replacer = new ReplacerCallback( $separator, $placeholder );
+	$replacer = new ReplacerCallback( $separator, $placeholder );
-$cleaned = preg_replace_callback( '/(<.*?>)/', array( $replacer, 'go' ), $text );
+	$cleaned = preg_replace_callback( '/(<.*?>)/', array( $replacer, 'go' ), $text );
-$items = explode( $separator, $cleaned );
+	$items = explode( $separator, $cleaned );
-foreach( $items as $i => $str ) {
+	foreach( $items as $i => $str ) {
-$items[$i] = str_replace( $placeholder, $separator, $str );
+		$items[$i] = str_replace( $placeholder, $separator, $str );
-}
+	}
-return $items;
+	return $items;
 }
 class ReplacerCallback {
-function ReplacerCallback( $from, $to ) {
+	function ReplacerCallback( $from, $to ) {
-$this->from = $from;
+		$this->from = $from;
-$this->to = $to;
+		$this->to = $to;
-}
+	}
-function go( $matches ) {
+	function go( $matches ) {
-return str_replace( $this->from, $this->to, $matches[1] );
+		return str_replace( $this->from, $this->to, $matches[1] );
-}
+	}
 }
 /**
 * Return an associative array of attribute names and values from
 * a partial tag string. Attribute names are forces to lowercase,
 *
 * @param string
 * @return array
 */
 function decodeTagAttributes( $text ) {
-$attribs = array();
+	$attribs = array();
-if( trim( $text ) == '' ) {
+	if( trim( $text ) == '' ) {
-return $attribs;
+		return $attribs;
-}
+	}
-$pairs = array();
+	$pairs = array();
-if( !preg_match_all(
+	if( !preg_match_all(
-MW_ATTRIBS_REGEX,
+		MW_ATTRIBS_REGEX,
-$text,
+		$text,
-$pairs,
+		$pairs,
-PREG_SET_ORDER ) ) {
+		PREG_SET_ORDER ) ) {
-return $attribs;
+		return $attribs;
-}
+	}
-foreach( $pairs as $set ) {
+	foreach( $pairs as $set ) {
-$attribute = strtolower( $set[1] );
+		$attribute = strtolower( $set[1] );
-$value = getTagAttributeCallback( $set );
+		$value = getTagAttributeCallback( $set );
-// Normalize whitespace
+		// Normalize whitespace
-$value = preg_replace( '/[\t\r\n ]+/', ' ', $value );
+		$value = preg_replace( '/[\t\r\n ]+/', ' ', $value );
-$value = trim( $value );
+		$value = trim( $value );
-// Decode character references
+		// Decode character references
-$attribs[$attribute] = decodeCharReferences( $value );
+		$attribs[$attribute] = decodeCharReferences( $value );
-}
+	}
-return $attribs;
+	return $attribs;
 }
 /**
 * Pick the appropriate attribute value from a match set from the
 * MW_ATTRIBS_REGEX matches.
 * @param array $set
 * @return string
 * @access private
 */
 function getTagAttributeCallback( $set ) {
-if( isset( $set[6] ) ) {
+	if( isset( $set[6] ) ) {
-# Illegal #XXXXXX color with no quotes.
+		# Illegal #XXXXXX color with no quotes.
-return $set[6];
+		return $set[6];
-} elseif( isset( $set[5] ) ) {
+	} elseif( isset( $set[5] ) ) {
-# No quotes.
+		# No quotes.
-return $set[5];
+		return $set[5];
-} elseif( isset( $set[4] ) ) {
+	} elseif( isset( $set[4] ) ) {
-# Single-quoted
+		# Single-quoted
-return $set[4];
+		return $set[4];
-} elseif( isset( $set[3] ) ) {
+	} elseif( isset( $set[3] ) ) {
-# Double-quoted
+		# Double-quoted
-return $set[3];
+		return $set[3];
-} elseif( !isset( $set[2] ) ) {
+	} elseif( !isset( $set[2] ) ) {
-# In XHTML, attributes must have a value.
+		# In XHTML, attributes must have a value.
-# For 'reduced' form, return explicitly the attribute name here.
+		# For 'reduced' form, return explicitly the attribute name here.
-return $set[1];
+		return $set[1];
-} else {
+	} else {
-die_friendly('Parser error', "<p>Tag conditions not met. This should never happen and is a bug.</p>" );
+		die_friendly('Parser error', "<p>Tag conditions not met. This should never happen and is a bug.</p>" );
-}
+	}
 }
 /**
 * Strips and renders nowiki, pre, math, hiero
 * If $render is set, performs necessary rendering operations on plugins
 *  used to prevent stipping of <gallery> when saving (fixes bug 2700)
 *
 * @access private
 */
 function mwStrip( $text, &$state, $stripcomments = false , $dontstrip = array () ) {
-global $wgRandomKey;
+	global $wgRandomKey;
-$render = true;
+	$render = true;
-$wgRandomKey = "\x07UNIQ" . dechex(mt_rand(0, 0x7fffffff)) . dechex(mt_rand(0, 0x7fffffff));
+	$wgRandomKey = "\x07UNIQ" . dechex(mt_rand(0, 0x7fffffff)) . dechex(mt_rand(0, 0x7fffffff));
-$uniq_prefix =& $wgRandomKey;
+	$uniq_prefix =& $wgRandomKey;
-$commentState = array();
+	$commentState = array();
-$elements = array( 'nowiki', 'gallery' );
+	$elements = array( 'nowiki', 'gallery' );
-# Removing $dontstrip tags from $elements list (currently only 'gallery', fixing bug 2700)
+	# Removing $dontstrip tags from $elements list (currently only 'gallery', fixing bug 2700)
-foreach ( $elements AS $k => $v ) {
+	foreach ( $elements AS $k => $v ) {
-if ( !in_array ( $v , $dontstrip ) ) continue;
+		if ( !in_array ( $v , $dontstrip ) ) continue;
-unset ( $elements[$k] );
+		unset ( $elements[$k] );
-}
+	}
-$matches = array();
+	$matches = array();
-$text = extractTagsAndParams( $elements, $text, $matches, $uniq_prefix );
+	$text = extractTagsAndParams( $elements, $text, $matches, $uniq_prefix );
-foreach( $matches as $marker => $data ) {
+	foreach( $matches as $marker => $data ) {
-list( $element, $content, $params, $tag ) = $data;
+		list( $element, $content, $params, $tag ) = $data;
-if( $render ) {
+		if( $render ) {
-$tagName = strtolower( $element );
+			$tagName = strtolower( $element );
-switch( $tagName ) {
+			switch( $tagName ) {
-case '!--':
+			case '!--':
-// Comment
+				// Comment
-if( substr( $tag, -3 ) == '-->' ) {
+				if( substr( $tag, -3 ) == '-->' ) {
-$output = $tag;
+					$output = $tag;
-} else {
+				} else {
-// Unclosed comment in input.
+					// Unclosed comment in input.
-// Close it so later stripping can remove it
+					// Close it so later stripping can remove it
-$output = "$tag-->";
+					$output = "$tag-->";
-}
+				}
-break;
+				break;
-case 'html':
+			case 'html':
-if( $wgRawHtml ) {
+				if( $wgRawHtml ) {
-$output = $content;
+					$output = $content;
-break;
+					break;
-}
+				}
-// Shouldn't happen otherwise. :)
+				// Shouldn't happen otherwise. :)
-case 'nowiki':
+			case 'nowiki':
-$output = wfEscapeHTMLTagsOnly( $content );
+				$output = wfEscapeHTMLTagsOnly( $content );
-break;
+				break;
-default:
+			default:
-}
+			}
-} else {
+		} else {
-// Just stripping tags; keep the source
+			// Just stripping tags; keep the source
-$output = $tag;
+			$output = $tag;
-}
+		}
-// Unstrip the output, because unstrip() is no longer recursive so
+		// Unstrip the output, because unstrip() is no longer recursive so
-// it won't do it itself
+		// it won't do it itself
-$output = unstrip( $output, $state );
+		$output = unstrip( $output, $state );
-if( !$stripcomments && $element == '!--' ) {
+		if( !$stripcomments && $element == '!--' ) {
-$commentState[$marker] = $output;
+			$commentState[$marker] = $output;
-} elseif ( $element == 'html' || $element == 'nowiki' ) {
+		} elseif ( $element == 'html' || $element == 'nowiki' ) {
-$state['nowiki'][$marker] = $output;
+			$state['nowiki'][$marker] = $output;
-} else {
+		} else {
-$state['general'][$marker] = $output;
+			$state['general'][$marker] = $output;
-}
+		}
-}
+	}
-# Unstrip comments unless explicitly told otherwise.
+	# Unstrip comments unless explicitly told otherwise.
-# (The comments are always stripped prior to this point, so as to
+	# (The comments are always stripped prior to this point, so as to
-# not invoke any extension tags / parser hooks contained within
+	# not invoke any extension tags / parser hooks contained within
-# a comment.)
+	# a comment.)
-if ( !$stripcomments ) {
+	if ( !$stripcomments ) {
-// Put them all back and forget them
+		// Put them all back and forget them
-$text = strtr( $text, $commentState );
+		$text = strtr( $text, $commentState );
-}
+	}
-return $text;
+	return $text;
 }
 /**
 * Replaces all occurrences of HTML-style comments and the given tags
 * in the text with a random marker and returns teh next text. The output
 *
 * @access private
 * @static
 */
 function extractTagsAndParams($elements, $text, &$matches, $uniq_prefix = ''){
-static $n = 1;
+	static $n = 1;
-$stripped = '';
+	$stripped = '';
-$matches = array();
+	$matches = array();
-$taglist = implode( '|', $elements );
+	$taglist = implode( '|', $elements );
-$start = "/<($taglist)(\\s+[^>]*?|\\s*?)(\/?>)|<(!--)/i";
+	$start = "/<($taglist)(\\s+[^>]*?|\\s*?)(\/?>)|<(!--)/i";
-while ( '' != $text ) {
+	while ( '' != $text ) {
-$p = preg_split( $start, $text, 2, PREG_SPLIT_DELIM_CAPTURE );
+		$p = preg_split( $start, $text, 2, PREG_SPLIT_DELIM_CAPTURE );
-$stripped .= $p[0];
+		$stripped .= $p[0];
-if( count( $p ) < 5 ) {
+		if( count( $p ) < 5 ) {
-break;
+			break;
-}
+		}
-if( count( $p ) > 5 ) {
+		if( count( $p ) > 5 ) {
-// comment
+			// comment
-$element    = $p[4];
+			$element    = $p[4];
-$attributes = '';
+			$attributes = '';
-$close      = '';
+			$close      = '';
-$inside     = $p[5];
+			$inside     = $p[5];
-} else {
+		} else {
-// tag
+			// tag
-$element    = $p[1];
+			$element    = $p[1];
-$attributes = $p[2];
+			$attributes = $p[2];
-$close      = $p[3];
+			$close      = $p[3];
-$inside     = $p[4];
+			$inside     = $p[4];
-}
+		}
-$marker = "$uniq_prefix-$element-" . sprintf('%08X', $n++) . '-QINU';
+		$marker = "$uniq_prefix-$element-" . sprintf('%08X', $n++) . '-QINU';
-$stripped .= $marker;
+		$stripped .= $marker;
-if ( $close === '/>' ) {
+		if ( $close === '/>' ) {
-// Empty element tag, <tag />
+			// Empty element tag, <tag />
-$content = null;
+			$content = null;
-$text = $inside;
+			$text = $inside;
-$tail = null;
+			$tail = null;
-} else {
+		} else {
-if( $element == '!--' ) {
+			if( $element == '!--' ) {
-$end = '/(-->)/';
+				$end = '/(-->)/';
-} else {
+			} else {
-$end = "/(<\\/$element\\s*>)/i";
+				$end = "/(<\\/$element\\s*>)/i";
-}
+			}
-$q = preg_split( $end, $inside, 2, PREG_SPLIT_DELIM_CAPTURE );
+			$q = preg_split( $end, $inside, 2, PREG_SPLIT_DELIM_CAPTURE );
-$content = $q[0];
+			$content = $q[0];
-if( count( $q ) < 3 ) {
+			if( count( $q ) < 3 ) {
-# No end tag -- let it run out to the end of the text.
+				# No end tag -- let it run out to the end of the text.
-$tail = '';
+				$tail = '';
-$text = '';
+				$text = '';
-} else {
+			} else {
-$tail = $q[1];
+				$tail = $q[1];
-$text = $q[2];
+				$text = $q[2];
-}
+			}
-}
+		}
-$matches[$marker] = array( $element,
+		$matches[$marker] = array( $element,
-$content,
+			$content,
-decodeTagAttributes( $attributes ),
+			decodeTagAttributes( $attributes ),
-"<$element$attributes$close$content$tail" );
+			"<$element$attributes$close$content$tail" );
-}
+	}
-return $stripped;
+	return $stripped;
 }
 /**
 * Escape html tags
 * Basically replacing " > and < with HTML entities ( &quot;, &gt;, &lt;)
 *
 * @param $in String: text that might contain HTML tags.
 * @return string Escaped string
 */
 function wfEscapeHTMLTagsOnly( $in ) {
-return str_replace(
+	return str_replace(
-array( '"', '>', '<' ),
+		array( '"', '>', '<' ),
-array( '&quot;', '&gt;', '&lt;' ),
+		array( '&quot;', '&gt;', '&lt;' ),
-$in );
+		$in );
 }
 /**
 * Restores pre, math, and other extensions removed by strip()
 *
 * always call unstripNoWiki() after this one
 * @private
 */
 function unstrip( $text, &$state ) {
-if ( !isset( $state['general'] ) ) {
+	if ( !isset( $state['general'] ) ) {
-return $text;
+		return $text;
-}
+	}
-# TODO: good candidate for FSS
+	# TODO: good candidate for FSS
-$text = strtr( $text, $state['general'] );
+	$text = strtr( $text, $state['general'] );
-return $text;
+	return $text;
 }
 /**
 * Return UTF-8 string for a codepoint if that is a valid
 * character reference, otherwise U+FFFD REPLACEMENT CHARACTER.
 * @param int $codepoint
 * @return string
 * @private
 */
 function decodeChar( $codepoint ) {
-if( validateCodepoint( $codepoint ) ) {
+	if( validateCodepoint( $codepoint ) ) {
-return codepointToUtf8( $codepoint );
+		return codepointToUtf8( $codepoint );
-} else {
+	} else {
-return UTF8_REPLACEMENT;
+		return UTF8_REPLACEMENT;
-}
+	}
 }
 /**
 * If the named entity is defined in the HTML 4.0/XHTML 1.0 DTD,
 * return the UTF-8 encoding of that character. Otherwise, returns
 *
 * @param string $name
 * @return string
 */
 function decodeEntity( $name ) {
-global $wgHtmlEntities;
+	global $wgHtmlEntities;
-if( isset( $wgHtmlEntities[$name] ) ) {
+	if( isset( $wgHtmlEntities[$name] ) ) {
-return codepointToUtf8( $wgHtmlEntities[$name] );
+		return codepointToUtf8( $wgHtmlEntities[$name] );
-} else {
+	} else {
-return "&$name;";
+		return "&$name;";
-}
+	}
 }
 /**
 * Returns true if a given Unicode codepoint is a valid character in XML.
 * @param int $codepoint
 * @return bool
 */
 function validateCodepoint( $codepoint ) {
-return ($codepoint ==    0x09)
+	return ($codepoint ==    0x09)
-|| ($codepoint ==    0x0a)
+		|| ($codepoint ==    0x0a)
-|| ($codepoint ==    0x0d)
+		|| ($codepoint ==    0x0d)
-|| ($codepoint >=    0x20 && $codepoint <=   0xd7ff)
+		|| ($codepoint >=    0x20 && $codepoint <=   0xd7ff)
-|| ($codepoint >=  0xe000 && $codepoint <=   0xfffd)
+		|| ($codepoint >=  0xe000 && $codepoint <=   0xfffd)
-|| ($codepoint >= 0x10000 && $codepoint <= 0x10ffff);
+		|| ($codepoint >= 0x10000 && $codepoint <= 0x10ffff);
 }
 /**
 * Return UTF-8 sequence for a given Unicode code point.
 * May die if fed out of range data.
 *
 * @param $codepoint Integer:
 /**
 * @param string $matches
 * @return string
 */
 function decodeCharReferencesCallback( $matches ) {
-if( $matches[1] != '' ) {
+	if( $matches[1] != '' ) {
-return decodeEntity( $matches[1] );
+		return decodeEntity( $matches[1] );
-} elseif( $matches[2] != '' ) {
+	} elseif( $matches[2] != '' ) {
-return  decodeChar( intval( $matches[2] ) );
+		return  decodeChar( intval( $matches[2] ) );
-} elseif( $matches[3] != ''  ) {
+	} elseif( $matches[3] != ''  ) {
-return  decodeChar( hexdec( $matches[3] ) );
+		return  decodeChar( hexdec( $matches[3] ) );
-} elseif( $matches[4] != '' ) {
+	} elseif( $matches[4] != '' ) {
-return  decodeChar( hexdec( $matches[4] ) );
+		return  decodeChar( hexdec( $matches[4] ) );
-}
+	}
-# Last case should be an ampersand by itself
+	# Last case should be an ampersand by itself
-return $matches[0];
+	return $matches[0];
 }

changeset 1227	bdac73ed481e
parent 1127	4b858862c35c
child 1382	78fbedb876f3