PHP Sanitizer::safeEncodeTagAttributes方法代码示例

 /**
  * Override the title of the page when viewed, provided we've been given a
  * title which will normalise to the canonical title
  *
  * @param Parser $parser Parent parser
  * @param string $text Desired title text
  * @param string $uarg
  * @return string
  */
 public static function displaytitle($parser, $text = '', $uarg = '')
 {
     global $wgRestrictDisplayTitle;
     static $magicWords = null;
     if (is_null($magicWords)) {
         $magicWords = new MagicWordArray(['displaytitle_noerror', 'displaytitle_noreplace']);
     }
     $arg = $magicWords->matchStartToEnd($uarg);
     // parse a limited subset of wiki markup (just the single quote items)
     $text = $parser->doQuotes($text);
     // remove stripped text (e.g. the UNIQ-QINU stuff) that was generated by tag extensions/whatever
     $text = $parser->killMarkers($text);
     // list of disallowed tags for DISPLAYTITLE
     // these will be escaped even though they are allowed in normal wiki text
     $bad = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'blockquote', 'ol', 'ul', 'li', 'hr', 'table', 'tr', 'th', 'td', 'dl', 'dd', 'caption', 'p', 'ruby', 'rb', 'rt', 'rtc', 'rp', 'br'];
     // disallow some styles that could be used to bypass $wgRestrictDisplayTitle
     if ($wgRestrictDisplayTitle) {
         $htmlTagsCallback = function (&$params) {
             $decoded = Sanitizer::decodeTagAttributes($params);
             if (isset($decoded['style'])) {
                 // this is called later anyway, but we need it right now for the regexes below to be safe
                 // calling it twice doesn't hurt
                 $decoded['style'] = Sanitizer::checkCss($decoded['style']);
                 if (preg_match('/(display|user-select|visibility)\\s*:/i', $decoded['style'])) {
                     $decoded['style'] = '/* attempt to bypass $wgRestrictDisplayTitle */';
                 }
             }
             $params = Sanitizer::safeEncodeTagAttributes($decoded);
         };
     } else {
         $htmlTagsCallback = null;
     }
     // only requested titles that normalize to the actual title are allowed through
     // if $wgRestrictDisplayTitle is true (it is by default)
     // mimic the escaping process that occurs in OutputPage::setPageTitle
     $text = Sanitizer::normalizeCharReferences(Sanitizer::removeHTMLtags($text, $htmlTagsCallback, [], [], $bad));
     $title = Title::newFromText(Sanitizer::stripAllTags($text));
     if (!$wgRestrictDisplayTitle || $title instanceof Title && !$title->hasFragment() && $title->equals($parser->mTitle)) {
         $old = $parser->mOutput->getProperty('displaytitle');
         if ($old === false || $arg !== 'displaytitle_noreplace') {
             $parser->mOutput->setDisplayTitle($text);
         }
         if ($old !== false && $old !== $text && !$arg) {
             $converter = $parser->getConverterLanguage()->getConverter();
             return '<span class="error">' . wfMessage('duplicate-displaytitle', $converter->markNoConversion(wfEscapeWikiText($old)), $converter->markNoConversion(wfEscapeWikiText($text)))->inContentLanguage()->text() . '</span>';
         } else {
             return '';
         }
     } else {
         $parser->addTrackingCategory('restricted-displaytitle-ignored');
         $converter = $parser->getConverterLanguage()->getConverter();
         return '<span class="error">' . wfMessage('restricted-displaytitle', $converter->markNoConversion(wfEscapeWikiText($text)))->inContentLanguage()->text() . '</span>';
     }
 }

 /**
  * Take a tag soup fragment listing an HTML element's attributes
  * and normalize it to well-formed XML, discarding unwanted attributes.
  * Output is safe for further wikitext processing, with escaping of
  * values that could trigger problems.
  *
  * - Normalizes attribute names to lowercase
  * - Discards attributes not on a whitelist for the given element
  * - Turns broken or invalid entities into plaintext
  * - Double-quotes all attribute values
  * - Attributes without values are given the name as attribute
  * - Double attributes are discarded
  * - Unsafe style attributes are discarded
  * - Prepends space if there are attributes.
  *
  * @param string $text
  * @param string $element
  * @return string
  */
 static function fixTagAttributes($text, $element)
 {
     if (trim($text) == '') {
         return '';
     }
     $decoded = Sanitizer::decodeTagAttributes($text);
     $stripped = Sanitizer::validateTagAttributes($decoded, $element);
     return Sanitizer::safeEncodeTagAttributes($stripped);
 }

 /**
  * Override the title of the page when viewed, provided we've been given a
  * title which will normalise to the canonical title
  *
  * @param $parser Parser: parent parser
  * @param string $text desired title text
  * @return String
  */
 static function displaytitle($parser, $text = '')
 {
     global $wgRestrictDisplayTitle;
     // parse a limited subset of wiki markup (just the single quote items)
     $text = $parser->doQuotes($text);
     // remove stripped text (e.g. the UNIQ-QINU stuff) that was generated by tag extensions/whatever
     $text = preg_replace('/' . preg_quote($parser->uniqPrefix(), '/') . '.*?' . preg_quote(Parser::MARKER_SUFFIX, '/') . '/', '', $text);
     // list of disallowed tags for DISPLAYTITLE
     // these will be escaped even though they are allowed in normal wiki text
     $bad = array('h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'blockquote', 'ol', 'ul', 'li', 'hr', 'table', 'tr', 'th', 'td', 'dl', 'dd', 'caption', 'p', 'ruby', 'rb', 'rt', 'rp', 'br');
     // disallow some styles that could be used to bypass $wgRestrictDisplayTitle
     if ($wgRestrictDisplayTitle) {
         $htmlTagsCallback = function (&$params) {
             $decoded = Sanitizer::decodeTagAttributes($params);
             if (isset($decoded['style'])) {
                 // this is called later anyway, but we need it right now for the regexes below to be safe
                 // calling it twice doesn't hurt
                 $decoded['style'] = Sanitizer::checkCss($decoded['style']);
                 if (preg_match('/(display|user-select|visibility)\\s*:/i', $decoded['style'])) {
                     $decoded['style'] = '/* attempt to bypass $wgRestrictDisplayTitle */';
                 }
             }
             $params = Sanitizer::safeEncodeTagAttributes($decoded);
         };
     } else {
         $htmlTagsCallback = null;
     }
     // only requested titles that normalize to the actual title are allowed through
     // if $wgRestrictDisplayTitle is true (it is by default)
     // mimic the escaping process that occurs in OutputPage::setPageTitle
     $text = Sanitizer::normalizeCharReferences(Sanitizer::removeHTMLtags($text, $htmlTagsCallback, array(), array(), $bad));
     $title = Title::newFromText(Sanitizer::stripAllTags($text));
     if (!$wgRestrictDisplayTitle) {
         $parser->mOutput->setDisplayTitle($text);
     } elseif ($title instanceof Title && !$title->hasFragment() && $title->equals($parser->mTitle)) {
         $parser->mOutput->setDisplayTitle($text);
     }
     return '';
 }

 /**
  * Hook to provide syntax highlighting for API pretty-printed output
  *
  * @param IContextSource $context
  * @param string $text
  * @param string $mime
  * @param string $format
  * @since MW 1.24
  */
 public static function onApiFormatHighlight(IContextSource $context, $text, $mime, $format)
 {
     if (!isset(self::$mimeLexers[$mime])) {
         return true;
     }
     $lexer = self::$mimeLexers[$mime];
     $status = self::highlight($text, $lexer);
     if (!$status->isOK()) {
         return true;
     }
     $out = $status->getValue();
     if (preg_match('/^<pre([^>]*)>/i', $out, $m)) {
         $attrs = Sanitizer::decodeTagAttributes($m[1]);
         $attrs['class'] .= ' api-pretty-content';
         $encodedAttrs = Sanitizer::safeEncodeTagAttributes($attrs);
         $out = '<pre' . $encodedAttrs . '>' . substr($out, strlen($m[0]));
     }
     $output = $context->getOutput();
     $output->addModuleStyles('ext.pygments');
     $output->addHTML('<div dir="ltr">' . $out . '</div>');
     // Inform MediaWiki that we have parsed this page and it shouldn't mess with it.
     return false;
 }

 /**
  * Hook to provide syntax highlighting for API pretty-printed output
  *
  * @param IContextSource $context
  * @param string $text
  * @param string $mime
  * @param string $format
  * @since MW 1.24
  */
 public static function apiFormatHighlight(IContextSource $context, $text, $mime, $format)
 {
     switch ($mime) {
         case 'text/javascript':
         case 'application/json':
             $lang = 'javascript';
             break;
         case 'text/xml':
             $lang = 'xml';
             break;
         default:
             // Don't know how to handle this
             return true;
     }
     $geshi = self::prepare($text, $lang);
     if ($geshi instanceof GeSHi) {
         $out = $geshi->parse_code();
         if (!$geshi->error()) {
             if (preg_match('/^<pre([^>]*)>/i', $out, $m)) {
                 $attrs = Sanitizer::decodeTagAttributes($m[1]);
                 $attrs['class'] .= ' api-pretty-content';
                 $out = '<pre' . Sanitizer::safeEncodeTagAttributes($attrs) . '>' . substr($out, strlen($m[0]));
             }
             $output = $context->getOutput();
             $output->addModuleStyles(array("ext.geshi.language.{$lang}", 'ext.geshi.local'));
             $output->addHTML("<div dir=\"ltr\">{$out}</div>");
             // Inform MediaWiki that we have parsed this page and it shouldn't mess with it.
             return false;
         }
     }
     // Bottle out
     return true;
 }